Nabble - IDS (Intrusion Detection System)

Replicating the Gonzalez Cyber Attacks through Penetration Testing

2009-11-20T16:07:11Z

--------------------------------------------------------------------------------
YOU'RE INVITED: IT SECURITY ON DEMAND WEBCAST

"Replicating the Gonzalez Cyber Attacks through Penetration Testing"
Register: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez
---------------------------------------------------------------------------------

Recently, we saw the indictment of cybercrime kingpin Albert Gonzalez, one of the accused masterminds behind high-profile data breaches at Heartland Payment Systems, Hannaford Bros. Supermarkets, 7-Eleven, and TJX. Next week, Core Security Technologies will present a hands-on look at the attacks Gonzalez and his co-conspirators are believed to have used in breaching these organizations.

Leveraging the actual indictment document as a guide, Core Security senior product manager Alex Horan will use CORE IMPACT Pro penetration testing software to demonstrate the techniques by which Gonzales allegedly stole millions of credit card numbers* - showing you how to identify IT exposures in your own environment before cybercriminals do.

> Register here: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez

During the webcast, you'll see a step-by-step depiction of an attack similar to that described in the Gonzalez indictment, including the following critical stages:

* the initial web application compromise via SQL Injection
* the use of a well-known backend database command to make the attacks even
* more invasive
* the planting of malware on the backend database server
* the collection and transmission of credit card transactions to the
* attackers

Through the demonstration, you'll also learn how commercial-grade penetration testing software enables you to see your IT systems as an attacker would -- not only by determining if the kinds of issues that Gonzalez reportedly leveraged are present in your environment, but also by ...

* assessing how deployed defenses react to specific threats
* revealing what systems and data would be exposed by a breach
* depicting how chains of vulnerabilities open paths to mission-critical
* systems and information
* providing actionable data for immediately mitigating critical exposures
* repeating tests to ensure the effectiveness of remediation efforts

This webcast is ideal for anyone interested in proactively assessing their security posture against real-world cyber threats.

> Register here: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

CfP EWNI2010: 1st European Workshop on Internet Early Warning and Network Intelligence

2009-11-11T07:27:47Z

Hi all,

attached the CfP for the 1st European Workshop on Internet Early Warning and Network
Intelligence. If you have any questions please don't hesitate to contact me.

Regards -- Till
--
Dipl.-Inform. Till Dörges doerges@...

PRESENSE Technologies GmbH Sachsenstr. 5, D-20097 HH
Geschäftsführer/Managing Directors AG Hamburg, HRB 107844
Till Dörges Jürgen Sander Axel Theilmann

1st European Workshop on Internet
Early Warning and Network Intelligence
http://www.pre-sense.de/ewni2010

=======================================================================

CALL FOR PAPERS

EWNI 2010

1st European Workshop on Internet Early Warning and Network Intelligence

January 27, 2010

Hamburg, Germany

=======================================================================

INTRODUCTION
============

Threats in the Internet are numerous. They have to be dealt with at
many levels - ranking from firewalls or intrusion detection systems
(IDS) to measures with a broader or even global focus. Early Warning
Systems (EWS) are such broadly focused measures. EWS usually consist
of distributed sensors networks and some central analysis or
assessment facilities. The sensors collect raw data, e.g. statistics
about connections (NetFlows), malware samples, or IDS events. By means
of the centralized analysis facilities the "big picture" of what is
happening can be obtained. EWS is valuable to numerous roles and
entities. Be it larger organizations, governments, or Computer
Emergency Response Teams (CERT). All greatly benefit from EWS and the
resulting (global) network situational awareness when having to judge
the security of their own networks. The usefulness of EWS for
Critical Information Infrastructure Protection (CIIP) follows
directly from this. Only when many actors deliver pieces can the
puzzle be put together.

Thus, the need for collaboration has been - more or less -
accepted. However, large scale, collaborative detection efforts have
been difficult. EWS started addressing this a couple of years ago,
already. And while certain technical requirements (privacy, data
protection, ...) have been met, EWS still require a lot of research
efforts and improvements in order to keep up with the perpetuous arms
race between attackers and defenders.

TOPICS
======

The goal of this workshop is twofold: Evaluate the current state of
the art of EWS and explore both related and future research areas. On
an organizational level the workshop is intended to stimulate
collaborative efforts.

The program committee solicits submissions particularly from the
following areas but will carefully consider all contributions which
are sufficiently related to Early Warning and Network Intelligence:

- modeling EWS
- organizational and operational issues of EWS
- practical experiences
- international cooperation
- inter-organizational communication/cooperation
- interoperability
- next generation EWS
- distributed sensor networks
- data acquisition
- data aggregation/evaluation
- visualization
- data navigation/user interfaces
- infrastructural network security
- privacy and data protection in EWS
- management of large-scale EWS installations
- HCI aspects of EWS

IMPORTANT DATES
===============

Paper Submission 2009-12-01
Notification of Acceptance 2009-12-21
Workshop 2010-01-27

CONFERENCE PROGRAM
==================

Once compiled the conference program will be available at

http://www.pre-sense.de/ewni2010/

REGISTRATION AND FEES
=====================

Registration will (soon) be possible at

http://www.pre-sense.de/ewni2010/

The registrations fees are as follows:

200,- EUR (normal)
100,- EUR (discount for FIRST/TI members)
50,- EUR (student discount)
0,- EUR (for speakers)

PROGRAM COMMITTEE
=================

The program committee members are

Carol Overes (GOVCERT.NL)
Ferenc Suba (CERT-Hungary)
Klaus-Peter Kossakowski (PRESECURE Consulting GmbH)
Marco ThorbrÃ¼gge (ENISA)
Peter Haag (SWITCH-CERT)
Piotr Kijewski (CERT POLSKA)
Till DÃ¶rges (PRESENSE Technologies GmbH)

SUPPORT AND SUCH
================

EWNI2010 is organized by PRESENSE Technologies GmbH.

