Network Security Monitoring in Practice: Understanding Incident Detection and Response (Simplified Chinese edition; translation of The Practice of Network Security Monitoring: Understanding Incident Detection and Response)
Author: Richard Bejtlich (US) | Category: 1. -> Security -> Network Security -> Hacker Attacks and Intrusions
Translator:
Publisher: China Machine Press (机械工业出版社) | 3dWoo book number: 41423 (quote this number when enquiring about the book) [Out of stock] | Price: NT$395
Publication date: 5/1/2015
Pages: 278
Discs: 0

Webmaster's recommendation:
Printing: black and white | Language: Simplified Chinese edition

ISBN: 9787111498650
Preface:
Network security monitoring (NSM) is the collection, analysis, and escalation of indications and warnings (I&W) to detect and respond to intrusions.
Richard Bejtlich and Bamm Visscher

Welcome to this book. Its aim is to help you detect and respond to digital intrusions using network-centric operations, tools, and techniques. I have tried to keep the background knowledge and theory required to a minimum and to write the book around practice. I hope it changes the way you look at computer security, or the way you try to influence the people you are responsible for. My focus is not on the planning and defense phases of the security cycle, but on the actions taken for systems that have already been compromised or are on the verge of compromise.

This book is a sequel to, and a complement to, my earlier works on NSM:

The Tao of Network Security Monitoring: Beyond Intrusion Detection (Addison-Wesley, 2005; 832 pages). Tao provides the background, theory, history, and case studies that guide your NSM operations.

Extrusion Detection: Security Monitoring for Internal Intrusions (Addison-Wesley, 2006; 416 pages). After reading Tao, you will find that Extrusion Detection extends the concept of NSM architecture (resisting client-side attacks) and of network forensics.

Real Digital Forensics: Computer Security and Incident Response, co-authored with Keith J. Jones and Curtis W. Rose (Addison-Wesley, 2006; 688 pages). Finally, RDF explains how to integrate NSM with host- and memory-centric forensics, which lets examiners investigate evidence of crimes from the DVD bound with the book.

This book will jump-start your NSM operations, and my methods have stood the test of time. In 2004 my first book already contained the core idea of the "detection-centric" philosophy I proposed: prevention eventually fails. Some readers questioned this conclusion; they believed that if defenses, software security, or network architecture were combined "properly", preventing all intrusions was still potentially possible. In their view, if you can stop attackers from gaining unauthorized access to the network, detection becomes unnecessary. Those who still hold to that philosophy are likely to suffer the kind of long-term, systematic intrusion we see in the media every week.

Almost a decade later, the security industry and the wider information technology (IT) community have begun to recognize that determined intruders can always find a way to compromise their targets. Mature organizations now not only try to stop attackers, but also seek to detect them quickly, respond effectively by scoping the impact of the incident, and contain intruders thoroughly to limit the damage they can do.

Thinking this carefully about enterprise security is wise. Incident response is no longer a rare, special event; rather, it should be a continuous business process with defined metrics and goals. This book provides a set of data, tools, and network-based procedures for you to use, which can help turn your security operation into a weapon against frequent compromise. If you do not know how many intrusions plagued your enterprise last quarter, or how quickly you can detect and contain them, this book will show you how to carry out these activities and track those two key metrics.

Intended audience
This book is aimed at security professionals unfamiliar with NSM, and also at more senior incident handlers, architects, and engineers who need to explain NSM to management, junior analysts, or other less technical people. Experienced NSM practitioners may not learn startling new technical details here, but I believe that few of today's security professionals have learned how to implement NSM properly. Readers frustrated by intrusion detection or prevention systems (IDS/IPS) that provide nothing but alerts will find NSM a refreshing experience.

Prerequisites
I have tried to avoid repeating material that other authors have already covered thoroughly. I assume you understand basic use of the Linux and Windows operating systems and have a basic grasp of TCP/IP networking and of network attack and defense. If your knowledge of TCP/IP or of network attack and defense is lacking, consider these books:

The Internet and Its Protocols: A Comparative Approach, by Adrian Farrel (Morgan Kaufmann, 2004; 840 pages). Farrel's book is not the newest, but it covers a wide range of protocols, including application protocols and IPv6, with bit-level diagrams and compelling descriptions of each.

Wireshark Network Analysis, 2nd edition, by Laura Chappell and Gerald Combs (Laura Chappell University, 2012; 986 pages). Every network and security analyst needs to understand and use Wireshark; this book covers descriptions, screenshots, real case studies, review questions (with answers), hands-on exercises, and dozens of network traces (available online).

Hacking Exposed, 7th edition, by Stuart McClure et al. (McGraw-Hill Osborne Media, 2012; 768 pages). Among books on attacking and defending IT, Hacking Exposed holds the record as the best-selling single title, thanks to its novel approach: introduce a technology; show how to break it; show how to fix it.

Readers comfortable with the core concepts in those books may want to consider the following for a deeper understanding:

Network Forensics: Tracking Hackers through Cyberspace, by Sherri Davidoff and Jonathan Ham (Addison-Wesley, 2012; 592 pages). Network Forensics takes an evidence-centric approach, using network traffic (wired and wireless), network devices (IDS/IPS, switches, routers, firewalls, and web proxies), computers (system logs), and applications to investigate incidents.

Metasploit: The Penetration Tester's Guide, by David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni (No Starch Press, 2011; 328 pages). Metasploit is an open source platform for exploiting target applications and systems, and this book explains how to use it effectively.
A note on software and protocols
The examples in this book rely on the software integrated into the Security Onion (SO) distribution (http://securityonion.blogspot.com/). Doug Burks created SO to make it easier for administrators and analysts to perform NSM with tools such as Snort, Suricata, Bro, Sguil, Squert, Snorby, Xplico, and NetworkMiner. SO is free and can be installed from a bootable Xubuntu ISO image or by adding the SO Personal Package Archive (PPA) to your preferred Ubuntu system. Although FreeBSD remains a powerful operating system, Doug's work on SO, together with Scott Runnels's contributions, has made the Ubuntu Linux branch my first choice for NSM tooling.

I mainly use the software integrated into SO, and the examples in this book use open source tools rather than commercial ones to demonstrate attack and defense. Commercial tools offer many useful features, paid support, and the ability to shift responsibility to a vendor, but I still recommend that readers first consider open source tools to see what they can do. After all, very few organizations provide a large budget for commercial software to start an NSM operation.

This book focuses mainly on IPv4 traffic. Some of the tools packaged with SO support IPv6, but some do not. As IPv6 becomes more widely deployed in production networks, I expect more of the tools in SO to gain IPv6 capability, so a future edition of this book may discuss IPv6.
Scope of this book
This book consists of the following parts and chapters.
Part I introduces NSM and how to place sensors.
Chapter 1 explains why NSM works, to help you win the support needed to deploy NSM in your environment.
Chapter 2 discusses the challenges and solutions surrounding physical access to network traffic.
Part II focuses on installing SO on hardware and configuring it effectively.
Chapter 3 introduces SO and explains how to install the software on spare hardware at low or zero cost to gain basic NSM capability.
Chapter 4 extends Chapter 3, describing how to install a distributed SO system.
Chapter 5 discusses the housekeeping activities that keep an SO installation running smoothly.
Part III focuses on the key software in SO and how to use those applications.
Chapter 6 explains the key features of the Tcpdump, Tshark, Dumpcap, and Argus tools in SO.
Chapter 7 adds the GUI-based software in the NSM toolkit, covering Wireshark, Xplico, and NetworkMiner.
Chapter 8 explains how NSM suites such as Sguil, Squert, Snorby, and ELSA drive the detection and response process.
Part IV discusses how to use NSM procedures and data to detect and respond to intrusions.
Chapter 9 shares the author's experience of building and leading a global computer incident response team (CIRT).
Chapter 10 presents the first NSM case study, in which you learn to apply NSM principles to identify and validate an attack on an Internet-facing application.
Chapter 11 presents the second NSM case study, the case of a user compromised by a client-side attack.
Chapter 12 extends SO's capabilities using the tools and techniques already discussed.
Chapter 13 explains how to overcome two challenges to performing NSM.
The Conclusion offers some thoughts on the future of NSM, with particular attention to cloud environments.
The Appendix contains information from SO developer Doug Burks on the core SO configuration files and control scripts.

Acknowledgments
First I must thank my lovely wife Amy for supporting my work, including the articles, blog posts, and other writing I began before we married. Since my first book was published in mid-2004 we have had two lovely daughters. Elise and Vivian inspired me to start this project, and I thank God every day for the three of you. My parents and sisters have always supported me too, and I am grateful to Michael Macaris, my first kung fu instructor, for the wisdom he poured into me.

Beyond the NSM experts I thanked in my first book, I must also thank the members of the General Electric Computer Incident Response Team (GE-CIRT), who accompanied me on an incredible security journey from 2007 to 2011. We had the best NSM operation in the world. Bamm Visscher, David Bianco, Ken Bradley, Tyler Hudak, Tim Crothers, Aaron Wade, Sandy Selby, Brad Nottle, and the 30-plus other GE-CIRT members: working with you was a great pleasure. Thanks also to Grady Summers, our Chief Information Security Officer at the time, for creating our team, and to Jennifer Ayers and Maurice Hampton for the imaginative freedom they gave us.

I want to thank my Mandiant colleagues for their support, including CEO Kevin Mandia and President Travis Reese, who hired me in 2011 but first showed their trust in me at Foundstone in 2002 and at ManTech in 2004. Thanks to Mandiant's sales team and our partners for giving us a platform and the opportunity to share information with the world. Thanks to the stalwarts who defended Mandiant's own security while this book was being written, Doug Burks, Dani Jackson, Derek Coulson, and Scott Runnels: I admire your dedication, professionalism, and outstanding work ethic. Special thanks to Doug Burks and Scott Runnels for their hard work on the SO project, which brings powerful NSM tools to anyone who wants to try them. I also thank all the open source developers whose software is in SO for their hard work: your help makes all our networks more secure.

Thanks to those who, through conversations, novel projects, and collaboration, challenged my understanding of NSM, including Doug Steelman, Jason Meller, Dustin Webber, and Seth Hall. Those who have read my blog (http://taosecurity.blogspot.com/) since 2003 or my Twitter feed since 2008 encouraged me to write. Thanks also to the security professionals at Black Hat, with whom I have taught since 2002: former leaders Jeff Moss and Ping Look and current leader Trey Ford. Special mention goes to Steve Andres and Joe Klein, who helped me teach whenever my classes grew too large to handle alone.

Finally, thanks to the amazing team that helped me create this book. First, from No Starch Press: founder Bill Pollock, production manager Serena Yang, and publicist Jessica Miller. Marilyn Smith and Julianne Jigour edited the book, and Tina Salameh drew the beautiful cover. Susan Glinert Stevens was the compositor and Ward Webber proofread the book. Technical editors David Bianco, Doug Burks, and Brad Shoop provided incomparable comments, and Brad's wife Renee Shoop volunteered another level of review. Doug Burks, Scott Runnels, Martin Holste, and Brad Shoop also contributed valuable copyediting feedback. Last but not least, Todd Heberlein wrote the foreword. Thanks to Todd for developing the Network Security Monitor software that brought the NSM concept into people's lives in the early 1990s.
About the book:
Written by the Chief Security Strategist of leading security company FireEye and Chief Security Officer of Mandiant, this book explains the core ideas, tools, and best practices of network security monitoring, from NSM principles, tool selection, and environment deployment to identifying, discovering, and intercepting attacks, with detailed coverage of how to use the mainstream NSM tools.

The book has four parts and 14 chapters. Part I (Chapters 1-2) systematically presents the basic principles of NSM and how to deploy sensors to meet various challenges. Part II (Chapters 3-5) covers installing and configuring SO on hardware, stand-alone and distributed SO deployments, and operating and maintaining the SO platform. Part III (Chapters 6-8) introduces the NSM toolkit: command-line and graphical packet analysis tools (for finding problems) and NSM consoles (for driving the detection and response process). Part IV (Chapters 9-14) is the hands-on part, covering how to build an effective NSM team, detect and stop server-side and client-side attacks, extend SO with Bro, recognize and handle proxies and checksums, and apply NSM in cloud and collaborative environments.

Network security is not simply an impregnable wall: determined attackers will eventually break through traditional defenses. Network security monitoring (NSM) integrates the most effective computer security strategy, collecting and analyzing data to help you detect and respond to intrusions. In this book, FireEye Chief Security Strategist and Mandiant Chief Security Officer Richard Bejtlich shows you how to use NSM to add a robust layer of protection around your network, with no prior NSM experience required. To avoid overpriced or inflexible solutions, he uses open source software and vendor-neutral tools to teach you how to deploy, build, and run NSM.

From this book you will learn:
how to decide where to deploy NSM platforms and size them for the monitored network;
how to deploy stand-alone or distributed NSM appliances;
how to use command-line and graphical packet analysis tools and NSM consoles;
how to capture network evidence of server-side and client-side intrusions;
how to integrate threat intelligence into NSM software to identify advanced adversaries.

No method is 100% effective at keeping attackers out of your network, but when they get in you need to be prepared. This book shows how to build a safety net that detects, contains, and controls them. Attacks are unavoidable, but losing sensitive data should not be.
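The summary above says the book's tools collect traffic and turn it into the session data, statistical data, and alert data that an analyst escalates from, and Chapter 1 of the contents distinguishes full content, session, statistical, and alert data. The following is an added editorial example, not code from the book, from Security Onion, or from the author: a small Python aggregator that turns constructed packet records (standing in for full content data) into session data, derives statistical data from it, and raises alert data from a constructed indicator list and a duration rule. The packets, the internal address prefix, and the indicator address are all assumptions made for the example; it runs on the standard library only.

```python
"""Added editorial example (not from the book, Security Onion, or the author):
derive NSM session, statistical and alert data from constructed packet records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A minimal stand-in for one full-content record (one captured frame)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int


@dataclass
class Session:
    """Session (flow) data: one bidirectional conversation keyed by its 5-tuple.
    The endpoint that sent the first packet is treated as the originator."""
    orig: str
    orig_port: int
    resp: str
    resp_port: int
    proto: str
    start: float
    end: float
    orig_bytes: int = 0
    resp_bytes: int = 0
    packets: int = 0


# Constructed sample traffic, not a real capture: a DNS lookup, a short HTTP
# fetch, and a long outbound SSH session from an internal host to an external one.
PACKETS = [
    Packet(1.00, "192.168.1.10", 51234, "192.168.1.1", 53, "udp", 64),
    Packet(1.01, "192.168.1.1", 53, "192.168.1.10", 51234, "udp", 120),
    Packet(2.00, "192.168.1.10", 51235, "203.0.113.20", 80, "tcp", 60),
    Packet(2.01, "203.0.113.20", 80, "192.168.1.10", 51235, "tcp", 60),
    Packet(2.02, "192.168.1.10", 51235, "203.0.113.20", 80, "tcp", 400),
    Packet(2.10, "203.0.113.20", 80, "192.168.1.10", 51235, "tcp", 1500),
    Packet(2.11, "203.0.113.20", 80, "192.168.1.10", 51235, "tcp", 1500),
    Packet(3.00, "192.168.1.20", 40000, "198.51.100.7", 22, "tcp", 60),
    Packet(3.01, "198.51.100.7", 22, "192.168.1.20", 40000, "tcp", 60),
    Packet(3.02, "192.168.1.20", 40000, "198.51.100.7", 22, "tcp", 1400),
    Packet(900.0, "192.168.1.20", 40000, "198.51.100.7", 22, "tcp", 1400),
]

INTERNAL_PREFIXES = ("192.168.",)   # assumption: the monitored site's address space
INDICATORS = {"198.51.100.7"}       # constructed indicator for the example, not a real IoC


def build_sessions(packets):
    """Aggregate packets into sessions. Both directions of a conversation share
    one key (protocol plus the sorted endpoint pair), so replies land in the
    same record as the request that opened it."""
    sessions = {}
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        key = (p.proto, min(a, b), max(a, b))
        s = sessions.get(key)
        if s is None:
            s = Session(p.src, p.sport, p.dst, p.dport, p.proto, p.ts, p.ts)
            sessions[key] = s
        s.end = max(s.end, p.ts)
        s.packets += 1
        if (p.src, p.sport) == (s.orig, s.orig_port):
            s.orig_bytes += p.length
        else:
            s.resp_bytes += p.length
    return list(sessions.values())


def statistics(sessions):
    """Statistical data: session count and byte volume per (protocol, responder
    port), the kind of summary an analyst scans before opening any one session."""
    stats = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for s in sessions:
        entry = stats[(s.proto, s.resp_port)]
        entry["sessions"] += 1
        entry["bytes"] += s.orig_bytes + s.resp_bytes
    return dict(stats)


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def find_alerts(sessions, long_session_seconds=600):
    """Alert data, the escalation step: flag sessions that touch a known
    indicator, and outbound sessions from internal hosts that run unusually long."""
    alerts = []
    for s in sessions:
        if s.resp in INDICATORS or s.orig in INDICATORS:
            alerts.append(("indicator-match", s))
        if (is_internal(s.orig) and not is_internal(s.resp)
                and s.end - s.start >= long_session_seconds):
            alerts.append(("long-outbound-session", s))
    return alerts


if __name__ == "__main__":
    found = build_sessions(PACKETS)
    for s in found:
        print(f"{s.proto} {s.orig}:{s.orig_port} -> {s.resp}:{s.resp_port} "
              f"pkts={s.packets} orig_bytes={s.orig_bytes} resp_bytes={s.resp_bytes} "
              f"dur={s.end - s.start:.2f}s")
    print(statistics(found))
    for name, s in find_alerts(found):
        print(f"ALERT {name}: {s.orig} -> {s.resp}:{s.resp_port}")
```

The point of keying on the sorted endpoint pair is that a single session record answers the question an analyst actually asks ("who talked to whom, for how long, and which side sent the bulk of the bytes"), which neither the raw packets nor per-direction counters do; the two alert rules show why the book treats alerts as the starting point of an investigation rather than its conclusion, since the long-session rule fires on the same conversation as the indicator match but for a reason that needs a human to judge.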
Contents:
Translator's Preface
Foreword
Preface
Part I  Getting Started
Chapter 1  Network Security Monitoring Rationale
1.1  An Introduction to NSM
1.1.1  Does NSM Prevent Intrusions?
1.1.2  What Is the Difference Between NSM and Continuous Monitoring?
1.1.3  How Does NSM Compare with Other Approaches?
1.1.4  Why Does NSM Work?
1.1.5  How NSM Is Set Up
1.1.6  When NSM Won't Work
1.1.7  Is NSM Legal?
1.1.8  How Can You Protect User Privacy During NSM Operations?
1.2  A Sample NSM Test
1.3  The Range of NSM Data
1.3.1  Full Content Data
1.3.2  Extracted Content Data
1.3.3  Session Data
1.3.4  Transaction Data
1.3.5  Statistical Data
1.3.6  Metadata
1.3.7  Alert Data
1.4  What's the Point of All This Data?
1.5  NSM Drawbacks
1.6  Where Can I Buy NSM?
1.7  Where Can I Go for Support or More Information?
1.8  Conclusion
Chapter 2  Collecting Network Traffic: Access, Storage, and Management
2.1  A Sample Network for a Pilot NSM System
2.1.1  Traffic Flow in a Simple Network
2.1.2  Possible Locations for NSM
2.2  IP Addresses and Network Address Translation
2.2.1  Net Blocks
2.2.2  IP Address Assignments
2.2.3  Address Translation
2.3  Choosing the Best Place to Obtain Network Visibility
2.3.1  Location for DMZ Network Traffic
2.3.2  Locations for Viewing the Wireless and Internal Network Traffic
2.4  Getting Physical Access to the Traffic
2.4.1  Using Switches for Traffic Monitoring
2.4.2  Using a Network Tap
2.4.3  Capturing Traffic Directly on a Client or Server
2.5  Choosing an NSM Platform
2.6  Ten NSM Platform Management Recommendations
2.7  Conclusion
Part II  Security Onion Deployment
Chapter 3  Stand-alone NSM Deployment and Installation
3.1  Stand-alone or Server Plus Sensors?
3.2  Choosing How to Get SO Code onto Hardware
3.3  Installing a Stand-alone System
3.3.1  Installing SO to Hard Drive
3.3.2  Configuring SO Software
3.3.3  Choosing the Management Interface
3.3.4  Installing the NSM Software Components
3.3.5  Checking Your Installation
3.4  Conclusion
Chapter 4  Distributed Deployment
4.1  Installing an SO Server Using the SO .iso Image
4.1.1  SO Server Considerations
4.1.2  Building Your SO Server
4.1.3  Configuring Your SO Server
4.2  Installing an SO Sensor Using the SO .iso Image
4.2.1  Configuring the SO Sensor
4.2.2  Completing Setup
4.2.3  Verifying that the Sensor Is Working
4.2.4  Verifying that the Autossh Tunnel Is Working
4.3  Building an SO Server Using PPAs
4.3.1  Installing Ubuntu Server as the SO Server Operating System
4.3.2  Choosing a Static IP Address
4.3.3  Updating the Software
4.3.4  Configuring Your SO Server via PPA
4.4  Building an SO Sensor Using PPAs
4.4.1  Installing Ubuntu Server as the SO Sensor Operating System
4.4.2  Configuring the System as a Sensor
4.4.3  Running the Setup Wizard
4.5  Conclusion
Chapter 5  SO Platform Housekeeping
5.1  Keeping SO Up to Date
5.1.1  Updating via the GUI
5.1.2  Updating via the Command Line
5.2  Limiting Access to SO
5.2.1  Connecting via a SOCKS Proxy
5.2.2  Changing the Firewall Policy
5.3  Managing SO Data Storage
5.3.1  Managing Sensor Storage
5.3.2  Checking Database Drive Usage
5.3.3  Managing the Sguil Database
5.3.4  Tracking Disk Usage
5.4  Conclusion
Part III  Tools
Chapter 6  Command Line Packet Analysis Tools
6.1  SO Tool Categories
6.1.1  SO Data Presentation Tools
6.1.2  SO Data Collection Tools
6.1.3  SO Data Delivery Tools
6.2  Running Tcpdump
6.2.1  Displaying, Writing, and Reading Traffic with Tcpdump
6.2.2  Using Filters with Tcpdump
6.2.3  Extracting Details from Tcpdump Output
6.2.4  Examining Full Content Data with Tcpdump
6.3  Using Dumpcap and Tshark
6.3.1  Running Tshark
6.3.2  Running Dumpcap
6.3.3  Analyzing Dumpcap's Captured Traffic with Tshark
6.3.4  Using Display Filters with Tshark
6.3.5  Tshark Display Filters in Action
6.4  Running Argus and the Ra Client
6.4.1  Stopping and Starting Argus
6.4.2  The Argus File Format
6.4.3  Examining Argus Data
6.5  Conclusion
Chapter 7  Graphical Packet Analysis Tools
7.1  Using Wireshark
7.1.1  Running Wireshark
7.1.2  Viewing a Packet Capture in Wireshark
7.1.3  Modifying the Default Wireshark Layout
7.1.4  Some Useful Wireshark Features
7.2  Using Xplico
7.2.1  Running Xplico
7.2.2  Creating Xplico Cases and Sessions
7.2.3  Processing Network Traffic
7.2.4  Examining the Decoded Traffic
7.2.5  Getting Metadata and Summarizing Traffic
7.3  Examining Content with NetworkMiner
7.3.1  Running NetworkMiner
7.3.2  Collecting and Organizing Traffic Details
7.3.3  Rendering Content
7.4  Conclusion
Chapter 8  NSM Consoles
8.1  An NSM-centric Look at Network Traffic
8.2  Using Sguil
8.2.1  Running Sguil
8.2.2  Sguil's Six Key Functions
8.3  Using Squert
8.4  Using Snorby
8.5  Using ELSA
8.6  Conclusion
Part IV  NSM in Action
Chapter 9  NSM Operations
9.1  The Enterprise Security Cycle
9.1.1  The Planning Phase
9.1.2  The Resistance Phase
9.1.3  The Detection and Response Phases
9.2  Collection, Analysis, Escalation, and Resolution
9.2.1  Collection
9.2.2  Analysis
9.2.3  Escalation
9.2.4  Resolution
9.3  Remediation
9.3.1  Using NSM to Improve Security
9.3.2  Building a CIRT
9.4  Conclusion
Chapter 10  Server-side Compromise
10.1  Server-side Compromise Defined
10.2  Server-side Compromise in Action
10.2.1  Starting with Sguil
10.2.2  Querying Sguil for Session Data
10.2.3  Returning to Alert Data
10.2.4  Reviewing Full Content Data with Tshark
10.2.5  Understanding the Backdoor
10.2.6  What Did the Intruder Do?
10.2.7  What Else Did the Intruder Do?
10.3  Exploring the Session Data
10.3.1  Searching Bro DNS Logs
10.3.2  Searching Bro SSH Logs
10.3.3  Searching Bro FTP Logs
10.3.4  Decoding the Theft of Sensitive Data
10.3.5  Extracting the Stolen Archive
10.4  Stepping Back
10.4.1  Summarizing Stage 1
10.4.2  Summarizing Stage 2
10.4.3  Next Steps
10.5  Conclusion
Chapter 11  Client-side Compromise
11.1  Client-side Compromise Defined
11.2  Client-side Compromise in Action
11.2.1  Getting the Incident Report from the User
11.2.2  Starting Analysis with ELSA
11.2.3  Looking for Missing Traffic
11.3  Analyzing the Bro dns.log File
11.4  Checking Destination Ports
11.5  Examining the Command-and-Control Channel
11.5.1  Initial Access
11.5.2  Improving the Shell
11.5.3  Summarizing Stage 1
11.5.4  Pivoting to a Second Victim
11.5.5  Installing a Covert Tunnel
11.5.6  Enumerating the Victim
11.5.7  Summarizing Stage 2
11.6  Conclusion
Chapter 12  Extending SO
12.1  Using Bro to Track Executables
12.1.1  Hashing Downloaded Executables with Bro
12.1.2  Submitting a Hash to VirusTotal
12.2  Using Bro to Extract Binaries from Traffic
12.2.1  Configuring Bro to Extract Binaries from Traffic
12.2.2  Collecting Traffic to Test Bro
12.2.3  Testing Bro: Extracting Binaries from HTTP Traffic
12.2.4  Examining the Binary Extracted from HTTP
12.2.5  Testing Bro: Extracting Binaries from FTP Traffic
12.2.6  Examining the Binary Extracted from FTP
12.2.7  Submitting a Hash and Binary to VirusTotal
12.2.8  Restarting Bro
12.3  Using APT1 Intelligence
12.3.1  Using the APT1 Module
12.3.2  Installing the APT1 Module
12.3.3  Generating Traffic to Test the APT1 Module
12.3.4  Testing the APT1 Module
12.4  Reporting Downloads of Malicious Binaries
12.4.1  Using the Team Cymru Malware Hash Registry
12.4.2  The MHR and SO: Active by Default
12.4.3  The MHR and SO vs. a Malicious Download
12.4.4  Identifying the Binary
12.5  Conclusion
Chapter 13  Proxies and Checksums
13.1  Proxies
13.1.1  Proxies and Visibility
13.1.2  Dealing with Proxies in Production Networks
13.2  Checksums
13.2.1  A Good Checksum
13.2.2  A Bad Checksum
13.2.3  Identifying Good and Bad Checksums with Tshark
13.2.4  How Bad Checksums Happen
13.2.5  Bro and Bad Checksums
13.2.6  Setting Bro to Ignore Bad Checksums
13.3  Conclusion
Chapter 14  Conclusion
14.1  Cloud Computing
14.1.1  Cloud Computing Challenges
14.1.2  Cloud Computing Benefits
14.2  Workflow, Metrics, and Collaboration
14.2.1  Workflow and Metrics
14.2.2  Collaboration
14.3  Conclusion
Appendix  SO Scripts and Configuration