WebApp Sec mailing list archives
Re: Intrusion Detection
From: "Jamie Riden" <jamesr () europe com>
Date: Tue, 11 Jul 2006 08:35:48 +1200
On 10/07/06, David Robert <david31900 () rogers com> wrote:
Hello all, I've been reading this list for some time and I can't help but notice that there is a lot of information and discussion about securing systems, but very little about how to detect if you *are* compromised.
I like to run snort on a separate box and something like tripwire if you have the time and patience to set it up and monitor it. Do try to log to a separate, dedicated box if you can. Things to watch for are 1) scanning for similar vulnerabilities from your compromised box - typically lots of attempted connections to port 80 2) connections to IRC networks from hosts that shouldn't be connecting to IRC. Snort has rules which pick up portscanning, some remote include attempts and some SQL injection attempts as well as IRC connections, so that can help with detecting the compromise itself and the aftermath. If I can just plug one of my own articles, http://www.nz-honeynet.org/papers/mambo-exploit-obfuscated.pdf , the compromise was via a remote include and the downloaded malware included a scanner for similar issues and an IRC client. No attempt was made to subvert the system, so tripwire may not tell you anything. In other cases, people have tried to use privilege escalation exploits. I agree with Ivan that logging traffic is desirable, but often the volume of traffic will make this infeasible. Btw, I have wget%20 | curl%20, etc. in my mod_security config - looking at GET and POST data. This will block most of the attacks I've seen, but may also give you an idea of people who have started off like this but moved on to more sophisticated attacks. cheers, Jamie -- Jamie Riden / jamesr () europe com / jamie.riden () computer org NZ Honeynet project - http://www.nz-honeynet.org/ ------------------------------------------------------------------------- Sponsored by: WatchfireCross-Site Scripting (XSS) is one of the most common application-level attacks that hackers use to sneak into web applications today. This whitepaper will discuss how traditional CSS attacks are performed, how to secure your site against these attacks and check if your site is protected. Cross-Site Scripting Explained - Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr --------------------------------------------------------------------------
Current thread:
- DMZ and critical data Pedro Henrique Morsch Mazzoni (Jul 08)
- Re: DMZ and critical data 蓝牙 (Jul 09)
- RE: DMZ and critical data Brian J. Bartlett (Jul 09)
- Re: DMZ and critical data Mohammad Ali Sarbanha (Jul 09)
- Intrusion Detection David Robert (Jul 09)
- Re: Intrusion Detection Ivan Ristic (Jul 10)
- Re: Intrusion Detection Jamie Riden (Jul 10)
- Re: Intrusion Detection Daniel Cid (Jul 11)
- Re: Intrusion Detection David Ryan (Jul 12)
- Re: Intrusion Detection skarvin (Jul 12)
- <Possible follow-ups>
- Re: DMZ and critical data sarbanha (Jul 09)
- Message not available
- Re: DMZ and critical data Ken Adler - QDSP, CISSP, PMP, CISA (Jul 09)
- Message not available