There's a nice Nagios plugin to monitor new ports being opened using Nagios. Tossing up a Nagios instance to monitor the health of various services might not be a bad idea. With a little effort it can parse logs too, but Splunk might be a better choice here.
Sent from my iPhone

On Jul 28, 2009, at 11:45 AM, mOses <[email protected]> wrote:

> For shame for Shame!
>
> There are definitely 'defensive tools' that are lacking in some of the CTF games! The attackers are coming into this to 'win'; how come the defenders are not also preparing to win?
>
> - If you know you're being attacked from the 'network', how come there are no sensors involved? Maybe it's a time constraint that we don't have IDS? That is a real life item that should be given to defenders. IDS can also do some TCP resets and shunning, which can be valuable. While the attackers can evade IDS this may be a nice little stop gap. The question is, can you prepare ahead of time with an IDS sensor? The 'attackers' are preparing ahead of time with their tools?
> - Patching is an OK option, but yet again not 100% fool proof, right? Software will be insecure so you can't solely rely on patching.
>
> - Logging and correlated logs will be important to a blue team, but if it's not available even a basic BASE console will be enough for IDS eventing, or maybe the free Splunk platform?
>
> - There are the Sysinternals tools: Procmon, Filemon, Regmon, Process Explorer, NetMon.
> - What about things like GMER, Rootkit Revealer and other items to look for the existence of nasties?
>
> - If you are a defender in a game, maybe it would be prudent to set up tools like 'flow' analysis to look at netflow.
> - What about leveraging some scripts from Nmap? Nmap scan the network and do diffs. If you see new ports opened or listening, maybe you've been compromised!
>
> I love the conversation. The real value in these CTF games and pentests is not for the attacker all the time, the real value is in understanding how to do 'live' defense.
>
> On Jul 28, 2009, at 8:54 AM, John Strand wrote:
>
>> Please! PSW land! Share your Blue Team tactics!
>>
>> What tools, scripts, and techniques do you use as part of Incident Response and Blue Team Activities?
>>
>> I have sat in on one too many Red/Blue/CTF games where the Red team gets Core, Canvas, Metasploit, Nessus, Satan, Sara, Cain and Abel, Ettercap, Dsniff, Hydra, Ophcrack, Nmap, BT4 and various torture techniques (including IronGeek's rubber hoses) and the Blue team gets....
>>
>> "An un-patched Windows 2000 box and a slew of un-patched software!!!!!"
>>
>> Please see the following video for reference:
>>
>> http://www.youtube.com/watch?v=Y77n--Af1qo
>>
>> Yea.. That's right.... As of today the Blue Team is what you get assigned to when you are caught stuffing peas up your nose.
>>
>> This stops today!!!
>>
>> There are a few rules. Tricks and scripts must be able to run at the command line of your operating system of choice and all tools must be freeware or open source.
>>
>> That's it!!!
>>
>> Look, the Blue Team can rock!!! So please share your tricks.
>>
>> I am going to collect and add to them so we have a solid list and this will serve as the playbook for the Blues going forward.
>>
>> Be expecting this on the PDC site soon.
>>
>> strandjs
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
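The Nmap scan-and-diff check suggested in the thread (and the new-port monitoring the top reply mentions), worked through as an added example that is not code from any of the posters: it parses two constructed nmap grepable (-oG) outputs and reports ports that are open now but were not open in the baseline scan.

```python
import re

# Constructed baseline scan, as saved with "nmap -oG baseline.gnmap <range>"
BASELINE = """\
# Nmap scan initiated (constructed sample, not real output)
Host: 192.168.1.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.168.1.11 (db01)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///\tIgnored State: closed (998)
"""

# Constructed follow-up scan of the same range a day later
CURRENT = """\
# Nmap scan initiated (constructed sample, not real output)
Host: 192.168.1.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 4444/open/tcp//krb524///\tIgnored State: closed (997)
Host: 192.168.1.11 (db01)\tPorts: 22/open/tcp//ssh///, 3306/filtered/tcp//mysql///\tIgnored State: closed (998)
Host: 192.168.1.12 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
"""
HOST_RE = re.compile(r"^Host: (\S+)")


def parse_gnmap(text):
    """Return {ip: {(port, proto), ...}} holding only ports in state 'open'."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # skip comment and summary lines
        open_ports = hosts.setdefault(m.group(1), set())
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue  # e.g. the "Status: Up" field of a host line
            for entry in field[len("Ports:"):].split(","):
                # each entry: port/state/protocol/owner/service/rpc/version/
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[1] == "open":
                    open_ports.add((int(parts[0]), parts[2]))
    return hosts


def new_open_ports(baseline_text, current_text):
    """Per host, ports open now that were not open in the baseline.
    A host absent from the baseline has all its open ports reported."""
    before = parse_gnmap(baseline_text)
    after = parse_gnmap(current_text)
    added = {ip: sorted(ports - before.get(ip, set())) for ip, ports in after.items()}
    return {ip: ports for ip, ports in added.items() if ports}


if __name__ == "__main__":
    for ip, ports in sorted(new_open_ports(BASELINE, CURRENT).items()):
        print(ip, ", ".join(f"{p}/{proto}" for p, proto in ports))
```

A port that went from open to filtered (3306 on db01 above) is deliberately not flagged; only newly open listeners and newly seen hosts are.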
