Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Intrusion Detection

from [Jamie Riden] Network Security [Permanent Link]
Subject: Re: Intrusion Detection
Date: Tue, 11 Jul 2006 08:35:48 +1200
On 10/07/06, David Robert <david31900@rogers.com> wrote: 
Hello all,

I've been reading this list for some time and I can't help but notice that
there is a lot of information and discussion about securing systems, but
very little about how to detect if you *are* compromised.


I like to run snort on a separate box and something like tripwire if
you have the time and patience to set it up and monitor it. Do try to
log to a separate, dedicated box if you can.

Things to watch for are 1) scanning for similar vulnerabilities from
your compromised box - typically lots of attempted connections to port
80
2) connections to IRC networks from hosts that shouldn't be connecting to IRC.

Snort has rules which pick up portscanning, some remote include
attempts and some SQL injection attempts as well as IRC connections,
so that can help with detecting the compromise itself and the
aftermath.

If I can just plug one of my own articles,
http://www.nz-honeynet.org/papers/mambo-exploit-obfuscated.pdf , the
compromise was via a remote include and the downloaded malware
included a scanner for similar issues and an IRC client. No attempt
was made to subvert the system, so tripwire may not tell you anything.
In other cases, people have tried to use privilege escalation
exploits.

I agree with Ivan that logging traffic is desirable, but often the
volume of traffic will make this  infeasible.

Btw, I have wget%20 | curl%20, etc. in my mod_security config -
looking at GET and POST data. This will block most of the attacks I've
seen, but may also give you an idea of people who have started off
like this but moved on to more sophisticated attacks.

cheers,
Jamie
--
Jamie Riden / jamesr@europe.com / jamie.riden@computer.org
NZ Honeynet project - http://www.nz-honeynet.org/

-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level attacks that hackers use to sneak into web applications today. This whitepaper will discuss how traditional CSS attacks are performed, how to secure your site against these attacks and check if your site is protected. Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: How to perform SSL certificate validation ?, Ron
Next by Date:  RE: How to perform SSL certificate validation ?, Dominick Baier
Previous by Thread:  Re: Intrusion Detection, Ivan Ristic
Next by Thread:  Re: Intrusion Detection, Daniel Cid
Indexes:  [Date] [Thread] [Top] [All Lists]