IDS mailing list archives

RE: Tools to help incident response

From: "Mark Brunner" <mark_brunner () hotmail com>
Date: Fri, 13 Oct 2006 19:49:30 -0400

Johnny,

You may want to consider a pro-active approach as a long-term control.
Something life WebSense, which plugs into your firewall and identifes
traffic by type, protocol, port and content.  I have used it successfully at
several client locations.  We typically used it to first identify P2P users,
generate reports showing bandwidth usage, and then captured some of the
material to show liability.  Management autorized the blocking once false
positives were ruled out repeatedly.  It's modular and does much more than
P2P.  Worth a look.

If you already have an IDS, you could use that to detect, and if it has IPS
capabilities, block the traffic.
Firewall is also a great chokepoint, as are caching proxy servers.

Useful Links:
Identifying P2P users using traffic analysis
http://www.securityfocus.com/infocus/1843
P2P Detection Methodology Paper:
http://portal.acm.org/citation.cfm?id=1090948.1091375
Snort Forum article: http://www.snort.org/archive-3-409.html

Cheers!
Mark
-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]On Behalf Of Johnny Wong
Sent: Thursday, October 12, 2006 9:30 PM
To: focus-ids () securityfocus com
Subject: Tools to help incident response


Hello,

I am part of the incident response team in my organization. Part of
our daily task is to respond the virus/worm incidents by remote
scanning the suspected machines. We have been using Stinger.exe from
McAfee to do this. The pros of using Stinger are (1) it's
lightweight, (2) it's command-line executed hence I could use Psexec
with it. However, Stinger.exe hasn't been updated since May 06, and
we have encountered situations where it failed to detect newer worm
variants. Can anyone point me to other lightweight virus/worm
scanners out there?

Secondly, we have been having problems with P2P software running in
our networks. Time and again we have to use network logs to trace
P2P-enabled machines and tell the owners of these machines to
uninstall the offending software. Is there a scanning tool out there
that can detect the presence of P2P software on a machine?

Thank you all,

J Wong
Singapore


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in
tro_sfw
to learn more.
------------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

Current thread:

Tools to help incident response Johnny Wong (Oct 13)
- RE: Tools to help incident response Mark Brunner (Oct 16)
- Re: Tools to help incident response Ron Gula (Oct 16)
- <Possible follow-ups>
- RE: Tools to help incident response Chris Brown (Oct 16)