IDS mailing list archives
RE: Tools to help incident response
From: "Mark Brunner" <mark_brunner () hotmail com>
Date: Fri, 13 Oct 2006 19:49:30 -0400
Johnny, You may want to consider a pro-active approach as a long-term control. Something life WebSense, which plugs into your firewall and identifes traffic by type, protocol, port and content. I have used it successfully at several client locations. We typically used it to first identify P2P users, generate reports showing bandwidth usage, and then captured some of the material to show liability. Management autorized the blocking once false positives were ruled out repeatedly. It's modular and does much more than P2P. Worth a look. If you already have an IDS, you could use that to detect, and if it has IPS capabilities, block the traffic. Firewall is also a great chokepoint, as are caching proxy servers. Useful Links: Identifying P2P users using traffic analysis http://www.securityfocus.com/infocus/1843 P2P Detection Methodology Paper: http://portal.acm.org/citation.cfm?id=1090948.1091375 Snort Forum article: http://www.snort.org/archive-3-409.html Cheers! Mark -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]On Behalf Of Johnny Wong Sent: Thursday, October 12, 2006 9:30 PM To: focus-ids () securityfocus com Subject: Tools to help incident response Hello, I am part of the incident response team in my organization. Part of our daily task is to respond the virus/worm incidents by remote scanning the suspected machines. We have been using Stinger.exe from McAfee to do this. The pros of using Stinger are (1) it's lightweight, (2) it's command-line executed hence I could use Psexec with it. However, Stinger.exe hasn't been updated since May 06, and we have encountered situations where it failed to detect newer worm variants. Can anyone point me to other lightweight virus/worm scanners out there? Secondly, we have been having problems with P2P software running in our networks. Time and again we have to use network logs to trace P2P-enabled machines and tell the owners of these machines to uninstall the offending software. Is there a scanning tool out there that can detect the presence of P2P software on a machine? Thank you all, J Wong Singapore ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in tro_sfw to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- Tools to help incident response Johnny Wong (Oct 13)
- RE: Tools to help incident response Mark Brunner (Oct 16)
- Re: Tools to help incident response Ron Gula (Oct 16)
- <Possible follow-ups>
- RE: Tools to help incident response Chris Brown (Oct 16)