Honeytoken trigger mechanism has an insecure aspect #204
As the title says: by capturing packets with Wireshark while opening a honeytoken file, I found that the key way a honeytoken triggers an alert is a GET request to a specific URL on port 7878 (by default http://[ip/FQDN]:7878/alert/bait_token/[num]). This URL is generated with an obvious incrementing-number pattern, and a bare GET request is enough to make the server raise an alert. This could allow an attacker to use a bulk HTTP request tool to request the URL with incrementing numbers, polluting the server's legitimate records and interfering with operators reviewing the logs.
Suggested fix: when generating a honeytoken file, generate a unique, hard-to-guess token similar to a web cookie, and only mark the corresponding honeytoken file as "compromised" when a request carries the correct token.
I also have the following suggestions for the honeybait/honeytoken feature:
Thanks!
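The design the issue proposes, as an added example that is not part of the issue or the project's own code: the alert endpoint keeps the `/alert/bait_token/<value>` shape on port 7878 described above, but the value is a random token issued per file rather than a sequential number. The `TokenRegistry`, `BaitFile`, `legacy_trigger` and `handle_get` names, the hashed token storage and the sample file names are assumptions made for this illustration; Python is used only because the issue does not name the project's language.

```python
"""Hardened honeytoken alert endpoint (added example, not the project's code).

Assumptions: the alert URL keeps the shape /alert/bait_token/<value> on port
7878 as the issue describes; the registry, file ids, hashed storage and the
legacy comparison function are hypothetical and exist only to show the design.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

ALERT_PREFIX = "/alert/bait_token/"


def legacy_trigger(path: str, known_ids: range) -> Optional[int]:
    """The sequential scheme the issue describes: any in-range integer alerts."""
    if not path.startswith(ALERT_PREFIX):
        return None
    try:
        n = int(path[len(ALERT_PREFIX):])
    except ValueError:
        return None
    return n if n in known_ids else None


def _digest(token: str) -> str:
    # Only a SHA-256 of the token is stored and used as the lookup key, so a
    # dump of the registry does not reveal the tokens embedded in the files.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class BaitFile:
    file_id: int
    name: str
    compromised: bool = False


@dataclass
class TokenRegistry:
    """Maps the hash of each secret token to the bait file it was embedded in."""
    files: Dict[str, BaitFile] = field(default_factory=dict)
    unknown_hits: int = 0  # requests that matched no token, counted separately

    def issue(self, file_id: int, name: str) -> str:
        # 256 bits from the OS CSPRNG: no ordering between files, not guessable.
        token = secrets.token_urlsafe(32)
        self.files[_digest(token)] = BaitFile(file_id, name)
        return token

    def alert_url(self, host: str, token: str) -> str:
        # Hypothetical URL layout, following the shape quoted in the issue.
        return f"http://{host}:7878{ALERT_PREFIX}{token}"

    def handle_get(self, url_or_path: str) -> Optional[BaitFile]:
        """Mark a file compromised only when the presented token is known."""
        path = urlsplit(url_or_path).path
        if not path.startswith(ALERT_PREFIX):
            return None
        presented = path[len(ALERT_PREFIX):]
        bait = self.files.get(_digest(presented))
        if bait is None:
            # Unknown values are logged as noise, never as a file compromise,
            # so bulk guessing cannot pollute the compromise records.
            self.unknown_hits += 1
            return None
        bait.compromised = True
        return bait


if __name__ == "__main__":
    registry = TokenRegistry()
    token = registry.issue(1, "constructed-sample.xlsx")
    print(registry.handle_get(registry.alert_url("honeypot.example", token)))
    print(registry.handle_get("/alert/bait_token/2"), registry.unknown_hits)
```

Looking the token up by its hash means an attacker who can observe response timing learns at most something about a stored digest, not about the token itself, and a correct token still triggers the same alert path the issue observed.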