WebApp Sec mailing list archives
RE: Intrusion Detection
From: <Jeremy_Powell () sbcss k12 ca us>
Date: Mon, 10 Jul 2006 10:31:43 -0700
Post compromise detection, especially if the compromiser is employing root kit type functionality, can be almost impossible from the compromised system itself as long as it is still running the compromised system software. Frequently, you will have to boot from a forensics based system to assess the state of a suspect system. Determining that a system is suspect and in need of such treatment is equally difficult, but frequently the compromiser will use the compromised system to go after bigger fish or to distribute software or run some unexpected server functionality.

Some tools we have found useful in noticing computers doing both legitimate and illegitimate unexpected things include:

1) Regular or automated log management and analysis
2) Flow capture and analysis such as with ipcad and the flow tools from splintered.net
3) An internal intrusion detection system is helpful in observing the spread of compromise that either made it unnoticed into the organization or began internally and was targeted internally.
4) Vulnerability scanners such as Nessus often turn up unexpected functionality on a system that is either a compromise, misconfiguration, or ignorance.

Here are some URLs:

http://lionet.info/ipcad/
http://www.splintered.net/sw/flow-tools/
http://www.nessus.org
http://www.frozentech.com/content/livecd.php?pick=All&sort=&showonly=forensics

I know my list is decidedly UN*X based; you can find Windows based tools as well.

Jeremy Powell
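One way to put item 2 of the list above into practice, as an added example that is not code from the post or from ipcad/flow-tools: it reads a constructed, simplified flow format (not real flow-tools output), compares a baseline period against the current one, and flags an internal host that starts answering on a port absent from the baseline (unexpected server functionality) as well as a host fanning out to many peers on one port (going after bigger fish). The internal prefix, threshold and all records are assumptions.

```python
from collections import defaultdict

INTERNAL = "10.1."   # assumed internal address prefix (constructed)

# Constructed, simplified flow records (not real flow-tools output):
# src,sport,dst,dport,proto,bytes -- one flow per line.
BASELINE = """\
10.1.0.5,42111,10.1.0.10,80,tcp,5120
10.1.0.6,42112,10.1.0.10,80,tcp,6200
10.1.0.5,42113,10.1.0.11,25,tcp,900
"""

CURRENT = """\
10.1.0.5,42200,10.1.0.10,80,tcp,5100
203.0.113.9,51000,10.1.0.11,6667,tcp,34000
203.0.113.9,51001,10.1.0.11,6667,tcp,2100
10.1.0.11,40001,198.51.100.20,445,tcp,300
10.1.0.11,40002,198.51.100.21,445,tcp,300
10.1.0.11,40003,198.51.100.22,445,tcp,300
10.1.0.11,40004,198.51.100.23,445,tcp,300
"""

def parse(text):
    """Parse the constructed CSV flow format into tuples."""
    rows = []
    for line in text.splitlines():
        src, sport, dst, dport, proto, nbytes = line.split(",")
        rows.append((src, int(sport), dst, int(dport), proto, int(nbytes)))
    return rows

def services(flows):
    """Set of (host, proto, port) on which internal hosts accepted traffic."""
    return {(dst, proto, dport) for src, _, dst, dport, proto, _ in flows
            if dst.startswith(INTERNAL)}

def new_services(baseline, current):
    """Internal hosts answering on a port never seen in the baseline."""
    return sorted(services(current) - services(baseline))

def fan_out(flows, threshold=3):
    """Internal hosts contacting at least `threshold` distinct peers on one port."""
    peers = defaultdict(set)
    for src, _, dst, dport, proto, _ in flows:
        if src.startswith(INTERNAL):
            peers[(src, proto, dport)].add(dst)
    return sorted((k, len(v)) for k, v in peers.items() if len(v) >= threshold)

if __name__ == "__main__":
    base, cur = parse(BASELINE), parse(CURRENT)
    for host, proto, port in new_services(base, cur):
        print(f"new service: {host} {proto}/{port}")
    for (host, proto, port), n in fan_out(cur):
        print(f"fan-out: {host} -> {n} peers on {proto}/{port}")
```

On the constructed data this reports 10.1.0.11 answering on tcp/6667 (never seen in the baseline) and the same host reaching four external peers on tcp/445; real flow exports need a longer baseline and per-network tuning of the threshold.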
-----Original Message-----
From: David Robert [mailto:david31900 () rogers com]
Sent: Sunday, July 09, 2006 7:46 PM
To: webappsec () securityfocus com
Subject: Intrusion Detection

Hello all,

I've been reading this list for some time and I can't help but notice that there is a lot of information and discussion about securing systems, but very little about how to detect if you *are* compromised. This is one of my major concerns. I can advocate all kinds of practices and procedures, but eventually someone will get through. So how can I tell? Especially if they are trying not to leave traces? Are there a few very simple, dumb things that everyone should do in this regard? If so, then I haven't heard them. If you could list them, or point me to some good resources, it would be much appreciated.

Thanks,