EWNI2010 is supported by ENISA.

EWNI2010 is collocated with the joint FIRST/TF-CSIRT event in January 2010.

CONTACT INFORMATION
===================

You can reach the organizers at

ewni2010@...

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Re: Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort?

2009-10-31T09:31:32Z

Although this also does not meet the PCI requirement, one thing you can do
to rapidly detect transient wireless access points is this:

1. Make sure your network default route leads to your firewall.
2. Monitor the firewall for internal devices trying to do NTP (time sync)
lookups.

This presumes you have an internal time server system and you have properly
configured your internal systems to not go to the Internet for time.

It works because home wireless access points are usually set up by default
to perform time synchronization. As soons as someone plugs one in, it will
light up the firewall logs. Efforts like this also presume your company is
not into checkbox compliance and is truly concerned about the security of
their network.

Brian, where do you find guidance like this? I just can't seem to find it
anywhere on the PCI web site.

Thanks,

Ray

<brian_klumpp@...> wrote in message
news:20091029174027.23311.qmail@......
I realize this thread is a little old, but I did want to make a comment in
regards to this. As a QSA, *wired* side scanning alone would be
insufficient to meet the intent of the PCI DSS 11.1 requirement. There is
this quote from PCI Council:

"Relying on wired side scanning tools (e.g. tools that scan suspicious
hardware MAC addresses on switches) may identify some unauthorized wireless
devices; however, they tend to have high false positive/negative detection
rates. Wired network scanning tools that scan for wireless devices often
miss cleverly hidden and disguised rogue wireless devices or devices that
are connected to isolated network segments. Wired scanning also fails to
detect many instances of rogue wireless clients. A rogue wireless client is
any device that has a wireless interface that is not intended to be present
in the environment."

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Re: Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort?

2009-10-29T10:40:27Z

I realize this thread is a little old, but I did want to make a comment in regards to this. As a QSA, *wired* side scanning alone would be insufficient to meet the intent of the PCI DSS 11.1 requirement. There is this quote from PCI Council:

"Relying on wired side scanning tools (e.g. tools that scan suspicious hardware MAC addresses on switches) may identify some unauthorized wireless devices; however, they tend to have high false positive/negative detection rates. Wired network scanning tools that scan for wireless devices often miss cleverly hidden and disguised rogue wireless devices or devices that are connected to isolated network segments. Wired scanning also fails to detect many instances of rogue wireless clients. A rogue wireless client is any device that has a wireless interface that is not intended to be present in the environment."

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Announcing pcapr Trends

2009-10-01T09:07:05Z

With the recent influx of pcaps, the number of protocols and pcaps are
getting to the point where interesting trend analysis makes sense. So
we set out to find the meaning of it all with multi-dimensional data
visualization using Motion Charts.

We wanted to find out
- How does the coverage and #pcaps for a given protocol trend over time?
- When was a protocol first introduced into pcapr?
- What is 42 and what does it have to do with packet captures?

You can read about this more in our blog http://bit.ly/PhjoT and
explore pcapr Trends: http://www.pcapr.net/trends

Thanks,
The Pcapr Team
http://www.pcapr.net/
http://labs.mudynamics.com/
http://twitter.com/pcapr

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

A new network security book on a New Host-based Hybrid IDS Architecture

2009-09-26T11:54:18Z

In this IDS research book the author is proposing a new host-based hybrid IDS architecture. I believe it will be very useful, interesting and inspiring for anyone who is performing research or is just interested in IDS, network security, information security, machine learning, neural networks, pattern recognition, and data mining. This book provides a lot of innovative ideas especially for students who are preparing thesis and dissertations and for researchers.

BOOK DESCRIPTION
In a world where our every day life depends on what is going on in the gap between stimulus and reaction, Intruders could make the decision for you. Unless they are detected on time! Network security has been an issue since computers have been networked together. Lots of vulnerabilities, risks and threats came to the scene. An important security product that has emerged is Intrusion Detection Systems (IDS). The author proposes a new Host-Based Hybrid Intrusion Detection System. The Intrusion Detection Analyzer Module consists of two analyzers that work in a hybrid architecture: Anomaly Detection Analyzer and Misuse Detection Analyzer. This way, the Anomaly Detection Analyzer is trained with attack-free session data and normal behaviour is learnt so it raises an alarm when it detects a deviation from this normal behaviour. Self Organizing Map, an unsupervised machine learning algorithm, is used. The Misuse Detection Analyzer uses a C4.5 Decision Tree. Finally, Decision Making Module decides whether the session is normal or an attack. The proposed hybrid architecture works very accurately. It is an essential book. Any professional can benefit from such a lecture.

