WebApp Sec mailing list archives

RE: Intrusion Detection


From: <Jeremy_Powell () sbcss k12 ca us>
Date: Mon, 10 Jul 2006 10:31:43 -0700

Post-compromise detection, especially if the compromiser is employing rootkit-type
functionality, can be almost impossible from the compromised system
itself as long as it is still running the compromised system software.
Frequently, you will have to boot from a forensics-based system to assess the
state of a suspect system.  Determining that a system is suspect and in need
of such treatment is equally difficult, but frequently the compromiser will
use the compromised system to go after bigger fish or to distribute software
or run some unexpected server functionality.  Some tools we have found useful
in noticing computers doing both legitimate and illegitimate unexpected
things include:

1) Regular or automated log management and analysis
2) Flow capture and analysis, such as with ipcad and the flow-tools from
splintered.net
3) An internal intrusion detection system is helpful in observing the spread
of a compromise that either made it unnoticed into the organization or began
internally and was targeted internally.
4) Vulnerability scanners such as Nessus often turn up unexpected
functionality on a system that is either compromise, misconfiguration, or
ignorance.

Here are some URLs:

http://lionet.info/ipcad/
http://www.splintered.net/sw/flow-tools/
http://www.nessus.org
http://www.frozentech.com/content/livecd.php?pick=All&sort=&showonly=forensics

I know my list is decidedly UN*X based; you can find Windows-based tools as
well.

Jeremy Powell
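The reply above makes the point that once a host may be rootkitted, the useful signal is what it does on the wire (serving something new, or sweeping other machines) rather than anything it reports about itself. The following is an added example, not code from the original post and not the output format of ipcad or flow-tools: a small Python script that runs two such checks over flow records. The CSV column layout, the internal address range, the per-host baseline of expected services, the thresholds, and every address and port are assumptions constructed for illustration. The first check flags internal hosts holding real TCP conversations on ports they are not supposed to serve, ignoring one-packet probes of closed ports; the second flags hosts initiating connections to many distinct destinations, while skipping a legitimate server's reply flows so a busy web server is not mistaken for a scanner.

```python
"""Spot internal hosts doing something new, from flow records alone.

Added example for this thread, not the original poster's code.  All flows,
addresses, ports and the baseline below are CONSTRUCTED; the CSV layout is an
assumption, not the native format of ipcad or flow-tools.
"""
import csv
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.1.0/24")   # assumption: our address space

# Assumption: the TCP ports each internal host is supposed to serve.
# A host missing from this table is treated as serving nothing.
BASELINE_SERVICES = {
    "10.0.1.10": {22, 80, 443},   # web server
    "10.0.1.20": {22, 25},        # mail relay
    "10.0.1.30": set(),           # workstation, should serve nothing
}

MIN_SESSION_PKTS = 5   # fewer packets than this is a probe, not a conversation
SCAN_FANOUT = 10       # distinct destinations from one host before we call it a scan

# Constructed sample flows (one direction per record, as flow exporters emit).
SAMPLE_FLOWS = [
    "start,src,sport,dst,dport,proto,pkts,bytes",
    "1152551000,203.0.113.5,51020,10.0.1.10,443,tcp,40,30210",   # normal HTTPS
    "1152551001,203.0.113.9,40222,10.0.1.10,80,tcp,12,8100",     # normal HTTP
    "1152551002,203.0.113.9,40223,10.0.1.10,8080,tcp,1,60",      # probe of a closed port
    "1152551003,198.51.100.7,55000,10.0.1.30,6667,tcp,35,4400",  # workstation serving 6667?
    "1152551004,198.51.100.8,55001,10.0.1.30,6667,tcp,30,3900",
    "1152551005,10.0.1.10,80,203.0.113.9,40222,tcp,10,7000",     # reply half of the HTTP flow
]
# The same workstation then sweeps port 445 across another network, one packet each.
SAMPLE_FLOWS += [
    f"{1152551010 + i},10.0.1.30,{40000 + i},192.0.2.{i + 1},445,tcp,1,60"
    for i in range(12)
]


def parse_flows(lines):
    """Parse CSV flow records into dicts with typed fields."""
    flows = []
    for row in csv.DictReader(lines):
        flows.append({
            "start": int(row["start"]),
            "src": row["src"], "sport": int(row["sport"]),
            "dst": row["dst"], "dport": int(row["dport"]),
            "proto": row["proto"],
            "pkts": int(row["pkts"]), "bytes": int(row["bytes"]),
        })
    return flows


def is_internal(addr):
    return ip_address(addr) in INTERNAL


def unexpected_listeners(flows, baseline=BASELINE_SERVICES):
    """Internal hosts holding real TCP conversations on ports outside their
    baseline.  Returns {host: {port: flow_count}}."""
    found = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["proto"] != "tcp" or not is_internal(f["dst"]) or is_internal(f["src"]):
            continue
        if f["pkts"] < MIN_SESSION_PKTS:   # a SYN to a closed port proves nothing
            continue
        if f["dport"] not in baseline.get(f["dst"], set()):
            found[f["dst"]][f["dport"]] += 1
    return {host: dict(ports) for host, ports in found.items()}


def scanners(flows, baseline=BASELINE_SERVICES, fanout=SCAN_FANOUT):
    """Internal hosts initiating connections to many distinct (dst, port)
    pairs.  Returns {host: distinct_target_count} for hosts over the threshold."""
    targets = defaultdict(set)
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        # Replies from a legitimate service fan out too: skip flows the host
        # sent from one of its own baseline service ports.
        if f["sport"] in baseline.get(f["src"], set()):
            continue
        targets[f["src"]].add((f["dst"], f["dport"]))
    return {host: len(t) for host, t in targets.items() if len(t) >= fanout}


def report(lines=SAMPLE_FLOWS):
    """Run both checks over a list of CSV lines (header first)."""
    flows = parse_flows(lines)
    return {"listeners": unexpected_listeners(flows), "scanners": scanners(flows)}


if __name__ == "__main__":
    for kind, hits in report().items():
        print(kind, hits)
```

On the constructed data the workstation 10.0.1.30 is reported twice: as an unexpected listener on 6667 (two completed sessions) and as a scanner (12 distinct targets on 445), while the web server's probed port 8080 and its reply flows from port 80 are not flagged. Against real exporter output the baseline table is the part that needs maintaining; everything else is a threshold.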



-----Original Message-----
From: David Robert [mailto:david31900 () rogers com] 
Sent: Sunday, July 09, 2006 7:46 PM
To: webappsec () securityfocus com
Subject: Intrusion Detection

Hello all,

I've been reading this list for some time and I can't help 
but notice that there is a lot of information and discussion 
about securing systems, but very little about how to detect 
if you *are* compromised.

This one of my major concerns.  I can advocate all kinds of 
practices and procedures, but eventually someone will get 
through.  So how can I tell?
Especially if they are trying not to leave traces?

Is there a few very simple, dumb things that everyone should 
do in this regard?  If so, then I haven't heard them.  If you 
could list them, or point me to some good resources, it would 
be much appreciated.

Thanks,

