GLOBAL GUARD MEETING
Tuesday, July 27, 1999
3-5pm
3085 EU II
In attendance:

Karl Levitt (KL), Steven Templeton (ST), Jeff Rowe (JR), Steven Cheung (SC), Aaron Stearns (AS), Rick Crawford (RC), Marcus Tylutki, and David O'Brien

Concept telnet_connect_local

Requires telnet_reported [TR]
Where Nothing
Has_effect Assert port_connect.host = TR.host
           Assert port_connect.port = TR[TCP,23]

End.

Concept host_port_scan_simple # vertical scan from 1 host

Requires Set-of port_connects [PC]
Where For-all PC target = host 1
      For-all PC source = host 2
      | PC.target_ports | is "high"
Has_effect Provides "info on existence of listening ports" for PC.port

End.

Concept port_connect

Requires Sensor port_connect_reported [PCR]
Where Nothing
Has_effect Assert port_connect.host = PCR.host
           Assert port_connect.port = PCR.port
           Assert port_connect.prot = PCR.protocol

End.

Concept TCP_port_connect

Extends port_connect
Requires
Where
Has_effect Assert port_connect.prot = TCP # PCR.protocol is TCP

End.

Concept connection_spoof_prelude

Requires Sensor DOS
         Sensor seq_num_probe [SNP]
         Sensor spoofed_packet_send [SPS]
Where DOS.effect includes port(x)
      DOS.active while SNP.active
      DOS.active while SPS.active
      SPS.src_host == DOS.target_host # apparent sender
Has_effect Allows modification with_capabilities of DOS.target_user
           Allows read with_capabilities of DOS.target_user

End.

Concept syn_flood

Requires syn_flood_detected [SFD]
Where Nothing
Has_effect DOS.target.host ← SFD.dst.host
           DOS.target.port ← SFD.dst.port
           DOS.active ← [SFD.time1, SFD.time2]

End.
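The scan, SYN-flood and spoof-prelude concepts above are written abstractly. As an added example (not from the GLOBAL GUARD notes or any project code), the Python below evaluates host_port_scan_simple, syn_flood and connection_spoof_prelude over constructed sensor reports: port connects are grouped per (source, target) pair, a SYN-flood report becomes a DOS fact with an active interval, and the prelude fires only when a sequence-number probe and a spoofed send both fall inside that interval with the spoofed packet's apparent sender being the host under DOS. The event dictionaries, function names, the numeric threshold for a "high" port count, and the reading of "DOS.effect includes port(x)" as "the DOS silences the port the spoofed packet claims to come from" are assumptions; the notes give none of them.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumption: the notes say |PC.target_ports| is "high" without a number;
# 20 distinct target ports is the threshold used here.
HIGH_PORT_COUNT = 20


@dataclass(frozen=True)
class PortConnect:
    """Concept port_connect, asserted from one port_connect_reported event."""
    src: str      # connecting host
    host: str     # PCR.host, the target
    port: int     # PCR.port
    prot: str     # PCR.protocol


@dataclass(frozen=True)
class DOS:
    """DOS fact as filled in by syn_flood (and unplugged_cable)."""
    target_host: str
    target_port: object       # a port number, or "*" for the whole host
    active: tuple             # (time1, time2)


def port_connects_from_reports(reports):
    """Concept port_connect: one fact per sensor report."""
    return [PortConnect(r["src"], r["host"], r["port"], r["protocol"])
            for r in reports]


def host_port_scans(pcs, high=HIGH_PORT_COUNT):
    """Concept host_port_scan_simple: group port_connects by (source, target)
    and keep the pairs whose number of distinct target ports is high.
    Returns {(source, target): sorted target ports}."""
    ports = defaultdict(set)
    for pc in pcs:
        ports[(pc.src, pc.host)].add(pc.port)
    return {pair: sorted(ps) for pair, ps in ports.items() if len(ps) >= high}


def syn_flood(sfd):
    """Concept syn_flood: DOS.target.host <- SFD.dst.host,
    DOS.target.port <- SFD.dst.port, DOS.active <- [SFD.time1, SFD.time2]."""
    return DOS(sfd["dst_host"], sfd["dst_port"], (sfd["time1"], sfd["time2"]))


def active_at(dos, t):
    """'DOS.active while X.active': X happened inside the DOS interval."""
    t1, t2 = dos.active
    return t1 <= t <= t2


def connection_spoof_prelude(dos, seq_probes, spoofed_sends):
    """Concept connection_spoof_prelude. True when a sequence-number probe
    and a spoofed packet send both fall inside the DOS interval and the
    spoofed packet's apparent sender is the host under DOS. Assumed reading
    of 'DOS.effect includes port(x)': the DOS covers the whole host ("*") or
    the port the spoofed packet claims to come from, so the real host
    cannot reset the forged connection."""
    probe_ok = any(active_at(dos, p["time"]) for p in seq_probes)
    send_ok = any(active_at(dos, s["time"])
                  and s["src_host"] == dos.target_host
                  and dos.target_port in ("*", s["src_port"])
                  for s in spoofed_sends)
    return probe_ok and send_ok


# Constructed sensor reports (not from the notes): 10.0.0.5 sweeps 25 ports
# on 10.0.0.9, while 10.0.0.7 touches only three of them.
SCAN_REPORTS = [{"src": "10.0.0.5", "host": "10.0.0.9", "port": p, "protocol": "TCP"}
                for p in range(1, 26)]
SCAN_REPORTS += [{"src": "10.0.0.7", "host": "10.0.0.9", "port": p, "protocol": "TCP"}
                 for p in (22, 23, 25)]
# Constructed: port 513 of 10.0.0.9 is SYN-flooded from t=100 to t=200, a
# sequence-number probe of 10.0.0.10 lands at t=120, and packets claiming to
# come from 10.0.0.9:513 reach 10.0.0.10 at t=150 (inside) and t=250 (outside).
SFD = {"dst_host": "10.0.0.9", "dst_port": 513, "time1": 100, "time2": 200}
SEQ_PROBES = [{"host": "10.0.0.10", "time": 120}]
SPOOFED_SENDS = [
    {"src_host": "10.0.0.9", "src_port": 513, "dst_host": "10.0.0.10", "time": 150},
    {"src_host": "10.0.0.9", "src_port": 513, "dst_host": "10.0.0.10", "time": 250},
]

if __name__ == "__main__":
    print(host_port_scans(port_connects_from_reports(SCAN_REPORTS)))
    dos = syn_flood(SFD)
    print(dos, connection_spoof_prelude(dos, SEQ_PROBES, SPOOFED_SENDS))
```

Only the 10.0.0.5 pair crosses the assumed threshold; the prelude is true for the flood as given and false if the flood hits a different port (the spoofed source port is then not silenced), if no probe is reported, or if the DOS interval does not cover the probe.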

Concept unplugged_cable

Requires unplugged_cable_detector [UCD]
Where Nothing
Has_effect DOS.target.host ← UCD.dst.host
           DOS.target.port ← *
           DOS.active ← [UCD.time1, UCD.time2]

End.

Concept linux5.1_i386_IMAP_known_vulnerable

Requires Concept port_scan [PS]
         Domain topology_map [TOPM] # was [TPM]
         Service_avail [SA]
Where Not (TOPM.host[PS.host].OS.patches includes IMAPD_fixed)
      PS.port includes IMAP\143
      TOPM.host[PS.host].OS = linux5.1
      TOPM.host[PS.host].arch = i386
      SA.service[PS.host] includes IMAP
Has_effect Assert knows (PS.S&C, PS.host, Linux5.1_IMAP_vulnerable)

End.

Concept

Requires knows (*, host, Linux5.1_IMAP_vulnerable)