ABOUT THE AUTHOR
Murat Topallar was born in Turkey in 1978. He gained MSc. degree in Electrical and Electronics Engineering at Bogazici Univ., Turkey in 2004. He published a number of papers on network security, IDS and machine learning. Passionate of research, Topallar developed a new Host-Based Hybrid IDS Architecture. Today he is in telecom business.

http://www.amazon.de/New-Host-Based-Hybrid-IDS-Architecture/dp/3639172884/ref=sr_1_1?ie=UTF8&qid=1252096884&sr=8-1

CDX dataset and labeling

2009-09-22T21:11:59Z

The CDX dataset is available at http://www.itoc.usma.edu/research/dataset/
The paper describing the generation of labeled dataset is available
here: http://www.usenix.org/event/cset09/tech/full_papers/sangster.pdf

As a user of this dataset, how do I get labeling information.
The detailed network diagram is also available at
http://www.itoc.usma.edu/research/dataset/logs/CDX_2009_Network_USMA.pdf

Attack labeling based on ip address: [?]
The IP addresses of the Red Team (the bad guys) is known ahead of
time. But the red team also
generates benign traffic. In addition, after taking over some of the
good machines, red team
can use those ip addresses to attack.

Unless the user digs deep and analyze the traffic in detail is it
possible to know
which sessions/packets are good / bad?
Otherwise what does labeled data mean?

Thanks for any clarification -

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Re: Defcon 17 CTF pcaps

2009-09-14T18:50:51Z

Usually these captures (like Defcon and CTF's) are created to let you
see and figure out what happened yourself. You could probably
specifically pinpoint things in a CTF pcap(s) by knowing/watching a
CTF session.

On Sat, Sep 12, 2009 at 2:22 PM, snort user <snort.user@...> wrote:

> Has anyone analyzed these captures or know the details someother way -
> Does CTF traffic only have attack traffic or does it contain benign
> traffic as well?
> In a CTF contest environment I am expecting that all the machines would be
> trying to attack some machine and capture the goal.
> If there is benign traffic, what is that for?
> Any details is much appreciated.
>
> Thanks
>
>
> On Thu, Sep 10, 2009 at 5:27 PM, kowsik <kowsik@...> wrote:
>> 7GB and 25 million packets of defcon 17 ctf pcaps now on
>> http://www.pcapr.net/forensics.
>>
>> Enjoy,
>>
>> K.
>> ---
>> http://labs.mudynamics.com
>> http://twitter.com/pcapr
>>
>> -----------------------------------------------------------------
>> Securing Your Online Data Transfer with SSL.
>> A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
>> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
>>
>>
>>
>
> -----------------------------------------------------------------
> Securing Your Online Data Transfer with SSL.
> A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
>
>
>

--
Your obedient servant,
Thomas Jaynes(tj)
"A strong body makes the mind strong. As to the species of exercises,
I advise the gun. While this gives moderate exercise to the body, it
gives boldness, enterprise and independence to the mind. Games played
with the ball, and others of that nature, are too violent for the body
and stamp no character on the mind. Let your gun therefore be your
constant companion of your walks."
--- Thomas Jefferson to Peter Carr, 1785.

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Re: Internet traffic dataset

2009-09-13T04:22:28Z

You've got two things working against you here:

1. Organizations generally won't make even "sanitized" packet captures
of that size available to the public
2. Generic "internet traffic" is actually communications involving
human beings that are protected by a number of privacy laws (protected
from you and me anyway)

Unless you have the capability to do the capture yourself you may be
out of luck.

Steve Mullins

On Sat, Sep 12, 2009 at 1:43 AM, snort user <snort.user@...> wrote:

> Hello
>
> Does anyone know if there is a collection of internet traffic datasets anywhere?
>
> http://www.pcapr.net/ has a good collection but the largest dataset is
> only 1000+ packets
> and I am looking for a much larger dataset, say 1-10 million packets.
>
> Also, I am looking for datasets from internet rather than Defcon or other CTF.
>
> Any information is much appreciated!
>
>
> Thanks
>
> -----------------------------------------------------------------
> Securing Your Online Data Transfer with SSL.
> A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
>
>
>

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Re: Internet traffic dataset

2009-09-12T14:31:50Z

Best list of publicly available pcap files that I know of is here:
http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=Publicly_available_PCAP_files

He updates it whenever someone provides any new sites. Though most
publicly available stuff is still CTF/Defcon type stuff.

The ITOC one is about 9 GB of data, but it does not have internet traffic.

On Fri, Sep 11, 2009 at 11:43 PM, snort user <snort.user@...> wrote:

>
> Hello
>
> Does anyone know if there is a collection of internet traffic datasets anywhere?
>
> http://www.pcapr.net/ has a good collection but the largest dataset is
> only 1000+ packets
> and I am looking for a much larger dataset, say 1-10 million packets.
>
> Also, I am looking for datasets from internet rather than Defcon or other CTF.
>
> Any information is much appreciated!
>
>
> Thanks
>
> -----------------------------------------------------------------
> Securing Your Online Data Transfer with SSL.
> A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
>
>

Re: Internet traffic dataset

2009-09-12T12:53:04Z

look at one entry before yours, "Defcon 17 CTF pcaps" a few hours ago, HTH:

http://www.securityfocus.com/archive/96/506417/30/0/threaded

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Re: Defcon 17 CTF pcaps

2009-09-12T11:22:49Z

Has anyone analyzed these captures or know the details someother way -
Does CTF traffic only have attack traffic or does it contain benign
traffic as well?
In a CTF contest environment I am expecting that all the machines would be
trying to attack some machine and capture the goal.
If there is benign traffic, what is that for?
Any details is much appreciated.

