IDS mailing list archives
Re: Tracking back internal incidents to users, not IPs
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Sun, 26 Feb 2006 21:51:37 +1300
We went through this exact exercise 3 years ago. We implemented a WAN-wide deployment of snort IDS servers, monitoring both DMZ and WAN links. This rapidly proved to be more useful in monitoring and responding to *internal* threats, as an internal alert is actually something that can be FIXED - vs a remote attack where you end up needing to contact some email address who is supposed to be a site contact in some other company on the other side of the planet ;-)

Anyway, all an IDS has to initially go on is the source IP. So we had to put some "glue" together to cross-reference that against more useful information, to turn an IDS event into a concise, useful alert. Our current alerts tell us what site and country the offending address lives in, whether it is a RAS/VPDN or local network address, what its (typically) NetBIOS name is, who its suspected owner is, and what their email and phone number is. Quite a lot to go on :-)

In the past, tracking down such information typically was a manual process - it involved talking to the network team (to find out what site/country that address is from), the Windows server team (to find out NetBIOS details/etc), and the Helpdesk team (to find owner/etc). Now, it's automated and takes about 20 secs :-)

Still doesn't make me coffee tho' :-(

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
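The enrichment "glue" described in the post above, as an added example that is not Jason Haar's code or Trimble's tooling: a small Python script that pulls the source IP out of a Snort fast-format alert line and cross-references it against three constructed lookup tables (an address plan mapping subnets to site/country/link type, a WINS/DHCP-style IP-to-NetBIOS map, and a helpdesk-style asset register keyed by NetBIOS name). All subnets, hostnames, owners and contact details below are made up; in a real deployment they would be pulled from the network team's IPAM, the Windows team's WINS/DHCP leases and the helpdesk CMDB.

```python
"""Enrich a Snort alert's source IP with site, link type, NetBIOS name and owner.

Added example, not from the original mailing-list post. All lookup data is
constructed sample data; the structure is what matters.
"""
import ipaddress
import re

# Constructed stand-in for the network team's address plan:
# (cidr, site, country, link_kind). Most-specific prefix wins.
SITE_RANGES = [
    ("10.10.0.0/16", "Christchurch", "NZ", "local"),
    ("10.20.0.0/16", "Sunnyvale", "US", "local"),
    ("10.250.0.0/16", "VPN dial-in pool", "global", "RAS/VPDN"),
]

# Constructed stand-in for a WINS/DHCP-derived IP -> NetBIOS name table.
NETBIOS_BY_IP = {
    "10.10.4.23": "CHC-WS0423",
    "10.250.1.7": "LAPTOP-0007",
}

# Constructed stand-in for a helpdesk asset register keyed by NetBIOS name.
OWNER_BY_HOST = {
    "CHC-WS0423": {"owner": "A. Example", "email": "a.example@example.invalid",
                   "phone": "+64 3 000 0000"},
    "LAPTOP-0007": {"owner": "B. Example", "email": "b.example@example.invalid",
                    "phone": "+1 408 000 0000"},
}

# Matches the tail of a Snort "fast" alert: {PROTO} src[:port] -> dst[:port].
# Port is optional so ICMP alerts parse as well.
ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


def parse_source_ip(alert_line):
    """Return the source IP string from a Snort fast-format alert, or None."""
    m = ALERT_RE.search(alert_line)
    return m.group("src") if m else None


def locate(ip_str):
    """Map an IP to (site, country, link_kind) using the longest matching prefix."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for cidr, site, country, kind in SITE_RANGES:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site, country, kind)
    if best is None:
        return ("unknown", "unknown", "unknown")
    return best[1:]


def enrich(alert_line):
    """Turn a raw alert line into a dict with everything an analyst would want."""
    src = parse_source_ip(alert_line)
    if src is None:
        return None
    site, country, kind = locate(src)
    netbios = NETBIOS_BY_IP.get(src)
    contact = OWNER_BY_HOST.get(netbios, {}) if netbios else {}
    return {
        "src": src,
        "site": site,
        "country": country,
        "link": kind,
        "netbios": netbios,
        "owner": contact.get("owner"),
        "email": contact.get("email"),
        "phone": contact.get("phone"),
    }


def format_alert(info):
    """One-line summary in the style of the post: site/country, link, host, owner."""
    return (f"{info['src']} @ {info['site']} ({info['country']}, {info['link']}) "
            f"host={info['netbios'] or '?'} owner={info['owner'] or '?'} "
            f"email={info['email'] or '?'} phone={info['phone'] or '?'}")


if __name__ == "__main__":
    # Constructed alert line in Snort fast format.
    sample = ("02/26-21:51:37.000000  [**] [1:1000001:1] CONSTRUCTED TEST SIG [**] "
              "[Priority: 2] {TCP} 10.10.4.23:49152 -> 10.20.8.9:445")
    print(format_alert(enrich(sample)))
```

Addresses with no match fall through to "unknown" rather than raising, so a stray alert from an undocumented range still produces a usable line instead of breaking the pipeline.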
Current thread:
- Tracking back internal incidents to users, not IPs Charles Kaplan (Feb 21)
- Re: Tracking back internal incidents to users, not IPs Adam Powers (Feb 22)
- Re: Tracking back internal incidents to users, not IPs Kevin (Feb 22)
- Re: Tracking back internal incidents to users, not IPs John H. Sawyer (Feb 23)
- Re: Tracking back internal incidents to users, not IPs List Spam (Feb 23)
- Re: Tracking back internal incidents to users, not IPs Roland Dobbins (Feb 24)
- <Possible follow-ups>
- Re: Tracking back internal incidents to users, not IPs Michael Allgeier (Feb 22)
- RE: Tracking back internal incidents to users, not IPs Cojocea, Mike (IST) (Feb 24)
- Re: Tracking back internal incidents to users, not IPs Roland Dobbins (Feb 26)
- Re: Tracking back internal incidents to users, not IPs Jason Haar (Feb 26)