Full Disclosure mailing list archives
RE: [inbox] RE: Dcom.c - (Shutting it down on 5,000 systems) - a Paul Schmehl Post
From: "Curt Purdy" <purdy () tecman com>
Date: Wed, 30 Jul 2003 10:23:07 -0500
Along the same line, read The Cuckoo's Egg by Stoll to see where a $.25 discrepancy can lead you when you have enough time and brains to dig.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
root () infosysec net

----------------------------------------
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com]On Behalf Of Andy Wood
Sent: Tuesday, July 29, 2003 5:18 PM
To: full-disclosure () lists netsys com
Cc: 'Schmehl, Paul L'
Subject: [inbox] RE: [Full-disclosure] Dcom.c - (Shutting it down on 5,000 systems) - a Paul Schmehl Post

"Try sitting in front of the console staring at a half a million alerts and see if the IDS *does* anything besides spewing information that *you* have to research, that *you* have to interpret and that *you* have to take action on." - Paul, if I'm not mistaken.

This is the CHIEF complaint of USERS that fail to comprehend how to effectively deploy or use 1 or more IDSs in their environment. This shortsightedness leads to the inability to also use an IDS to provide assistance to the non-security Windows/UNIX admins (spotting misconfigured services as an example). 'How can I collect my overpriced salary, yet not have to do any work'?

Let's bring this to another professional field. 'Ole Paul goes to his doctor....something's amiss. The Doc draws your blood and there is surely something going on....something is in you wreaking havoc, but he's not sure. Maybe it is a mutated virus, a bacterial agent of some sort.....he just can't tell, never seen it before. Oh well for you...there's no machine to tell him and he's not into analyzing the results....too many patients to be worried about one person with a strange 'issue'.....no money in that! Yeah right! How about a Lawyer? Will he pass up his $300+ dollars/hr cause he has to research a case? Nope, just lame Net Admins.

The research is the fun part of the job. It keeps those who like a challenge from putting a gun in their mouths and pulling the trigger from dealing with the lamers. But for those who like only to collect a paycheck, well...I can imagine what a disruption from SLACKING it must be to not have someone issue you an answer!!

It's really a shame people don't get it. Our customers have benefited GREATLY from IDS monitoring (and yes, it does require time and effort). Both inside and outside hackers have been caught, evidence gathered and action taken. Not by the machine, but by a human.....and a machine would not have caught these attempts, nor would IPS....it was done by discovering and ANALYZING/RESEARCHING trends in allowed/authorized traffic, creating special rules for the unknown, etc. I.E., would you have liked to have seen someone accessing your print servers? ....Snort detects this activity, as well as people trying to mod the displays of HP printers. Since you allow unrestricted access to most of your print servers an IDS WOULD prove beneficial! After all, it was allowed web traffic...nothing wrong with www traffic right, as per policy.

Thank God you need not rely on forensic analysis....Talk about an unnecessary pain on the ass, whoo-doggie. All the care required to ensure admissible evidence...it's just not worth it, right?

There are cases in which it is appropriate and safe to use flexresp/shunting with IDSs to reject attacks, or stop use of services. For example, if you don't want your users using AOL, tcp reset the AOL login packets...that'll stop em.....if *you* stay on top of the AOL logon server list, but we're back to the *you*, *you*, *you* part again....sorry. It all seems to go back to the admin's job. Fixing user's font problems or catching a Mitnick wanna-be, let me think.

(Let them praise his name in the dance: let them sing praises unto him with timbrel and harp....KEVIN, PAUL, KEVIN, PAUL, KEVIN, PAUL, KEVIN, PAUL, KEVIN, PAUL.....whoops, while you were reading this you were just hacked... were you....do you know?)

Pick a packet, any packet. It's like a nursery rhyme: Pauly should-a Picked Apart A Hack Attack Packet, but the admin couldn't track the stack smack cause he lacks the faqs. So, as the fast hacks fulfilled their 'Chronic' snacks attacks while surfing the campus fibre backs and covering their syn-ack tracks, little pauly wishes he had a tool that could keep him from playin the suck-a fool.

Adjunct for a reason, are we? See ya!

-----Original Message-----
From: Schmehl, Paul L [mailto:pauls () utdallas edu]
Sent: Tuesday, July 29, 2003 4:06 PM
To: Andy Wood; full-disclosure () lists netsys com
-----Original Message-----
From: Andy Wood [mailto:andy () digitalindustry org]
Sent: Tuesday, July 29, 2003 2:22 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Dcom.c - (Shutting it down on 5,000 systems) - a Paul Schmehl Post
(Now that I see the rest of the orig post I'll comment on the IDS part):
Weak-ass admins ONLY complain that IDS' make work for them AND that they are worthless.....Boo hoo, *we* have to research, *we* have to interpret and *we* have to take action....WAAAAAAAAAAAAAAAAAA.
So, some joe-hacker that has intelligence so far beyond most any-type admin (especially Windows), and he wants into your network.....the complaint is that ya might have to do some analysis?
No, that wasn't the complaint. You completely missed the point. The original poster stated that IDSes "protect" you. He even went so far as to quote from the dictionary the definition of "protect". I countered that they do nothing but spew information. Someone has to do the analysis and research and so forth. Never **once** did I **complain** about it. For someone who claims to have "creativity", you sure lack basic reading skills. The rest of your vomit isn't worth responding to.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.504 / Virus Database: 302 - Release Date: 7/24/2003

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.504 / Virus Database: 302 - Release Date: 7/24/2003

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
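Paul's "half a million alerts" and Andy's point that the real catches came from analysing trends in allowed traffic (who is reaching the print servers) are two sides of the same triage problem. As an added example, not code from either poster, the Python below parses constructed Snort fast-format alert lines (the line layout is assumed from Snort's -A fast output; signature ids, messages and addresses are made up), rolls them up by signature, and flags clients outside a known baseline that are talking to the print servers.

```python
import re
from collections import Counter

# Layout of Snort's "-A fast" alert lines, as assumed here: timestamp, [gid:sid:rev],
# message, optional classification/priority, {proto}, src:port -> dst:port.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample alerts: signature ids, messages and addresses are made up.
SAMPLE_ALERTS = """\
07/29-14:22:01.000001  [**] [1:2000001:1] WEB-MISC printer admin page access [**] [Priority: 3] {TCP} 10.1.5.22:44812 -> 10.1.9.10:80
07/29-14:22:07.000002  [**] [1:2000001:1] WEB-MISC printer admin page access [**] [Priority: 3] {TCP} 10.1.5.22:44813 -> 10.1.9.10:80
07/29-14:25:40.000003  [**] [1:2000002:1] MISC printer display message change [**] [Priority: 2] {TCP} 192.168.77.5:51000 -> 10.1.9.10:9100
07/29-14:26:02.000004  [**] [1:2000001:1] WEB-MISC printer admin page access [**] [Priority: 3] {TCP} 192.168.77.5:51001 -> 10.1.9.11:80
07/29-14:30:15.000005  [**] [1:2000003:1] NETBIOS DCERPC bind attempt [**] [Priority: 1] {TCP} 172.16.4.9:3321 -> 10.1.2.2:135
garbage line that the parser must skip rather than crash on
"""

# Constructed asset inventory: the print servers and the hosts expected to talk to them.
PRINT_SERVERS = {"10.1.9.10", "10.1.9.11"}
KNOWN_PRINT_CLIENTS = {"10.1.5.22"}

def parse_alerts(text):
    """Parse fast-format lines into dicts; lines that do not match are dropped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            a = m.groupdict()
            a["dport"] = int(a["dport"])
            alerts.append(a)
    return alerts

def count_by_signature(alerts):
    """First triage step: collapse the alert flood into counts per signature."""
    return Counter((a["sid"], a["msg"]) for a in alerts)

def unexpected_printer_clients(alerts, servers=PRINT_SERVERS, known=KNOWN_PRINT_CLIENTS):
    """Print-server traffic is allowed by policy; report the sources outside the baseline."""
    hits = Counter()
    for a in alerts:
        if a["dst"] in servers and a["src"] not in known:
            hits[a["src"]] += 1
    return hits
```

The signature counts answer "what is noisy"; the baseline check answers "who is new", which is the kind of allowed-traffic trend the post says a human, not the sensor, has to spot.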
Current thread:
- Dcom.c - (Shutting it down on 5,000 systems) - a Paul Schmehl Post Andy Wood (Jul 29)
- RE: Dcom.c - (Shutting it down on 5,000 systems) - a Paul Schmehl Post Admin GSecur (Jul 29)
- <Possible follow-ups>
- RE: Dcom.c - (Shutting it down on 5,000 systems) - a Paul Schmehl Post Schmehl, Paul L (Jul 29)
- RE: Dcom.c - (Shutting it down on 5,000 systems) - a Paul Schmehl Post Andy Wood (Jul 29)
- RE: [inbox] RE: Dcom.c - (Shutting it down on 5,000 systems) - a Paul Schmehl Post Curt Purdy (Jul 30)
- RE: Dcom.c - (Shutting it down on 5,000 systems) - a Paul Schmehl Post Andy Wood (Jul 29)
- Re: Dcom.c - (Shutting it down on 5,000 systems) - a Paul Schmehl Post Joe Fialkowski (Jul 29)