Thanks

On Thu, Sep 10, 2009 at 5:27 PM, kowsik <kowsik@...> wrote:

> 7GB and 25 million packets of defcon 17 ctf pcaps now on
> http://www.pcapr.net/forensics.
>
> Enjoy,
>
> K.
> ---
> http://labs.mudynamics.com
> http://twitter.com/pcapr
>
> -----------------------------------------------------------------
> Securing Your Online Data Transfer with SSL.
> A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
>
>
>

Internet traffic dataset

2009-09-11T22:43:44Z

Hello

Does anyone know if there is a collection of internet traffic datasets anywhere?

http://www.pcapr.net/ has a good collection but the largest dataset is
only 1000+ packets
and I am looking for a much larger dataset, say 1-10 million packets.

Also, I am looking for datasets from internet rather than Defcon or other CTF.

Any information is much appreciated!

Thanks

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Re: How to evaluate an IPS/IDS product

2009-09-11T08:42:42Z

I wrote two white papers which may be of help:

Steps to Picking the Right IPS for Your Company
http://www.opus1.com/www/whitepapers/ips-eval.pdf

and

Seven Requirements for Enterprise IPS Products
http://www.opus1.com/www/whitepapers/enterpriseips.pdf

jms

Kai wrote:

> Hi guys,
>
> Our company has a plan to implement an IPS/IDS solution for entire
> system. I 've got some solutions from different vendors. It's really
> hard to decide which is the suitable solution. So, I want to ask a
> question: what are the aspects which are considered when we evaluate a
> IPS/IDS product.
>
> Besides, our distributor has a test device for us to deploy in a test
> environment. They will also provide some scenarios to check this
> product's capabilities in order to prevent some kind of attacks. But,
> I think I need to build my own some scenarios to test separately with
> seller. Please give me some extra ideas/advices how to build my own
> scenarios and a must do checklist to test this product completely.
>
> --
> Best regards,
>
> Phạm Tùng Dương
>
> -----------------------------------------------------------------
> Securing Your Online Data Transfer with SSL.
> A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
>
>

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One Phone: +1 520 324 0494
jms@... http://www.opus1.com/jms

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

How to evaluate an IPS/IDS product

2009-09-11T01:27:47Z

Hi guys,

Our company has a plan to implement an IPS/IDS solution for entire
system. I 've got some solutions from different vendors. It's really
hard to decide which is the suitable solution. So, I want to ask a
question: what are the aspects which are considered when we evaluate a
IPS/IDS product.

Besides, our distributor has a test device for us to deploy in a test
environment. They will also provide some scenarios to check this
product's capabilities in order to prevent some kind of attacks. But,
I think I need to build my own some scenarios to test separately with
seller. Please give me some extra ideas/advices how to build my own
scenarios and a must do checklist to test this product completely.

--
Best regards,

Phạm Tùng Dương

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Defcon 17 CTF pcaps

2009-09-10T14:27:47Z

7GB and 25 million packets of defcon 17 ctf pcaps now on
http://www.pcapr.net/forensics.

Enjoy,

K.
---
http://labs.mudynamics.com
http://twitter.com/pcapr

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Workshop on the Analysis of System Logs - Oct 14 - Call for Participation

2009-08-31T23:59:23Z

Workshop on the Analysis of System Logs (WASL) 2009
http://www.systemloganalysis.com
Call for Participation

===============================
October 14, 2009
Big Sky, MT
(at SOSP)
===============================

--------------------------------------------------------------------------

System logs contain a wide variety of information about system status
and health,
including events from various applications, daemons and drivers, as well
as sampled
information such as resource utilization statistics. As such, these logs
represent a
rich source of information for the analysis and diagnosis of system
problems and
prediction of future system events. However, their lack of organization
and the general
lack of semantic consistency between information from various software
and hardware
vendors means that most of this information content is wasted. Indeed,
today's
most popular log analysis technique is to use regular expressions to
either detect
events of interest or to filter the log so that a human operator can
examine it manually.
Clearly, this captures only a fraction of the information available in
these logs and
does not scale to the large systems common in business and
supercomputing environments.
This workshop will focus on novel techniques for extracting
operationally useful
information from existing logs and methods to improve the information
content of future
logs.

Workshop Program

Session 1: Log Analysis Tools
- "Extracting Message Types from BlueGene/L's Logs", A. Makanju, A.
Zincir-Heywood, and E. Milios
- "Incremental Learning of System Log Formats", K. Zhu, K. Fisher,
and D. Walker
- "Visual and Algorithmic Tooling for System Trace Analysis: A Case
Study", W. De Pauw and S. Heisig

Session 2: Analyzing System Logs
- "Mining Dependency in Distributed Systems through Unstructured
Logs Analysis", J. Lou, Q. Fu, Y. Wang, and J. Li
- "A Bayesian Network Approach to Modeling IT Service Availability
using System Logs", R. Zhang, E. Cope, L. Huesler, and F. Cheng
- "Endpoint Identification Using System Logs", S. Melvin

Session 3: Group Discussion on Current State of the Art
- Tips and tricks in current use.
- Gaps and challenges in current techniques.
- Vision and steps for the future.

Session 4: Panel on Future Research Agenda
- What are the most difficult problems with logging, in the real world?
- How to make academia-industry interactions more productive?
- How to extract meaningful information from logs?
- How to improve system management?

