WebApp Sec mailing list archives

Re: Intrusion Detection

From: "Jamie Riden" <jamesr () europe com>
Date: Tue, 11 Jul 2006 08:35:48 +1200

On 10/07/06, David Robert <david31900 () rogers com> wrote:

Hello all,

I've been reading this list for some time and I can't help but notice that
there is a lot of information and discussion about securing systems, but
very little about how to detect if you *are* compromised.


I like to run snort on a separate box and something like tripwire if
you have the time and patience to set it up and monitor it. Do try to
log to a separate, dedicated box if you can.

Things to watch for are 1) scanning for similar vulnerabilities from
your compromised box - typically lots of attempted connections to port
80
2) connections to IRC networks from hosts that shouldn't be connecting to IRC.

Snort has rules which pick up portscanning, some remote include
attempts and some SQL injection attempts as well as IRC connections,
so that can help with detecting the compromise itself and the
aftermath.

If I can just plug one of my own articles,
http://www.nz-honeynet.org/papers/mambo-exploit-obfuscated.pdf , the
compromise was via a remote include and the downloaded malware
included a scanner for similar issues and an IRC client. No attempt
was made to subvert the system, so tripwire may not tell you anything.
In other cases, people have tried to use privilege escalation
exploits.

I agree with Ivan that logging traffic is desirable, but often the
volume of traffic will make this  infeasible.

Btw, I have wget%20 | curl%20, etc. in my mod_security config -
looking at GET and POST data. This will block most of the attacks I've
seen, but may also give you an idea of people who have started off
like this but moved on to more sophisticated attacks.

cheers,
Jamie
--
Jamie Riden / jamesr () europe com / jamie.riden () computer org
NZ Honeynet project - http://www.nz-honeynet.org/

-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-levelattacks that hackers use to sneak into web applications today. Thiswhitepaper will discuss how traditional CSS attacks are performed, how tosecure your site against these attacks and check if your site is protected.Cross-Site Scripting Explained - Download this whitepaper today!


https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------

Current thread:

DMZ and critical data Pedro Henrique Morsch Mazzoni (Jul 08)
- Re: DMZ and critical data 蓝牙 (Jul 09)
- RE: DMZ and critical data Brian J. Bartlett (Jul 09)
  - Re: DMZ and critical data Mohammad Ali Sarbanha (Jul 09)
- Intrusion Detection David Robert (Jul 09)
  - Re: Intrusion Detection Ivan Ristic (Jul 10)
  - Re: Intrusion Detection Jamie Riden (Jul 10)
  - Re: Intrusion Detection Daniel Cid (Jul 11)
    - Re: Intrusion Detection David Ryan (Jul 12)
  - Re: Intrusion Detection skarvin (Jul 12)
- <Possible follow-ups>
- Re: DMZ and critical data sarbanha (Jul 09)
  - Message not available
    - Re: DMZ and critical data Ken Adler - QDSP, CISSP, PMP, CISA (Jul 09)