May 2003
Intermediate to advanced
360 pages
10h 27m
English
The Attempted Information Leak rule classification deals with signatures for potentially damaging information-gathering attempts. Information leaks or reconnaissance attacks classified as Attempted Information Leaks are not proof positive that an information-gathering attempt has succeeded. Rather, they signal that an attempt has been made, and that if the right conditions exist, sensitive information that could help the attacker compromise a system may have been released.
It is indeed possible for Attempted Information Leak rules to trigger on successful information-gathering attempts. Take the NetBIOS null session rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flow:to_server,established; ...
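As an added example (not code from the book), a small Python parser for the Snort rule format shown above: it splits the header from the options, honours semicolons inside quoted values, and lists the rules whose classtype is attempted-recon. The sample rules, including the assumed completion of the NETBIOS rule's options and the local sid values, are constructed for this example.

```python
import re

# Header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

# Constructed sample rules (hypothetical completions; sids from the local range).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; '
    'flow:to_server,established; content:"|00 00 00 00|"; '
    'classtype:attempted-recon; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample; semicolon in msg"; '
    'flow:to_server,established; content:"/cgi-bin/"; nocase; '
    'classtype:web-application-attack; sid:1000002; rev:1;)',
]

def split_options(body):
    """Split 'key:value; key:value;' on semicolons that are not inside quotes."""
    items, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            items.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    return items + ([tail] if tail else [])

def parse_rule(text):
    """Return a dict of header fields plus an 'options' dict for one Snort rule."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text[:40])
    options = {}
    for item in split_options(m.group('opts')):
        key, _, val = item.partition(':')  # flag options like 'nocase' get ''
        options[key.strip()] = val.strip().strip('"')
    rule = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dst', 'dport')}
    rule['options'] = options
    return rule

def attempted_recon_msgs(rule_texts):
    """msg strings of rules whose classtype marks an attempted information leak."""
    return [r['options'].get('msg', '') for r in map(parse_rule, rule_texts)
            if r['options'].get('classtype') == 'attempted-recon']
```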