Workshop Chair:
Greg Bronevetsky (Lawrence Livermore National Laboratory)
greg@...

Program Committee:
Jon Stearley, Sandia National Laboratory
Bianca Schroeder, University of Toronto
Sébastien Tricaud, INL
Sapan Bhatia, Princeton University
Risto Vaarandi, CCD CoE
Jim Jansen, Penn State University
Wei Xu, University of California, Berkeley
Anton Chuvakin, Qualys
Kara Nance, University of Alaska, Fairbanks
Raffael Marty, PixlCloud

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

RE: Excluding the bulk of UDP from IPS processing - What's the impact?

2009-08-28T10:42:02Z

I guess the question you are pondering on whether to send dynamic data
connection traffic (RTP in case of SIP, L2TP data connections) to IPS
for inspection.

I would say YES. I don't have the list, but as recent as June/July of
this year, I saw vulnerability disclosures in some RTP implementations.

Thanks
Srini

+++++++++++++++++++++++++++++++
Srinivasa Rao Addepalli
Chief Software Architect
Software Products Division
Freescale Semiconductor Inc.

Ph: 408-904-2761
-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of Bikram Gupta
Sent: Thursday, August 27, 2009 4:27 AM
To: focus-ids@...
Subject: Re: Excluding the bulk of UDP from IPS processing - What's the
impact?

Thank you all, for the response. I'm new to IPS, and so let me put my
understanding in a simple flow.

- Packet switching is not the bottleneck for my case, state
maintenance is. So I'm trying to reduce the # of states here - without
any sacrifice in security capabilities. If that's not possible, I want
to know.
- I've tuned the perimeter IPS policies to enable asset specific
protection (TCP/UDP/IP, HTTP, DNS, SIP, NFS, L2TP) - for example.
- Next, what I do is to bypass all UDP traffic (except ports for DNS,
SIP signalling, NFS, and L2TP connection setup port, and worms/bots
traffic ports) from IPS engine.

What can go wrong? My thinking is as follows:
1) the IPS is not configured to protect any other traffic - besides
dns, sip, nfs, l2tp setup)
2) The IPS capability is in detecting attacks being carried in
signalling/connection setup. Maybe wrong, this is how I thought.
(2a) SIP, for example. All the SIP signatures are inspecting the
signaling traffic directed to SIP server. Once the connection is
established, the RTP channel is voice traffic. And the processing
involved at the endpoint is mere voice/data encoding. So the scope of
attack on RTP channel is less.
(2b) L2TP for example. The connection setup is directed to a fixed
port of L2TP server, which then chooses a random port for data
transfer. Once the data transfer begins, the end host is part of
network and IPS (sitting before L2TP) cannot do much. So we place an
IPS just after L2TP server in the network.

Assuming I can configure my network traffic to allow only a set of
fixed UDP ports (sip, dns, l2tp etc) into IPS engine for inspection,
what can be the damage from security standpoint?

Thanks a lot.

Bikram

On 8/27/09, Addepalli Srini-B22160 <saddepalli@...> wrote:
> I imagine that you want to reduce the load on IPS.
>
> If you are looking to protect any UDP Servers such as IKE, NFS, SIP,
> L2TP etc.., it is typically expected that IPS inspects the traffic of
> UDP sessions that were initiated by un-trusted machines. Since many
IPS
> devices are stateful in nature, it is necessary to send packets from
> both client-to-server and server-to-client of these sessions to IPS
> devices. That is, I don't think sending the Out-to-in traffic alone is
> not good enough due to statefulness of IPS devices. If IPS device is
> inline with the firewall, then I guess it is not a problem as it gets
> hold of all packets anyway. But, if it offline IPS device, then
firewall

> should have intelligence to pass traffic of these sessions to IPS
> device.
>
> Thanks
> Srini
>
>
>
> +++++++++++++++++++++++++++++++
> Srinivasa Rao Addepalli
> Chief Software Architect
> Software Products Division
> Freescale Semiconductor Inc.
>
> Ph: 408-904-2761
> -----Original Message-----
> From: listbounce@...

[mailto:listbounce@...]
> On Behalf Of Bikram Gupta
> Sent: Wednesday, August 26, 2009 5:17 AM
> To: focus-ids@...
> Subject: Excluding the bulk of UDP from IPS processing - What's the
> impact?
>
> Scenario: Perimeter IPS deployment, with Stateful firewall at the
egress

> point.
>
> Traffic from out to in: Firewall will block all unsolicited UDP ports.
> For the UDP ports where traffic is allowed (RTP data etc) through
> firewall, do I have to pass it though IPS engine? Will there be cases
> of exploits in such cases? Some examples please.
>
> Traffic from in to out: I believe IPS processing for UDP flows must be
> enabled here.. to detect some of the p2p, IM, skype, trojan etc
> traffic.
>
> I am trying to understand the impact, if I bypass the UDP flows from
> IPS device? Can this be done realistically for some UDP traffic
> (in->out, out->in), or NONE?
>
> Thanks a lot.
>
> Bikram
>
> -----------------------------------------------------------------
> Securing Your Online Data Transfer with SSL.
> A guide to understanding SSL certificates, how they operate and their
> application. By making use of an SSL certificate on your web server,

you
> can securely collect sensitive information online, and increase
business
> by giving your customers confidence that their transactions are safe.
>
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
> 17f194
>
>
>
>

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their
application. By making use of an SSL certificate on your web server, you
can securely collect sensitive information online, and increase business
by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Re: Excluding the bulk of UDP from IPS processing - What's the impact?

