Global Guard Meeting Notes - July 27, 1999 - UC Davis Computer Security Laboratory

GLOBAL GUARD MEETING
Tuesday, July 27, 1999
3-5pm
3085 EU II In attendance:

Karl Levitt (KL), Steven Templeton (ST), Jeff Rowe (JR), Steven Cheung (SC), Aaron Stearns (AS), Rick Crawford (RC), Marcus Tylutki, and David O'Brien

Concept telnet_connect_local

Requires telnet-reported [IR] Where Nothing Has_effect Assert port_connect.host=TR.host
Assert port_connect.port=TR[TCP,23]

End.

Concept host_port_scan_simple # vertical scan from 1 host

Requires Set-of port_connects [PC] Where For-all PC target = host 1

For-all PC source = host 2

| PC.target_ports | is "high"

Has effect Provides "info on existence of listening ports" for PC.port

End.

Concept port_connect

Requires Sensor port_connect_reported [PCR] Where Has_effect Assert port_connect.host = PCR.host

Assert port_connect.port = PCR.port

Assert port_connect.prot = PCR.protocol

End.

Concept TCP_port.connect

Extends port_connect Requires Where Has-effect Assert port_connect. Proto = PCR.TCP

End.

Concept conection_spoof_prelude

Requires Sensor DOS

Sensor SEQ NUM Probe

Sensor spoofed_packet_send [SPS] Where DOS.effect includes port(x)

DOS.active while seqnumProbe.active

DOS.active while spoofedPacketSend.active

SPS.src-host == DOS.tartget_host #apparent sender

Has-effect Allows modification with_capabilities of DOS.targetuser

Allows read with_capabilities of DOS.targetuser

End.

Concept syn_flood

Requires Syn_flood_detected [SFD] Where Nothing Has_effect DOS.target.host ß SFD.dst.host

DOS.target.port ß SFD.dst.port

DOS.active ß [SFD.time1, SFO.time2]

End

Concept unplugged_cable

Requires Unplugged cable detector [UCD] Where
Nothing

Has_effect

DOS.target.host ß UCD.dst.host

DOS.target.port ß *

DOS.active ß [UCD.time1, UCD.time2]

Concept linux5.1i386-IMAP-known-vulnerable

Requires Concept port-scan [PS] Domain Topology Map [TPM] # was[TPM] Service_avail [SA] Where ù TOPM.host[port_scan.host]OS.patches includes IMAPDfixed

portscan-port includes IMAP\143

TOPM.host[portscan.host],is = linux5.1

TOPM.host[PS.host].arch=i386

SA.service[PS.host] includes IMAP

Has_effect Assert knows (PS.S&C,PS.host, Linux 5.1-IMAP_vulnerable)

End.

Concept

Requires Knows (*, host, Linux 5.1_IMAP_vulnerable)