Building Open Source Network Security Tools: Components and Techniques [Electronic resources] (text version)

Mike D. Schiffman


Sample Program–Clutch

The following small program illustrates some of the basic functionality provided in the libdnet library. Clutch is a small tool that sits on a machine and monitors its ARP cache and route table against a predefined ruleset for tampering. If a rule is violated, Clutch will warn the user; if configured to do so, it will reset the entry to its predefined state. Clutch builds its ruleset from a simple text-based, line-delimited configuration file that the user previously creates. Invoked with the -h switch or with no arguments, Clutch dumps its usage as follows:


tradecraft: ~# ./clutch
Clutch 1.0 [ARP cache / route table monitoring tool]
<ctrl-c> to quit
usage: ./clutch [options] -c config_file:
-c filename configuration file
-h this jonk here
-e enforce rules rather than just warn
-s sleep interval in seconds
-v be more verbose

The required -c option specifies the configuration file (described as follows). The -e option tells Clutch to enforce the rules rather than to just warn when they are violated. The -s option enables the user to tune how often Clutch wakes up to check things out. Finally, the -v option results in more words dumped to the screen for the user to view.

You can specify two types of rule in the configuration file: an ARP cache rule and a route table rule. An ARP cache rule begins with the "ARP" keyword, and a route table rule begins with the "RTE" keyword. After the keyword come two addresses separated by "->", which denote a mapping: for an ARP rule, a MAC address followed by the IP address it should map to; for a route table rule, a destination IP address followed by the gateway IP address it should be reached through. A series of these rules, one per line, makes up the configuration file that Clutch reads and parses into its rules database.

The following sample configuration file specifies five ARP cache rules and two route table rules:



# Clutch configuration file
#
# ARP cache entries
#
# ARP <MAC address> -> <corresponding protocol address>
ARP 00:00:2f:21:f2:a1 -> 192.168.0.1
ARP 00:01:bc:01:11:29 -> 192.168.0.2
ARP 00:01:f2:01:22:33 -> 192.168.0.3
ARP 00:a0:c9:42:a4:ff -> 192.168.0.4
ARP 00:40:96:5b:12:10 -> 192.168.0.5
#
# Route table entries
#
# RTE <destination IP address> -> <gateway IP address>
RTE 192.168.0.1 -> 127.0.0.1
RTE 192.168.2.0 -> 192.168.1.1
# EOF

Clutch is useful for high-level network state monitoring and correction. It is a watchdog tool that alerts the network administrator if anyone or anything tampers with the ARP cache or routing table, whether through a malfunctioning local machine or router or through an attacker with nefarious deeds in mind. Many well-known network-level attacks, such as ARP cache poisoning and route table manipulation, work by exactly this kind of tampering.

You can invoke Clutch in "strict policy enforcement mode," in which it attempts to reset any entry that violates its rules database. If Clutch cannot reset an entry, it still attempts to delete the offending entry from the system. Consider the following invocation of Clutch, using the sample configuration file shown earlier:


tradecraft: ~# clutch -v -e -c clutch.cf
Clutch 1.0 [ARP cache / route table monitoring tool]
<ctrl-c> to quit
Verbose mode is on.
Strict policy enforcement in effect.
added ARP mapping rule 00:00:2f:21:f2:a1 -> 192.168.0.1
added ARP mapping rule 00:01:bc:01:11:29 -> 192.168.0.2
added ARP mapping rule 00:01:f2:01:22:33 -> 192.168.0.3
added ARP mapping rule 00:a0:c9:42:a4:ff -> 192.168.0.4
added ARP mapping rule 00:40:96:5b:12:10 -> 192.168.0.5
added route table rule 192.168.0.1 -> 127.0.0.1
added route table rule 192.168.2.0 -> 192.168.1.1
State database loaded (7 rule(s)).
Program initialized, watching for violations...
[Feb 4 16:30:34 ARP cache rule violation: 00:01:bc:01:11:29 -> 10.0.0.1]
[entry should be: 00:01:bc:01:11:29 -> 192.168.0.2]
[bogus ARP cache entry deleted]
[correct ARP cache entry restored]
[Feb 4 22:22:50 route table rule violation: 192.168.2.0 -> 10.0.0.1]
[entry should be: 192.168.2.0 -> 192.168.1.1]
[bogus route table entry deleted]
[correct route table entry restored]

We invoked Clutch in verbose and strict mode, and it successfully loaded all seven rules. Immediately, Clutch found an anomalous entry in the ARP cache (MAC address 02:02:02:02:02:02 mapping to IP address 10.0.0.1), then summarily deleted it and restored the correct mapping. A few hours later, Clutch found another rule violation, this time an incorrect route table entry (destination address 192.168.2.0 through gateway 10.0.0.1), and subsequently fixed it as well.
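The following is an added worked example, not code from the book or from Clutch itself. It implements the two pieces described in this section in C: a parser for the line-delimited ARP/RTE rule file, and a check pass that compares the parsed rules with the current ARP cache and route table and, in enforcement mode, resets tampered entries the way strict policy enforcement does. So that it runs offline it does not link against libdnet; the ARP cache and route table are constructed in-memory snapshots (in the real tool they would be read through libdnet), and an ARP rule is keyed on its IP address, since that is what the cache is looked up by. The structure names, the shortened copy of the sample rule file and the poisoned values in the snapshot (02:02:02:02:02:02 for 192.168.0.2 and gateway 10.0.0.1 for 192.168.2.0, mirroring the sample session) are all my own constructions.

```c
/* Added example, not Clutch's own source: a Clutch-style rule parser and check
 * pass.  libdnet is not linked; the ARP cache and route table are constructed
 * in-memory snapshots (the real tool reads them through libdnet). */
#include <stdio.h>
#include <string.h>
#define MAX_RULES 64
#define MAX_ENTRIES 16
#define ADDR_LEN 32
enum rule_type { RULE_ARP, RULE_RTE };
/* key = what the kernel looks up (IP for ARP, destination for a route);
 * want = what the rule says it must map to (MAC address or gateway). */
struct rule  { enum rule_type type; char key[ADDR_LEN]; char want[ADDR_LEN]; };
struct entry { char key[ADDR_LEN]; char val[ADDR_LEN]; };
struct table { struct entry e[MAX_ENTRIES]; int n; };
struct snapshot { struct table arp, rte; };  /* current ARP cache and route table */

/* Parse the rule file (blank lines and '#' comments skipped).  Returns the
 * rule count, or -1 at the first malformed line or unknown keyword. */
int clutch_parse(const char *text, struct rule *rules, int max)
{
    int n = 0;
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        char line[128], kw[4], a[ADDR_LEN], b[ADDR_LEN];
        if (len >= sizeof line) return -1;
        memcpy(line, text, len); line[len] = '\0';
        text = nl ? nl + 1 : text + len;
        if (sscanf(line, " %3s", kw) != 1 || kw[0] == '#') continue;
        if (n == max || sscanf(line, "%3s %31s -> %31s", kw, a, b) != 3) return -1;
        if (strcmp(kw, "ARP") == 0) {         /* file order is MAC -> IP */
            rules[n].type = RULE_ARP; strcpy(rules[n].key, b); strcpy(rules[n].want, a);
        } else if (strcmp(kw, "RTE") == 0) {  /* file order is destination -> gateway */
            rules[n].type = RULE_RTE; strcpy(rules[n].key, a); strcpy(rules[n].want, b);
        } else return -1;
        n++;
    }
    return n;
}

static struct entry *find(struct table *t, const char *key)
{
    for (int i = 0; i < t->n; i++) if (strcmp(t->e[i].key, key) == 0) return &t->e[i];
    return NULL;
}

/* Report every rule the snapshot violates.  With enforce set, a bogus or missing
 * mapping is reset to the rule's value (Clutch's delete-and-restore, in memory). */
int clutch_check(const struct rule *rules, int n, struct snapshot *s, int enforce, FILE *log)
{
    int bad = 0;
    for (int i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        struct table *t = r->type == RULE_ARP ? &s->arp : &s->rte;
        struct entry *e = find(t, r->key);
        if (e && strcmp(e->val, r->want) == 0) continue;   /* rule satisfied */
        bad++;
        if (log) fprintf(log, "[%s rule violation: %s maps to %s, should be %s]\n",
                 r->type == RULE_ARP ? "ARP cache" : "route table", r->key, e ? e->val : "(missing)", r->want);
        if (!enforce) continue;
        if (!e) {                                          /* re-create a deleted entry */
            if (t->n == MAX_ENTRIES) continue;
            e = &t->e[t->n++]; strcpy(e->key, r->key);
        }
        strcpy(e->val, r->want);                           /* overwrite the bogus value */
    }
    return bad;
}

/* Constructed sample: a shortened copy of the rule file from the text, plus a
 * snapshot in which 192.168.0.2 is poisoned and the 192.168.2.0 route redirected. */
const char CLUTCH_SAMPLE_CONFIG[] =
    "# Clutch configuration file\n"
    "ARP 00:00:2f:21:f2:a1 -> 192.168.0.1\n"
    "ARP 00:01:bc:01:11:29 -> 192.168.0.2\n"
    "ARP 00:01:f2:01:22:33 -> 192.168.0.3\n"
    "RTE 192.168.0.1 -> 127.0.0.1\n"
    "RTE 192.168.2.0 -> 192.168.1.1\n";

/* One check pass: warn-only returns 2; with enforce set the entries are reset
 * and a second, silent pass returns 0. */
int clutch_demo(int enforce)
{
    struct rule rules[MAX_RULES];
    struct snapshot s = {
        { { {"192.168.0.1", "00:00:2f:21:f2:a1"}, {"192.168.0.2", "02:02:02:02:02:02"},
            {"192.168.0.3", "00:01:f2:01:22:33"} }, 3 },
        { { {"192.168.0.1", "127.0.0.1"}, {"192.168.2.0", "10.0.0.1"} }, 2 } };
    int n = clutch_parse(CLUTCH_SAMPLE_CONFIG, rules, MAX_RULES); if (n < 0) return -1;
    int bad = clutch_check(rules, n, &s, enforce, stderr);
    return enforce ? clutch_check(rules, n, &s, 0, NULL) : bad;
}

int main(void)
{
    printf("warn-only: %d violation(s); after enforcement: %d remain\n",
           clutch_demo(0), clutch_demo(1));
    return 0;
}
```

The parser rejects the first malformed line instead of skipping it, so a typo in the rule file (such as a mangled MAC address separator) stops the tool from starting with a partial policy rather than silently watching fewer entries than the administrator intended. A real deployment would replace the snapshot with live reads of the ARP cache and route table and add the deletion step for entries that cannot be reset.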