2009-08-27T04:26:33Z

Thank you all, for the response. I'm new to IPS, and so let me put my
understanding in a simple flow.

- Packet switching is not the bottleneck for my case, state
maintenance is. So I'm trying to reduce the # of states here - without
any sacrifice in security capabilities. If that's not possible, I want
to know.
- I've tuned the perimeter IPS policies to enable asset specific
protection (TCP/UDP/IP, HTTP, DNS, SIP, NFS, L2TP) - for example.
- Next, what I do is to bypass all UDP traffic (except ports for DNS,
SIP signalling, NFS, and L2TP connection setup port, and worms/bots
traffic ports) from IPS engine.

What can go wrong? My thinking is as follows:
1) the IPS is not configured to protect any other traffic - besides
dns, sip, nfs, l2tp setup)
2) The IPS capability is in detecting attacks being carried in
signalling/connection setup. Maybe wrong, this is how I thought.
(2a) SIP, for example. All the SIP signatures are inspecting the
signaling traffic directed to SIP server. Once the connection is
established, the RTP channel is voice traffic. And the processing
involved at the endpoint is mere voice/data encoding. So the scope of
attack on RTP channel is less.
(2b) L2TP for example. The connection setup is directed to a fixed
port of L2TP server, which then chooses a random port for data
transfer. Once the data transfer begins, the end host is part of
network and IPS (sitting before L2TP) cannot do much. So we place an
IPS just after L2TP server in the network.

Assuming I can configure my network traffic to allow only a set of
fixed UDP ports (sip, dns, l2tp etc) into IPS engine for inspection,
what can be the damage from security standpoint?

Thanks a lot.

Bikram

On 8/27/09, Addepalli Srini-B22160 <saddepalli@...> wrote:

> I imagine that you want to reduce the load on IPS.
>
> If you are looking to protect any UDP Servers such as IKE, NFS, SIP,
> L2TP etc.., it is typically expected that IPS inspects the traffic of
> UDP sessions that were initiated by un-trusted machines. Since many IPS
> devices are stateful in nature, it is necessary to send packets from
> both client-to-server and server-to-client of these sessions to IPS
> devices. That is, I don't think sending the Out-to-in traffic alone is
> not good enough due to statefulness of IPS devices. If IPS device is
> inline with the firewall, then I guess it is not a problem as it gets
> hold of all packets anyway. But, if it offline IPS device, then firewall
> should have intelligence to pass traffic of these sessions to IPS
> device.
>
> Thanks
> Srini
>
>
>
> +++++++++++++++++++++++++++++++
> Srinivasa Rao Addepalli
> Chief Software Architect
> Software Products Division
> Freescale Semiconductor Inc.
>
> Ph: 408-904-2761
> -----Original Message-----
> From: listbounce@... [mailto:listbounce@...]
> On Behalf Of Bikram Gupta
> Sent: Wednesday, August 26, 2009 5:17 AM
> To: focus-ids@...
> Subject: Excluding the bulk of UDP from IPS processing - What's the
> impact?
>
> Scenario: Perimeter IPS deployment, with Stateful firewall at the egress
> point.
>
> Traffic from out to in: Firewall will block all unsolicited UDP ports.
> For the UDP ports where traffic is allowed (RTP data etc) through
> firewall, do I have to pass it though IPS engine? Will there be cases
> of exploits in such cases? Some examples please.
>
> Traffic from in to out: I believe IPS processing for UDP flows must be
> enabled here.. to detect some of the p2p, IM, skype, trojan etc
> traffic.
>
> I am trying to understand the impact, if I bypass the UDP flows from
> IPS device? Can this be done realistically for some UDP traffic
> (in->out, out->in), or NONE?
>
> Thanks a lot.
>
> Bikram
>
> -----------------------------------------------------------------
> Securing Your Online Data Transfer with SSL.
> A guide to understanding SSL certificates, how they operate and their
> application. By making use of an SSL certificate on your web server, you
> can securely collect sensitive information online, and increase business
> by giving your customers confidence that their transactions are safe.
> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
> 17f194
>
>
>
>

Re: Excluding the bulk of UDP from IPS processing - What's the impact?

2009-08-26T14:39:35Z

Jamie Riden wrote:
> 2009/8/26 Bikram Gupta <bikramkgupta@...>:
>> Scenario: Perimeter IPS deployment, with Stateful firewall at the egress point.
>>
>> Traffic from out to in: Firewall will block all unsolicited UDP ports.
>> For the UDP ports where traffic is allowed (RTP data etc) through
>> firewall, do I have to pass it though IPS engine? Will there be cases
>> of exploits in such cases? Some examples please.

sip is a big source of udp ips rules.

>> Traffic from in to out: I believe IPS processing for UDP flows must be
>> enabled here.. to detect some of the p2p, IM, skype, trojan etc
>> traffic.
>>
>> I am trying to understand the impact, if I bypass the UDP flows from
>> IPS device? Can this be done realistically for some UDP traffic
>> (in->out, out->in), or NONE?
>>
>> Thanks a lot.
>>
>> Bikram
>
> Slammer was UDP. Witty was UDP.
> http://en.wikipedia.org/wiki/SQL_slammer_(computer_worm)
> http://en.wikipedia.org/wiki/Witty_(computer_worm)
>
> RTP is complex enough that I wouldn't be surprised at a few parser
> bugs popping up at some point.
>
> I'd rather get a higher-powered IPS than not looking at UDP, but it
> depends on your cost/benefit analysis.
>
> cheers,
> Jamie
>

RE: Excluding the bulk of UDP from IPS processing - What's the impact?

