RE: Security Central Consoles
David,

A number of products on the market do what you're describing: NetForensics, E-Security, and of course neuSECURE (marketing plug). I would encourage you to take a look at my white paper on the Guarded.Net website; it talks about the different types of correlation and what is to come. If you would like, I'll be glad to send you my slides from this year's presentation at Black Hat (August 2002) on correlation.

Matthew F. Caldwell, CISSP
Chief Security Officer
Guarded Net Inc.
www.guarded.net

-Original Message-
From: Rivera Alonso, David [mailto:drivera;iberdrola.es]
Sent: Thursday, October 24, 2002 11:50 AM
To: [EMAIL PROTECTED]
Subject: Security Central Consoles

Dear friends,

I'm working on a report about existing Central Consoles that can gather and centralize security information and alerts in a company network (IDS alerts, firewall logs...). I mean, they are supposed to correlate all the events and signals and give exact alerts to the operator watching the console. Can you point me to the best products out there?

Many thanks,
DAVID
RE: Wireless LAN question
You can do what you're trying to do, but you might have to create some of your own code. For true directional finding (DF'ing) you would need a receiver and a Doppler DF system that can receive at 2.4 GHz (aka the wireless card for the receiver). NetStumbler allows you to view client accesses. With the bearing information you obtain from the Doppler DF system, you can then use the GPS coordinates you acquired while receiving the signal to triangulate the intruder. This would have to be integrated into one system (aka Linux), if you ask me, to be in some sort of real-time fashion.

Example Doppler: http://www.silcom.com/~pelican2/MINI_CIRCUIT.html

Matthew F. Caldwell, CISSP
Chief Security Officer
GuardedNet, Inc

-Original Message-
From: Beverstock, David [mailto:[EMAIL PROTECTED]]
Sent: Mon 7/1/2002 9:59 AM
To: 'David Laganière'; [EMAIL PROTECTED]
Cc:
Subject: RE: Wireless LAN question

David,

GPS is a passive device; it only listens for timing signals from satellites, it doesn't transmit. You are left with the wireless NIC, which does transmit. I know work has been done to roughly triangulate a cell phone user's position based on signal strength received at 3-4 cell towers (I believe to fulfill upcoming 911 legislation). It seems to me you would need 3-4 access points, but could do the same thing with 802.11. But somehow I don't think this model translates well to the real world.

I know with the Lucent/Agere Orinoco Windows drivers there is a very nice signal strength indicator in the client manager (along with MAC addresses). You could get a directional 2.4 GHz antenna (http://www.andrew.com/catalog38/Results.aspx?SearchType=1KeyWord=KeyWordSearchMethod=BEGINWITHCatalogSectionID=17), and just turn it slowly and watch the signal increase and decrease (similar to what wildlife biologists do to track large mammals), and roughly locate the user that way.

http://nocat.net/ might also be a solution for you to look at.
Cheers,
Dave

-Original Message-
From: David Laganière [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 28, 2002 10:05 AM
To: [EMAIL PROTECTED]
Subject: Wireless LAN question

Hi!

Say an intruder connects himself to my wireless LAN; is there a way, with a GPS and its signal, to know where he is physically? Where can I get more documentation on that?

Thanks.

--
David Laganière
Network/System Administrator
www: http://www.securinet.qc.ca/
email: [EMAIL PROTECTED]
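Added example, not part of the thread and not code from any of the posters: the last step Matt describes above, turning the bearings read off a DF antenna and the GPS position where each bearing was taken into an estimated location for the intruding client. It uses a flat east/north grid around the first observation instead of geodesic maths (fine over a few hundred metres), and the observer positions and target used in demo_fix() are constructed for illustration.

```python
"""Bearing-line intersection for locating a wireless client (added example).

Each observation is (latitude, longitude, compass bearing) taken at a GPS
position while the client was being received. The fix is the point closest,
in the least-squares sense, to all the bearing lines. Assumptions: a local
flat grid is accurate enough, and the bearings come from a DF system whose
error is small compared with the distance between observation points."""
import math

EARTH_RADIUS_M = 6371000.0


def _to_local(lat, lon, ref):
    """Project (lat, lon) to metres east/north of the reference point."""
    lat0, lon0 = ref
    x = math.radians(lon - lon0) * math.cos(math.radians(lat0)) * EARTH_RADIUS_M
    y = math.radians(lat - lat0) * EARTH_RADIUS_M
    return x, y


def _from_local(x, y, ref):
    lat0, lon0 = ref
    lat = lat0 + math.degrees(y / EARTH_RADIUS_M)
    lon = lon0 + math.degrees(x / (EARTH_RADIUS_M * math.cos(math.radians(lat0))))
    return lat, lon


def bearing_to(obs_lat, obs_lon, tgt_lat, tgt_lon):
    """Compass bearing (degrees clockwise from north) from an observer to a target.
    Used here only to construct test observations from a known target."""
    x, y = _to_local(tgt_lat, tgt_lon, (obs_lat, obs_lon))
    return math.degrees(math.atan2(x, y)) % 360.0


def fix_from_bearings(observations, min_det=1e-6):
    """Least-squares intersection of bearing lines.

    observations: list of (lat, lon, bearing_deg) taken at GPS positions.
    Each bearing defines a line o + t*d; the point minimising the summed
    squared perpendicular distance to all lines solves
        sum(I - d d^T) p = sum(I - d d^T) o.
    Raises ValueError when the bearings are (nearly) parallel, i.e. the
    operator has not moved far enough between readings to get a usable fix."""
    if len(observations) < 2:
        raise ValueError("need at least two bearings")
    ref = observations[0][:2]
    a11 = a12 = a22 = b1 = b2 = 0.0
    for lat, lon, bearing in observations:
        ox, oy = _to_local(lat, lon, ref)
        th = math.radians(bearing)
        dx, dy = math.sin(th), math.cos(th)          # unit vector along the bearing
        m11, m12, m22 = 1.0 - dx * dx, -dx * dy, 1.0 - dy * dy   # M = I - d d^T
        a11 += m11
        a12 += m12
        a22 += m22
        b1 += m11 * ox + m12 * oy
        b2 += m12 * ox + m22 * oy
    det = a11 * a22 - a12 * a12
    if abs(det) < min_det:
        raise ValueError("bearings are nearly parallel; no usable fix")
    px = (a22 * b1 - a12 * b2) / det
    py = (a11 * b2 - a12 * b1) / det
    return _from_local(px, py, ref)


def demo_fix():
    """Constructed scenario: three readings taken while walking around a
    client whose true position we know, so the fix can be checked."""
    target = (45.0008, -121.9995)
    observers = [(45.0, -122.0), (45.001, -121.998), (45.0015, -122.001)]
    observations = [(la, lo, bearing_to(la, lo, *target)) for la, lo in observers]
    return fix_from_bearings(observations), target


if __name__ == "__main__":
    print(demo_fix())
```

Two readings taken from nearly the same spot give almost parallel lines and a useless, wildly uncertain fix; that is what the determinant check catches, and in practice it is the reason to take the readings from well separated points rather than by turning the antenna in one place.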
RE: Reacting to IDS alerts
My thought is that you don't want your IDS to do this type of analysis; instead you do the analysis and response at a higher level (threat analysis/correlation) in order to be more accurate. The problem with current IDS responses to particular events is selectivity and the lack of filtering. By the reduction of false positives and prioritization of incidents at a higher level, you can create a better and more accurate response. GuardedNet has created an application that does this for you, and enables you to respond via OPSEC and a number of other sources. It also maintains a whois database with latitude and longitude plot points so you can see where the attacks are coming from, and a built-in ticketing system for handling the incidents.

Matthew F. Caldwell, CISSP
Chief Security Officer
GuardedNet, Inc

-Original Message-
From: Jay D. Dyson [mailto:[EMAIL PROTECTED]]
Sent: Wed 5/29/2002 6:32 PM
To: Security-Basics List
Cc:
Subject: Re: Reacting to IDS alerts

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, 29 May 2002, JM wrote:

> Basically, we are currently receiving an ever increasing number of intrusion attempts (isn't everyone) and would like to automate a reaction to these attempts.

I need a little clarification here: by intrusion attempts, do you mean portscans or actual attempts to breach a specific service (such as a Nimda attempt)? Putting a finer point on this will help me better answer your request.

> Firstly, I would like to inform the owner of the address space which the attack has come from that this is happening. Secondly, I would like to report this address space for permitting this activity.

This is largely do-able, since the core of a utility I wrote does precisely this. However, I've noted that there is a certain amount of data rot with which one must contend in the ARIN, APNIC and RIPE databases. This can be either incorrect or outdated netblock assignment information or bogus e-mail contact addresses.

> Basically the way I see it so far is to take the alerts that are generated by the IDS, in a mail format, using some sort of script from that alert, extract the source address, do a whois on that source address, then find the admin and technical contacts for that address space from the whois and mail them a copy of the alert (confidential data removed) along with a warning that the information has been passed to the relevant authorities.

Early Bird does this, albeit its exclusive focus is on web-based worm attacks. You could probably adapt its code to suit your purpose. (http://www.treachery.net/earlybird/)

> Trouble is, who are the relevant authorities. And are they likely to take any action.

Law enforcement agencies (LEAs) don't take e-mail notifications of intrusion attempts seriously. If they did, they'd be scrambling every which way 'til Sunday handling them...and they aren't. Even the FBI won't touch a network intrusion case (actual or attempted) unless there's at least $5,000 in confirmed losses or unless the aggrieved party has some massive political influence. For all they care, Usama bin Laden himself could be portscanning you to oblivion and they wouldn't so much as bother to open a case file on the incident. That's just the way the ball bounces.

- -Jay

There's always time for a good cup of coffee.
Jay D. Dyson -- [EMAIL PROTECTED]
Because it is bitter...and because it is my heart.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE89VcFGI2IHblM+8ERApzCAKCXhvpgNa8MSpeK4KpFOqqrEigwIgCfVHoD
DnVfrFqHA4v25x1MvDQyfAo=
=0zaO
-END PGP SIGNATURE-
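Added example, not part of the thread and not Early Bird's or anyone else's code: the alert, source address, whois contact, notification chain JM sketches, with Jay's "data rot" warning built in. Contacts that cannot even be a deliverable mailbox are dropped, our own addresses are redacted before the alert leaves, and sources nobody's registry record covers (RFC 1918, loopback and so on) are never reported. The alert line, the whois answer, the internal address range and the contact addresses are all constructed for illustration; the actual registry query is left out so it runs offline.

```python
"""IDS alert -> whois contacts -> abuse notification (added example).

Assumptions: alerts arrive as one-line Snort-style "fast" text, the whois
answer is ARIN-style "OrgXxxEmail:" lines, and the registry lookup itself
(replaced here by a constant) would be done by a real whois client."""
import ipaddress
import re

# Constructed one-line alert; not a real event (RFC 5737 addresses).
SAMPLE_ALERT = (
    "05/29-18:32:11.123456 [**] [1:1002:5] WEB-IIS cmd.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} "
    "198.51.100.23:4412 -> 192.0.2.10:80"
)

# Constructed whois answer for the source netblock. The admin contact is the
# kind of stale record that must not receive mail.
SAMPLE_WHOIS = """\
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
OrgName:        Example ISP
OrgAbuseEmail:  abuse@example.net
OrgTechEmail:   noc@example.net
OrgAdminEmail:  hostmaster@example
"""

# Our own address space (constructed); removed from anything we send out.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Sources that can never belong to a third party's netblock.
SKIP_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")
CONTACT_RE = re.compile(r"^(?P<role>\S*(?:Abuse|Tech|Admin)\S*):\s*(?P<addr>\S+)\s*$", re.M)
MAILBOX_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_alert(text):
    m = ALERT_RE.search(text)
    if not m:
        raise ValueError("unrecognised alert format")
    fields = m.groupdict()
    fields["sport"], fields["dport"] = int(fields["sport"]), int(fields["dport"])
    return fields


def is_reportable(src):
    """False for sources no registry contact is responsible for."""
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in SKIP_NETS)


def extract_contacts(whois_text):
    """(role, address) pairs from a whois answer, abuse mailbox first,
    dropping anything that is not even syntactically a deliverable address."""
    found = [(m.group("role"), m.group("addr")) for m in CONTACT_RE.finditer(whois_text)
             if MAILBOX_RE.match(m.group("addr"))]
    return sorted(found, key=lambda ra: 0 if "abuse" in ra[0].lower() else 1)


def redact(text, internal_nets=INTERNAL_NETS):
    """Replace our own addresses with a placeholder before the text leaves."""
    def hide(m):
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:
            return m.group(0)
        return "[internal host]" if any(ip in n for n in internal_nets) else m.group(0)
    return IPV4_RE.sub(hide, text)


def build_notification(alert_text, whois_text):
    """Return the message to send, or None when there is nothing safe to send."""
    alert = parse_alert(alert_text)
    if not is_reportable(alert["src"]):
        return None
    contacts = extract_contacts(whois_text)
    if not contacts:
        return None   # nobody plausible to tell; keep it in the local ticket instead
    body = ("The following activity from your address space was recorded by our IDS.\n"
            "Source: %s\nSignature: %s (sid %s)\n\n%s\n"
            % (alert["src"], alert["msg"], alert["sid"], redact(alert_text)))
    return {"to": [addr for _, addr in contacts],
            "subject": "Abuse report: %s from %s" % (alert["msg"], alert["src"]),
            "body": body}


def demo():
    return build_notification(SAMPLE_ALERT, SAMPLE_WHOIS)


if __name__ == "__main__":
    print(demo())
```

Whatever you bolt on after this, rate-limit it per netblock and never feed it portscan alerts one by one: a script that mails abuse@ for every scanner hit is itself the nuisance the contact will complain about.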
RE: Good CP Log viewer
Depending on how you want to get the log data off, you can do it with a native conduit. For example, Check Point uses the OPSEC LEA API to allow you to move data. I would recommend using a product like my company offers that does log correlation and threat analysis. We interface with Check Point via OPSEC, which can be a secure communications protocol, and the interface is web based so you can view the logs from anywhere.

Matthew F. Caldwell, CISSP
Chief Security Officer
GuardedNet, Inc.
http://www.guarded.net

-Original Message-
From: Dustin Howard [mailto:[EMAIL PROTECTED]]
Sent: Mon 5/20/2002 6:42 PM
To: [EMAIL PROTECTED]
Cc:
Subject: Good CP Log viewer

Anyone know of a good 3rd party viewer to view Check Point FW-1 logs? I have a cron job every night to tar, then FTP, my logs to a logging server. I want the capability to have a viewer to view the logs without using CPU and memory from the FW itself. Any thoughts?
RE: RE : Log Help
If you want a product that does consolidation and correlation, and anomaly detection plus threat analysis, take a look at our product called neuSECURE. It's the only threat analysis product on the market. Here is my previous email from the IDS forum on the subject of threat analysis.

-Original Message-
From: Matthew F. Caldwell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 09, 2002 5:00 PM
To: Bobby, Paul; [EMAIL PROTECTED]
Subject: RE: Threat Analysis - Papers, Studies, Software etc

Paul,

The issue you bring up is one that many of us are trying to reconcile. My position, and that of my company, is that both correlation and statistical anomaly detection are merely pieces of a larger threat analysis process. Threat analysis requires both a human element and an automated element. The automated aspect should start with correlated data (providing it is accurate), that is then analyzed using a number of other variables such as prioritization and validity of the threat, anomaly detection data (behavior etc.), vulnerability information, perspective of the attack and a number of other variables that improve accuracy and completeness.

Much of the confusion comes from vendors who imply that correlation (BUZZWORD) is threat analysis, when that is really not the case. Correlation is simply the process of defining relationships between data sets and does not provide the prioritization that threat analysis does. It doesn't provide the information that an analyst needs to make good judgments.

Vendor Hat - GuardedNet has created a product called neuSECURE that automates much of the threat analysis process and allows an analyst to get a comprehensive view of the company's security posture. The application was designed by 3 CISSPs (and GIACs) with a sound background in security ops.

Matthew F. Caldwell, CISSP
Chief Security Officer
GuardedNet, Inc
The home of neuSECURE.
-Original Message-
From: Nicolas Villatte [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 15, 2002 2:22 AM
To: 'Matt'; [EMAIL PROTECTED]
Subject: RE : Log Help

NetIQ seems to be the product you are looking for; it allows consolidation and correlation of Windows NT/2k logs, Unix (Red Hat and Solaris) syslogs, ISS RealSecure, Check Point Firewall-1 and even routers/switches.

Best regards,
Nicolas.

-Original Message-
From: Matt [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 20:25
To: [EMAIL PROTECTED]
Subject: Log Help

Hi Everyone,

I was wondering if there were some suggestions on utilities to monitor logs, and if anyone has used them? I'm looking for an assistant to help me with my log reading. I know logs are important and that if I don't read them I am setting myself up for trouble in many ways, security-wise or otherwise. The problem I have is there are so darn many of them, and being basically a lazy person I want to get the computer to help me sort them all and monitor them all. I hate having to hunt down logs scattered all over the place, and admittedly Linux is tons better than other operating systems I have used, but it's still a pain for me.

Can I scan my logs for keywords and have the bot email me if it picks up pre-designated phrases or code words? Can I have a bot take predetermined actions based on log entries? I want to shift the burden a little bit onto the computer and give me more time to think rather than react.

Any help, thoughts, comments, suggestions are appreciated.

Thanks,
Matt
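Added example, not part of the thread and not NetIQ's or neuSECURE's code: the "bot" Matt asks for, as a small rule engine that scans log lines for patterns, counts hits per source (or per user), and dispatches a predetermined action once a threshold is reached, so that three failed SSH logins from one host get a mail and a block while one does not. The syslog excerpt, the rules and the action handlers are constructed for illustration; a real deployment would tail the files and replace the stub handlers with mail and firewall calls.

```python
"""Threshold-based log watcher with pluggable actions (added example).

Assumptions: lines are standard syslog text; each rule supplies a regex with
a "key" group naming what to count per (source address, user, ...). The
action methods only record what they would have done."""
import re
from collections import defaultdict

# Constructed syslog excerpt (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
May 14 20:25:01 gw sshd[1022]: Failed password for root from 203.0.113.7 port 40122 ssh2
May 14 20:25:03 gw sshd[1022]: Failed password for root from 203.0.113.7 port 40123 ssh2
May 14 20:25:04 gw sshd[1022]: Failed password for admin from 203.0.113.7 port 40124 ssh2
May 14 20:25:09 gw sshd[1030]: Accepted publickey for matt from 192.0.2.5 port 51000 ssh2
May 14 20:26:40 gw kernel: Firewall: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP DPT=23
May 14 20:27:02 gw su[1100]: FAILED SU (to root) matt on /dev/pts/1
"""

# (name, pattern with a "key" group, hits needed before acting, actions)
RULES = [
    ("ssh-bruteforce",
     re.compile(r"sshd\[\d+\]: Failed password for \S+ from (?P<key>[\d.]+)"),
     3, ("mail", "block")),
    ("telnet-probe",
     re.compile(r"Firewall: DROP .*SRC=(?P<key>[\d.]+) .*DPT=23\b"),
     1, ("mail",)),
    ("su-failure",
     re.compile(r"FAILED SU \(to root\) (?P<key>\S+)"),
     1, ("mail", "page")),
]


class Watcher:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.counts = defaultdict(int)   # (rule, key) -> hits seen so far
        self.alerts = []                 # what fired, in order
        self.outbox = []                 # "sent" mail (stub)
        self.blocked = set()             # sources handed to the firewall (stub)
        self.pages = []                  # on-call pages (stub)

    # Action handlers: stubs that record instead of mailing / blocking.
    def _mail(self, alert):
        self.outbox.append("[%s] %d hit(s) from %s: %s"
                           % (alert["rule"], alert["count"], alert["key"], alert["line"]))

    def _block(self, alert):
        self.blocked.add(alert["key"])

    def _page(self, alert):
        self.pages.append(alert["rule"])

    def process(self, line):
        """Match one line against every rule; a rule fires exactly once per
        key, at the moment its threshold is reached."""
        for name, pattern, threshold, actions in self.rules:
            m = pattern.search(line)
            if not m:
                continue
            key = m.group("key")
            self.counts[(name, key)] += 1
            if self.counts[(name, key)] == threshold:
                alert = {"rule": name, "key": key, "count": threshold, "line": line.strip()}
                self.alerts.append(alert)
                for action in actions:
                    getattr(self, "_" + action)(alert)

    def feed(self, text):
        for line in text.splitlines():
            if line.strip():
                self.process(line)
        return self


def run_demo():
    return Watcher().feed(SAMPLE_LOG)


if __name__ == "__main__":
    w = run_demo()
    print("\n".join(w.outbox))
    print("blocked:", sorted(w.blocked), "paged:", w.pages)
```

The counters here never expire, which is fine for a nightly batch run but not for a long-running tail; add a time window per key before wiring the "block" action to a real firewall, or a slow scan over a week will eventually block whoever you count.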
RE: sam spade like software
If you're looking for something like Sam Spade but that does it with all of your logs, from firewalls to IDSs, in real time, check out guarded.net; we have a product that combines all those utilities plus a lot more. The product is called neuSECURE.

Matthew F. Caldwell, CISSP
Chief Security Officer
GuardedNet, Inc.
http://www.guarded.net

-Original Message-
From: Will Munkara-Kerr [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 12, 2002 9:35 PM
To: Security Basics (E-mail)
Subject: sam spade like software

While we're on the topic, anyone know of Sam Spade-like software on the Linux/*BSD platform?

Thanks in advance,
./will

will munkara-kerr
will @ cs.nsw.gov.au
ss1 @ hushmail.com
Central Sydney Area Health Services

This message is intended for the addressee named and may contain confidential information. If you are not the intended recipient, please destroy it and notify the sender. Views expressed in this message are those of the individual sender, and are not necessarily the views of the Central Sydney Area Health Service.
RE: Session Hijacking
Not necessarily true; compromise is a relative term in this case. For instance, any of the following could happen:

A. Any router in between the two communicating hosts could be compromised.
B. Routing protocol compromise that would allow sniffing of one-way traffic (default route/RIP/OSPF/BGP, etc.).
C. DNS cache poisoning that redirects the attack to another host, allowing for MITM.

Matthew F. Caldwell, CISSP
[EMAIL PROTECTED]

-Original Message-
From: Muhammad Faisal Rauf Danka [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 24, 2002 6:03 PM
To: Thad Horak; [EMAIL PROTECTED]
Subject: Re: Session Hijacking

Your fundamentals are right. Attacker A has to compromise some host in host B's network in Ohio or at host C's network in Florida in order to conduct a MITM attack.

Regards,
Muhammad Faisal Rauf Danka
Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
voice: 92-021-111-GEMNET

Great is the Art of beginning, but Greater is the Art of ending.

--BEGIN GEEK CODE BLOCK
Version: 3.1
GCS/CM/P/TW d- s: !a C++ B@ L$ S$ U+++ P+ L+++ E--- W+ N+ o+ K- w-- O- PS PE- Y- PGP+ t+ X R tv+ b++ DI+ D G e++ h! r+ y+
--END GEEK CODE BLOCK--

--- Thad Horak [EMAIL PROTECTED] wrote:

All,

A peer recently told me that a network topology consisting of internal servers routing traffic through a firewall to the internet was a security hole, since the session could either be hijacked or be hacked using a MITM technique.

Example: Internal_server -- PIX NAT -- Internet partner

I understand the fundamentals behind hijacking and MITM attacks, but it would seem to me that the only way that an attacker could pull off this type of an attack would be to compromise a host on the same switch/hub that the firewall is on. Is this a correct assumption? Can attacker A in California hijack User B in Ohio shopping on Site C in Florida without compromising some key piece of equipment in between B and C first?

My apologies for the long-winded question.
Thanks in advance for your insight.

Thad
RE: Political Challenges Using Nessus
-Original Message-
From: tony toni [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 12, 2002 2:44 PM
To: [EMAIL PROTECTED]
Subject: Political Challenges Using Nessus

> Folks,
>
> I am currently experimenting with Nessus. I also have a spreadsheet of all IP addresses that our company uses (about 10,000) and it has a detailed description of each IP address. As you can appreciate, a hacker would love to have this spreadsheet.
>
> My situation...
>
> I currently work in the Security Group and I *sort of* have approval to run Nessus to perform vulnerability assessments. This is a new responsibility that is being forced upon my director. He assigned me this project but has little interest in what I am doing, is a moron about security issues, and will be the first person to stab me in the back if anything goes wrong. However, he is also putting a lot of pressure on me to do the assessments and produce reports so he can look good to his VP.

If he is pressuring you, pressure him for using the tool; tell him you can't produce without using the tool. If you don't have approval (get it in writing), don't do it.

> My next challenge is the Manager of the Server and Network Group. He is very territorial and is not responding to my requests for partnering with him while I run Nessus. He does not want audits done on his servers/firewall/routers. I think he is either afraid of what I will find out or I will cause some damage. He is also a moron on security issues.

Don't worry about this guy; let him keep his production attitude. Things will happen: you will hit that unpatched 1980's VAX system and it will crash. So be prepared to explain your testing methodology. Another reason for sign-off from your supervisor.

> My problem...
>
> I am not sure if I can trust either my Director or the Manager of Network/Servers if I start running Nessus. Both have a keen sense of corporate politics and only look out for themselves. My manager wants results... but then he offers no support and will *nail* me hard if I make any mistakes.

Don't make mistakes, and CYA.

> I have been a *bad boy* of late and have been running Nessus on several production servers without telling anyone. Found lots of security weaknesses. None of the system admins are aware that I have run these tests (must not be looking at their logs). I want to continue running Nessus on switches, routers, firewalls and more servers. I want to really build a case for using Nessus and all of the security problems this company has.

Yeah, welcome to security auditing :) Stop running the scans on systems you're not responsible for without sign-off.

> This is my question...
>
> 1) What are the political risks I may incur if I run Nessus without formal approval? In other words, running Nessus against any IP address I want and without telling anyone what I am doing? I am afraid that if I list the IP's I want to go against... I will run into a bunch of political road blocks. I want to impress everyone that I can successfully run Nessus and not hurt anything and everyone will say great job. On the other hand... this could back fire on me and I could get *nailed* for doing these audits in the *stealth* mode.

Start small... it will be much easier to start small, and you will be able to fix the critical problems. First, test on non-critical systems, then move on to the most critical to get larger impact. You're not doing an audit, you're assessing vulnerabilities; people hate audits, don't use that term.

> 2) From a technical viewpoint... can I run Nessus against a switch, router, firewall and not worry about bringing these devices down? Currently, I use the option "disable all dangerous plug-ins" so I feel I am using it safely.

2% of the systems might crash. I have seen Cisco routers (running an old IOS) be brought down by CyberCop doing a portscan. CyberCop is a tool similar to Nessus.

> I am sure that others on this list have had the same sort of political challenges. I am impatient... I hate politics... I know I can pull this off. Problem is management is getting in my way. What are your answers to my questions?
>
> Tony
> Security Project Lead
> Major Financial Institution on West Coast

Matthew F. Caldwell, CISSP
Chief Security Officer
GuardedNet, Inc.
RE: IDS that retaliates.
It depends on your definition of "strike back". Most IDSs on the market can actively reset TCP sessions when a signature matches; some can launch firewall blocking. These are non-offensive responses that are legal. However, I would caution against this type of activity due to high false positive rates. You could use higher-level correlated/threat-analyzed data that eliminates such false positives, such as neuSECURE :)

matt

-Original Message-
From: Ralph Los [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 05, 2002 2:47 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: IDS that retaliates.

I can't speak for too many options, but Secure Computing has a product that USED to do that, until it became illegal. (If I'm not mistaken, and I might be, SideWinder did something of the nature, or maybe the complementary IDS?)

Cheers,
Ralph M. Los
Sr. Security Consultant and Trainer
EnterEdge Technology, L.L.C.
[EMAIL PROTECTED]
(770) 955-9899 x.206

::-Original Message-
::From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
::Sent: Tuesday, March 05, 2002 12:23 PM
::To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
::Subject: IDS that retaliates.
::
::Hi
::
::I read a long time ago that some government agency in the US was working on an IDS that could retaliate. I wonder if someone has any information on any IDS that does that, or any ideas on how to make an IDS that, in return for an event, triggers different security measures.
::
::Thankful for all replies.
::
::Regards
::Charles
::-
::Charles Skoglund, OM AB (Norrlandsgatan 31)
::SE-105 78 Stockholm
::Email: [EMAIL PROTECTED]
::Phone: +46 (0)8 405 64 90
::Mobile: +46 (0)70 597 52 32
::Switchboard: +46 (0)8 405 60 00
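Added example, not part of the thread and not any product's code: the "non-offensive" active response Matt describes, the TCP reset an IDS injects to tear down a session that matched a signature, built from scratch so the one thing that makes it work or fail is visible: the sequence number has to be exactly what the end host expects next. The observed segment is constructed (RFC 5737 addresses); actually putting the resets on the wire would need a raw socket and is deliberately left out.

```python
"""TCP reset injection as an IDS active response (added example).

Assumptions: the sensor saw one segment from the client and knows its
sequence/ack numbers and payload length; both end hosts are reachable with
spoofed source addresses (not done here). rst_disposition() models how a
receiver following RFC 5961 treats the reset, which is why an IDS that is
even slightly behind the stream gets its resets ignored."""
import ipaddress
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_PROTO = 6

# Constructed: a segment the sensor saw from the client, with 57 bytes of payload.
OBSERVED = {"src": "198.51.100.23", "dst": "192.0.2.10", "sport": 4412, "dport": 80,
            "seq": 0x1A2B3C4D, "ack": 0x0F0E0D0C, "payload_len": 57}


def checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src, dst, tcp_len):
    return (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def tcp_segment(src, dst, sport, dport, seq, ack, flags, window=0):
    """Bare 20-byte TCP header (no options, no payload) with a valid checksum."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                      (5 << 12) | flags, window, 0, 0)
    csum = checksum(_pseudo_header(src, dst, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_tcp(segment):
    sport, dport, seq, ack, off_flags, window, csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window, "checksum": csum}


def checksum_ok(src, dst, segment):
    """A correct checksum makes the sum over pseudo-header plus segment fold to zero."""
    return checksum(_pseudo_header(src, dst, len(segment)) + segment) == 0


def build_resets(seen):
    """Two resets for the session the observed segment belongs to: one toward
    the server impersonating the client, one toward the client impersonating
    the server. Sequence numbers continue exactly from the observed segment."""
    next_client_seq = (seen["seq"] + seen["payload_len"]) & 0xFFFFFFFF
    to_server = tcp_segment(seen["src"], seen["dst"], seen["sport"], seen["dport"],
                            next_client_seq, seen["ack"], RST | ACK)
    to_client = tcp_segment(seen["dst"], seen["src"], seen["dport"], seen["sport"],
                            seen["ack"], next_client_seq, RST | ACK)
    return {"to_server": to_server, "to_client": to_client}


def rst_disposition(rst_seq, rcv_nxt, rcv_wnd):
    """What a receiver following RFC 5961 does with an incoming RST:
    exact match resets, merely in-window gets a challenge ACK, otherwise dropped."""
    if rst_seq == rcv_nxt:
        return "reset"
    if ((rst_seq - rcv_nxt) & 0xFFFFFFFF) < rcv_wnd:
        return "challenge-ack"
    return "drop"


if __name__ == "__main__":
    for name, seg in build_resets(OBSERVED).items():
        print(name, parse_tcp(seg))
```

Two practical consequences follow from the sequence-number requirement. A sensor on a SPAN port is racing the real traffic, so by the time its reset arrives the host's expected sequence number may already have moved on and the reset is dropped (or, on modern stacks, answered with a challenge ACK). And because the reset is an in-band forgery, a false positive here is not a missed alert but a self-inflicted outage for whatever session the signature happened to match, which is the false-positive problem Matt raises.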
RE: Legal problem - IDS - Commercial Vs Open Source.
Get cyber insurance to cover the other risk factors of intrusion.

-Original Message-
From: Edward L. Jones [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 11:38 AM
To: Hall Duane; [EMAIL PROTECTED]
Subject: RE: Legal problem - IDS - Commercial Vs Open Source.

I have a BS in criminal justice (pre-law) and a master's in Information System Science, and I have never heard of a company suing an IDS vendor because of the software not catching the break-in. Your company would definitely set a precedent, and I am curious to see what the outcome would be if your company actually went to court with this. I would agree with your reply to the answer as being NO, but here are a few points you should propose to your management.

1) Was the problem really that of the software, or was it a human error in overlooking the incidents leading up to the intrusion, such as the recon phase, and finally failure to detect the actual intrusion?

2) In the purchase order, contract or agreement to buy the software, does it anywhere explicitly say that their IDS product protects you from all known and/or unknown attacks?

3) Finally, does your company really think another vendor will help them if word gets out in the industry that you guys sue for this type of stuff?

E.L. Jones
Network Security Engineer

-Original Message-
From: Hall, Duane [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 8:09 AM
To: [EMAIL PROTECTED]
Subject: Legal problem - IDS - Commercial Vs Open Source.

I have been a lurker on this mailing list for quite a while, so here it goes. I have come across an issue asked by management about IDS products. They are asking about the legality issues. For instance: if we have a break-in and are using a commercial IDS product and the IDS software doesn't catch it, do you have any legal recourse against the commercial product vendor? Can you sue them for not catching the intrusion? My thinking is NO. I'm sure the software license agreement takes care of this.
The same is asked if we decide to use an open source product, like Snort. I have said the same. I tried to give an example, for instance Microsoft. If someone breaks into a Windows server, no one but the administrator is responsible. You can't sue Microsoft because you didn't apply a patch or weren't watching the server. Does anyone have any articles or case studies to support my thinking? Any help would be appreciated.

Duane Hall

Duane Hall
Security Administrator
Hastings Entertainment, Inc.
806-351-2300 X-3945
[EMAIL PROTECTED]