WebApp Sec mailing list archives
Re: Intrusion Detection
From: "Ivan Ristic" <ivan.ristic () gmail com>
Date: Mon, 10 Jul 2006 09:30:34 +0100
On 7/10/06, David Robert <david31900 () rogers com> wrote:
Hello all, I've been reading this list for some time and I can't help but notice that there is a lot of information and discussion about securing systems, but very little about how to detect if you *are* compromised.
Yes, that's my impression too.
This one of my major concerns. I can advocate all kinds of practices and procedures, but eventually someone will get through. So how can I tell? Especially if they are trying not to leave traces? Is there a few very simple, dumb things that everyone should do in this regard? If so, then I haven't heard them. If you could list them, or point me to some good resources, it would be much appreciated.
I am somewhat biased, but I have long held a view that (depending on the importance of the systems being protected - you can't always justify the additional costs) one should have an independent auditing component in addition to all protective/preventive measures that are put in place. This is because I prefer detection to prevention and believe that, in a general case, you must accept that you will fail to protect your assets. Prevention works well for automated attacks (e.g. worms) but not so well for determined attackers going after your custom web application. In ideal circumstances the auditing component would record the entire traffic stream and keep it around for several months. If you can't afford to record everything then you should selectively log transactions and sessions based on a custom policy. With this setup you get alerts in real-time, warning you about potential attacks, but you are also able to perform thorough forensic analysis and go back in time (e.g. did anyone exploit this vulnerability in the past). Now, since this is a webappsec mailing list, my discussion relates only to HTTP. For a discussion of how to do the same for the lower network layers I recommend reading "The Tao of Network Security Monitoring" by Richard Bejtlich. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall ------------------------------------------------------------------------- Sponsored by: WatchfireSecuring a web application goes far beyond testing the application using manual processes, or by using automated systems and tools. Watchfire's "Web Application Security: Automated Scanning or Manual Penetration Testing?" whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download it today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm --------------------------------------------------------------------------
Current thread:
- DMZ and critical data Pedro Henrique Morsch Mazzoni (Jul 08)
- Re: DMZ and critical data 蓝牙 (Jul 09)
- RE: DMZ and critical data Brian J. Bartlett (Jul 09)
- Re: DMZ and critical data Mohammad Ali Sarbanha (Jul 09)
- Intrusion Detection David Robert (Jul 09)
- Re: Intrusion Detection Ivan Ristic (Jul 10)
- Re: Intrusion Detection Jamie Riden (Jul 10)
- Re: Intrusion Detection Daniel Cid (Jul 11)
- Re: Intrusion Detection David Ryan (Jul 12)
- Re: Intrusion Detection skarvin (Jul 12)
- <Possible follow-ups>
- Re: DMZ and critical data sarbanha (Jul 09)
- Message not available
- Re: DMZ and critical data Ken Adler - QDSP, CISSP, PMP, CISA (Jul 09)
- Message not available