2009-08-26T13:06:51Z

I imagine that you want to reduce the load on IPS.

If you are looking to protect any UDP Servers such as IKE, NFS, SIP,
L2TP etc.., it is typically expected that IPS inspects the traffic of
UDP sessions that were initiated by un-trusted machines. Since many IPS
devices are stateful in nature, it is necessary to send packets from
both client-to-server and server-to-client of these sessions to IPS
devices. That is, I don't think sending the Out-to-in traffic alone is
not good enough due to statefulness of IPS devices. If IPS device is
inline with the firewall, then I guess it is not a problem as it gets
hold of all packets anyway. But, if it offline IPS device, then firewall
should have intelligence to pass traffic of these sessions to IPS
device.

Thanks
Srini

+++++++++++++++++++++++++++++++
Srinivasa Rao Addepalli
Chief Software Architect
Software Products Division
Freescale Semiconductor Inc.

Ph: 408-904-2761
-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of Bikram Gupta
Sent: Wednesday, August 26, 2009 5:17 AM
To: focus-ids@...
Subject: Excluding the bulk of UDP from IPS processing - What's the
impact?

Scenario: Perimeter IPS deployment, with Stateful firewall at the egress
point.

Traffic from out to in: Firewall will block all unsolicited UDP ports.
For the UDP ports where traffic is allowed (RTP data etc) through
firewall, do I have to pass it though IPS engine? Will there be cases
of exploits in such cases? Some examples please.

Traffic from in to out: I believe IPS processing for UDP flows must be
enabled here.. to detect some of the p2p, IM, skype, trojan etc
traffic.

I am trying to understand the impact, if I bypass the UDP flows from
IPS device? Can this be done realistically for some UDP traffic
(in->out, out->in), or NONE?

Thanks a lot.

Bikram

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their
application. By making use of an SSL certificate on your web server, you
can securely collect sensitive information online, and increase business
by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Re: Excluding the bulk of UDP from IPS processing - What's the impact?

2009-08-26T12:18:33Z

2009/8/26 Bikram Gupta <bikramkgupta@...>:

> Scenario: Perimeter IPS deployment, with Stateful firewall at the egress point.
>
> Traffic from out to in: Firewall will block all unsolicited UDP ports.
> For the UDP ports where traffic is allowed (RTP data etc) through
> firewall, do I have to pass it though IPS engine? Will there be cases
> of exploits in such cases? Some examples please.
>
> Traffic from in to out: I believe IPS processing for UDP flows must be
> enabled here.. to detect some of the p2p, IM, skype, trojan etc
> traffic.
>
> I am trying to understand the impact, if I bypass the UDP flows from
> IPS device? Can this be done realistically for some UDP traffic
> (in->out, out->in), or NONE?
>
> Thanks a lot.
>
> Bikram

Slammer was UDP. Witty was UDP.
http://en.wikipedia.org/wiki/SQL_slammer_(computer_worm)
http://en.wikipedia.org/wiki/Witty_(computer_worm)

RTP is complex enough that I wouldn't be surprised at a few parser
bugs popping up at some point.

I'd rather get a higher-powered IPS than not looking at UDP, but it
depends on your cost/benefit analysis.

cheers,
Jamie

--
Jamie Riden / jamesr@... / jamie@...
http://www.ukhoneynet.org/members/jamie/

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Excluding the bulk of UDP from IPS processing - What's the impact?

2009-08-26T05:16:47Z

Scenario: Perimeter IPS deployment, with Stateful firewall at the egress point.

Traffic from out to in: Firewall will block all unsolicited UDP ports.
For the UDP ports where traffic is allowed (RTP data etc) through
firewall, do I have to pass it though IPS engine? Will there be cases
of exploits in such cases? Some examples please.

Traffic from in to out: I believe IPS processing for UDP flows must be
enabled here.. to detect some of the p2p, IM, skype, trojan etc
traffic.

I am trying to understand the impact, if I bypass the UDP flows from
IPS device? Can this be done realistically for some UDP traffic
(in->out, out->in), or NONE?

Thanks a lot.

Bikram

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Re: Reputation based IPS/IDS - Cisco's tested

2009-08-24T09:36:51Z

Wanted to add something to the discussion as well.

We performed an experiment based on email reputation as a part of our
research efforts (http://isr.uncc.edu/repuscore for the results).
After a few months, we noticed a brute-force attack on the website.

Based on the email reputation computed we could identify a small
fraction of IP addresses from which the attack occurred (both good and
bad: which is the good part of email reputation). RBLs were a
little-bit more accurate for bad IP addresses; but it was still a
smaller fraction than what I had expected to see. A large percentage
of the attacks come from IP addresses we have no information about.

