
[Repost] MSE 2.0 Network Inspection System explained

freebe
Posted on 2010-7-30 13:04:55
Network Inspection System signatures


This is by design, and indicates that the Network Inspection System is working correctly.

All signatures will be "Off" unless your system is vulnerable to a particular network exploit. In order to ensure that NIS does not impact system performance unnecessarily, signatures are activated only if the system is not patched against a specific vulnerability. So if your system is fully patched, all signatures will be turned off and NIS stops doing any network traffic inspection.

If you look further up in NisLog.txt you'll see an explanation for each signature about why it is or is not active. For example NIS protects against the MS08-067 (CVE-2008-4250) vulnerability that was exploited by the Conficker worm. On a Win7 system you'll see this in the log:

[07/13/10-14:51:58] [Off] Sig {dc1723b8-9db5-44ef-baae-3b52f37adcf2} Vuln:Win/MSRPC.SRVSVC.RCE!2008-4250 - Signature not applicable on OS

This means the signature is disabled because this vulnerability is not applicable to Win7. On a fully patched Vista system you would see something like this:

[07/13/10-14:51:58] [Off] Sig {dc1723b8-9db5-44ef-baae-3b52f37adcf2} Vuln:Win/MSRPC.SRVSVC.RCE!2008-4250 - Signature retired - KB958644 was found

In this case the signature is not active (i.e. "retired") because the system is patched against the vulnerability.

Also, as you can see in the log, there are 229 NIS signatures. However, only 6 signatures have been selected by our research and response team in the MMPC at this point to include in MSE (the others are used by the Threat Management Gateway (TMG) for filtering at the edge). Here's an example of a signature that applies to TMG but not to MSE:

[07/25/10-21:46:11] [Off] Sig {77dea3a7-62cc-4b83-8586-62a997361dd5} Vuln:Win/ASP.NET.RCE!2007-0042 - Signature not Host-Detect or Host-Block

"Signature not Host-Detect or Host-Block" means this signature isn't used in MSE.

We'll probably do a blog post before too long with some additional explanation about this feature.

Hope that helps.

Randy




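The post explains how to read the per-signature status lines in NisLog.txt. The following parser is an added example (not from the post or from Microsoft) that classifies each line into the cases Randy describes: not applicable to the OS, retired because a KB is installed, TMG-only, or active (meaning the host lacks the patch and is worth a look). The [On] line, its GUID and reason text, and the header line in the sample are constructed assumptions.

```python
import re
from collections import Counter

# One NisLog.txt signature-status line, in the shape quoted in the post:
# [MM/DD/YY-HH:MM:SS] [On|Off] Sig {GUID} Vuln:<name> - <reason>
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\[(?P<state>On|Off)\]\s+Sig\s+"
    r"\{(?P<guid>[0-9a-fA-F-]{36})\}\s+(?P<name>\S+)\s+-\s+(?P<reason>.+)$"
)
KB_RE = re.compile(r"\bKB\d+\b")

def classify(state, reason):
    """Map a state/reason pair onto the cases the post describes."""
    if state == "On":
        return "active"  # host lacks the patch, so NIS is inspecting for this exploit
    r = reason.lower()
    if "not applicable on os" in r:
        return "not_applicable_os"  # vuln does not exist on this Windows version
    if "signature retired" in r:
        return "retired_patched"  # the KB named in the reason is installed
    if "not host-detect or host-block" in r:
        return "tmg_only"  # shipped for TMG edge filtering, unused by MSE
    return "off_other"

def parse_line(line):
    """Parse one log line; None for lines that are not a signature status."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    kb = KB_RE.search(m["reason"])
    return {"ts": m["ts"], "state": m["state"], "guid": m["guid"].lower(),
            "name": m["name"], "reason": m["reason"],
            "category": classify(m["state"], m["reason"]),
            "kb": kb.group(0) if kb else None}  # KB that retired the signature

def summarize(lines):
    """Return (category counts, names of active signatures) for a log excerpt."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    counts = Counter(e["category"] for e in entries)
    active = sorted(e["name"] for e in entries if e["category"] == "active")
    return dict(counts), active

# Constructed excerpt: lines 2-3 are quoted in the post (Win7 case, TMG-only case);
# the header line, the [On] line, its GUID and its reason text are hypothetical.
SAMPLE_LOG = """\
NIS signature status (constructed header line)
[07/13/10-14:51:58] [Off] Sig {dc1723b8-9db5-44ef-baae-3b52f37adcf2} Vuln:Win/MSRPC.SRVSVC.RCE!2008-4250 - Signature not applicable on OS
[07/25/10-21:46:11] [Off] Sig {77dea3a7-62cc-4b83-8586-62a997361dd5} Vuln:Win/ASP.NET.RCE!2007-0042 - Signature not Host-Detect or Host-Block
[07/13/10-14:51:58] [On] Sig {00000000-0000-0000-0000-000000000001} Vuln:Win/Example.RCE!0000-0000 - Signature active (constructed)
"""
```

Running `summarize(SAMPLE_LOG.splitlines())` on a real NisLog.txt gives a quick count per category, and the "active" list is the set of vulnerabilities the host is still unpatched for.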
c0x9z8
Posted on 2010-7-30 13:10:34
I can't understand any of this...
默许
Posted on 2010-7-30 13:26:06
It's all in English, I don't understand it. sohubeta
卡江东N
Posted on 2010-7-30 13:29:37
Fixing the network? Confused.
wwxyz
Posted on 2010-7-30 15:48:24
Could the OP tidy this up and give a short introduction? ~~~ It's a bit hard to follow, heh.
ohlzc
Posted on 2010-7-30 16:15:58
I wonder how many people can actually understand this.
kangxi
Posted on 2010-7-30 16:31:13
The English is hard enough; that Chinese part is even harder to understand than the English...
liu5678
Posted on 2010-7-30 16:43:02
Had a look at the machine-translated Chinese~~~~
Completely unreadable...
Hope someone knowledgeable can provide a human translation.
ljmming
Posted on 2010-7-30 16:47:49
Can't understand it.
freebe
OP | Posted on 2010-7-30 18:15:08
Simply put: the network intrusion prevention definitions target Windows system vulnerabilities. It automatically checks whether the patch for the vulnerability matching your system version is installed; if it is, it stops checking for the corresponding intrusion. Of the 229 intrusion prevention definitions in total, MSE uses only 6; the others are not meant for personal computers.