RE: Intrusion Detection

Subject: RE: Intrusion Detection
Date: Mon, 10 Jul 2006 10:31:43 -0700
Post-compromise detection, especially if the compromiser is employing
rootkit-type functionality, can be almost impossible from the compromised
system itself as long as it is still running the compromised system software.
Frequently, you will have to boot from a forensics-based system to assess the
state of a suspect system.  Determining that a system is suspect and in need
of such treatment is equally difficult, but frequently the compromiser will
use the compromised system to go after bigger fish or to distribute software
or run some unexpected server functionality.  Some tools we have found useful
in noticing computers doing both legitimate and illegitimate unexpected
things include:

1) Regular or automated log management and analysis
2) Flow capture and analysis, such as with ipcad and the flow-tools from
splintered.net
3) An internal intrusion detection system is helpful in observing the spread
of a compromise that either made it unnoticed into the organization or began
internally and was targeted internally.
4) Vulnerability scanners such as Nessus often turn up unexpected
functionality on a system that is either compromise, misconfiguration, or
ignorance.

Here are some URLs:

http://lionet.info/ipcad/
http://www.splintered.net/sw/flow-tools/
http://www.nessus.org
http://www.frozentech.com/content/livecd.php?pick=All&sort=&showonly=forensics

I know my list is decidedly UN*X-based; you can find Windows-based tools as
well.

Jeremy Powell
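The second item in the list above, flow capture and analysis, is the one that most directly catches a box that has started doing "unexpected server functionality" or "going after bigger fish". The following is an added example written for this page, not code from the poster or from ipcad or flow-tools. It triages a batch of unidirectional flow records from a collector and flags three of the patterns the reply describes: an internal host answering on a port it is not supposed to serve, an internal host fanning out to many outside peers, and an internal host pushing an unusual volume to one outside address. The record layout (src,dst,proto,sport,dport,packets,bytes), the 10.1.0.0/16 internal range, the per-host service list, the thresholds and the sample flows are all constructed assumptions.

```python
"""Flow-record triage for hosts doing unexpected things.

Added example, not from the original post. The line format below is a
constructed, simplified one-flow-per-line text; real exporters (ipcad,
flow-tools) print more fields, so adapt parse_flows() to your collector.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions: our address range and the services each internal host is
# allowed to offer to the outside. Anything else it serves is unexpected.
INTERNAL = ip_network("10.1.0.0/16")
KNOWN_SERVICES = {
    "10.1.0.10": {("tcp", 80), ("tcp", 443)},   # public web server
    "10.1.0.11": {("tcp", 25)},                 # mail relay
}
FANOUT_THRESHOLD = 5                 # distinct outside servers per host
OUTBOUND_BYTES_THRESHOLD = 10_000_000  # bytes from one host to one peer

# Constructed sample records: src,dst,proto,sport,dport,packets,bytes
SAMPLE_FLOWS = """\
# outside clients reaching the web server on its expected ports
192.0.2.7,10.1.0.10,tcp,51000,443,20,4000
192.0.2.8,10.1.0.10,tcp,51001,80,10,2000
# reply direction of the same session (server side is still :443)
10.1.0.10,192.0.2.7,tcp,443,51000,18,30000
# mail relay answering an inbound SMTP session
10.1.0.11,192.0.2.9,tcp,25,51002,12,3000
# web server also answering tcp/6667 to an outside client: not on its list
198.51.100.3,10.1.0.10,tcp,40001,6667,15,900
# workstation browsing normally, both directions
10.1.0.22,203.0.113.4,tcp,50100,443,25,5000
203.0.113.4,10.1.0.22,tcp,443,50100,30,90000
# same workstation probing tcp/445 on five more outside hosts
10.1.0.22,203.0.113.11,tcp,50200,445,1,60
10.1.0.22,203.0.113.12,tcp,50201,445,1,60
10.1.0.22,203.0.113.13,tcp,50202,445,1,60
10.1.0.22,203.0.113.14,tcp,50203,445,1,60
10.1.0.22,203.0.113.15,tcp,50204,445,1,60
# internal-to-internal traffic is not judged by any of the three checks
10.1.0.22,10.1.0.10,tcp,50300,80,5,800
# another host pushing a lot of data to a single outside address
10.1.0.30,203.0.113.9,tcp,50400,443,9000,12500000
"""


def parse_flows(text):
    """Parse the constructed record format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, packets, nbytes = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": proto,
                      "sport": int(sport), "dport": int(dport),
                      "packets": int(packets), "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def service_view(flow):
    """Return (server_ip, proto, service_port, client_ip).

    Unidirectional flow records do not say who called whom, so this uses
    the common heuristic that the lower-numbered port is the service side.
    """
    if flow["dport"] <= flow["sport"]:
        return flow["dst"], flow["proto"], flow["dport"], flow["src"]
    return flow["src"], flow["proto"], flow["sport"], flow["dst"]


def triage(flows):
    """Return sorted (kind, host, detail) findings for the three patterns."""
    findings = set()
    peers = defaultdict(set)      # internal client -> outside servers seen
    outbound = defaultdict(int)   # (internal src, outside dst) -> bytes
    for f in flows:
        server, proto, port, client = service_view(f)
        srv_in, cli_in = is_internal(server), is_internal(client)
        if srv_in and not cli_in and \
                (proto, port) not in KNOWN_SERVICES.get(server, set()):
            findings.add(("unexpected_service", server, f"{proto}/{port}"))
        if cli_in and not srv_in:
            peers[client].add(server)
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            outbound[(f["src"], f["dst"])] += f["bytes"]
    for host, servers in peers.items():
        if len(servers) >= FANOUT_THRESHOLD:
            findings.add(("fanout", host, str(len(servers))))
    for (src, dst), total in outbound.items():
        if total >= OUTBOUND_BYTES_THRESHOLD:
            findings.add(("bulk_outbound", src, f"{dst}:{total}"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, host, detail in triage(parse_flows(SAMPLE_FLOWS)):
        print(f"{kind:20s} {host:12s} {detail}")
```

The point of running this on a separate flow collector rather than on the suspect host is the one the reply makes: a rootkitted machine can lie about its own sockets and processes, but it cannot easily hide the packets it sends across the wire. The lower-port heuristic in service_view() is a known simplification; it misjudges services that listen on high ports, so treat a "fanout" or "bulk_outbound" hit as a reason to pull the host for offline examination, not as proof of compromise.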



-----Original Message-----
From: David Robert [mailto:david31900@rogers.com] 
Sent: Sunday, July 09, 2006 7:46 PM
To: webappsec@securityfocus.com
Subject: Intrusion Detection

Hello all,

I've been reading this list for some time and I can't help 
but notice that there is a lot of information and discussion 
about securing systems, but very little about how to detect 
if you *are* compromised.

This is one of my major concerns.  I can advocate all kinds of 
practices and procedures, but eventually someone will get 
through.  So how can I tell?
Especially if they are trying not to leave traces?

Are there a few very simple, dumb things that everyone should 
do in this regard?  If so, then I haven't heard them.  If you 
could list them, or point me to some good resources, it would 
be much appreciated.

Thanks,