I believe, the correlation would help in creating two groups of
alerts: 1. the alerts we know reputation about and 2. might be to use
reputation to identify those we know and those we do not know about.
Clearly, correlating with reputation without properly presenting this
information to the user might not be sufficient.
---
Gautam Singaraju

On Sat, Aug 22, 2009 at 1:34 PM, Frank Knobbe<frank@...> wrote:

> On Tue, 2009-08-11 at 17:49 +0200, Joel Snyder wrote:
>> Some of you may remember our discussion back in November, 2008 about
>> using reputation services in IPS. (search for subject line "Email
>> reputation for inout to IDSs?" if you want to read it).
>
>
> From the article:
> "This basic use of reputation filters isn't new, but what's interesting
> is that Cisco will use this reputation data to change the Risk Rating of
> security events identified by the IPS. In other words, an event linked
> to a 'bad' IP address will result in an even higher Risk Rating."
>
>
> Isn't this backwards? The risk to a system of an attack coming from an
> known attacker compared to an unknown attacker is the same. Matter the
> fact, I'd like to argue the opposite. Since the known attacker has
> already been identified (and can be blocked), the Risk Rating of the
> alert for that address should be lower. Unknown attackers should receive
> a high Risk Rating so they stand out and can be addressed first (like
> that laptop in the article's example).
>
> Now, I understand that the *assurance* of the alert is higher, since the
> attacker has already been verified as hostile, so the likelihood of a
> false positive from that address is lower. But I think classifying the
> known attackers as high risk so the user focuses on those first is a
> misguided step in the wrong direction. I can already envision the
> evasion scenario: Flood your target with SQL injections attacks through
> known open proxies (so they receive a high Risk Rating), and slip in the
> real attack from an unknown IP (classified now as ... not-so-high risk).
> Which would you be more concerned about?
>
> IP intelligence within the IDS console is of course of great benefit.
> (we've been doing this for years. Then again, we've been using IP
> reputation and blocking known evil IP's in a distributed fashion for
> years as well...). Any IP intel for the analyst in the console is a good
> thing. I'm just not sure that *interpreting* that IP intel on behalf of
> the analyst is the right thing to do.
>
> Thoughts?
>
> Regards,
> Frank
>
>
>
>
> --
> It is said that the Internet is a public utility. As such, it is best
> compared to a sewer. A big, fat pipe with a bunch of crap sloshing
> against your ports.
>
>

Collaborative Network Forensics

2009-08-23T15:03:20Z

We took the recently published ITOC dataset and the CCTF captures from
Shmoo group (total of 15.0 GBytes, 26.3 million packets), indexed them
to enable contextual search and instant access to packets, not to
mention HN/Twitter-style one-liners attached to packets and searches
for a community oriented forensics application.

http://bit.ly/12I62D for the blog and
http://www.pcapr.net/forensics for the app

Enjoy,

K.
---
http://labs.mudynamics.com
http://twitter.com/pcapr

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Re: Reputation based IPS/IDS - Cisco's tested

2009-08-22T10:34:58Z

On Tue, 2009-08-11 at 17:49 +0200, Joel Snyder wrote:
> Some of you may remember our discussion back in November, 2008 about
> using reputation services in IPS. (search for subject line "Email
> reputation for inout to IDSs?" if you want to read it).

From the article:
"This basic use of reputation filters isn't new, but what's interesting
is that Cisco will use this reputation data to change the Risk Rating of
security events identified by the IPS. In other words, an event linked
to a 'bad' IP address will result in an even higher Risk Rating."

Isn't this backwards? The risk to a system of an attack coming from an
known attacker compared to an unknown attacker is the same. Matter the
fact, I'd like to argue the opposite. Since the known attacker has
already been identified (and can be blocked), the Risk Rating of the
alert for that address should be lower. Unknown attackers should receive
a high Risk Rating so they stand out and can be addressed first (like
that laptop in the article's example).

Now, I understand that the *assurance* of the alert is higher, since the
attacker has already been verified as hostile, so the likelihood of a
false positive from that address is lower. But I think classifying the
known attackers as high risk so the user focuses on those first is a
misguided step in the wrong direction. I can already envision the
evasion scenario: Flood your target with SQL injections attacks through
known open proxies (so they receive a high Risk Rating), and slip in the
real attack from an unknown IP (classified now as ... not-so-high risk).
Which would you be more concerned about?

IP intelligence within the IDS console is of course of great benefit.
(we've been doing this for years. Then again, we've been using IP
reputation and blocking known evil IP's in a distributed fashion for
years as well...). Any IP intel for the analyst in the console is a good
thing. I'm just not sure that *interpreting* that IP intel on behalf of
the analyst is the right thing to do.

Thoughts?

Regards,
Frank

--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

signature.asc (195 bytes) Download Attachment

So long and thanks a bunch!

2009-08-15T14:28:18Z

Pen-Test and Focus-IDS readers,

I wanted to send a quick note to those of you on these two lists who
have been long time subscribers and supporters of them. I long ago
gave up the moderation of the lists (to far more capable hands than
mine) but I have followed them faithfully for nearly a decade. In fact
Pen-Test was the first list I created after I founded SecurityFocus
in 1999.

Of all the Secfocus lists these two always been my favorites. Frankly
I always thought Bugtraq, everyone else's favorite, was/is pure
misery. Full disclosure (the ethic not the mailing list of the same
name) is a circus and that's a pity.

I have now decided to move on from Symantec (who bought Securityfocus
in 2002) to head back to start-up land and so I will no longer have
the time to follow the many lists I've grown accustomed to reading
here. Thanks to all of you who contributed, I owe you all a small
debt.

My new contact into is:

alfred.huger at gmail com

I also use Linkedin, please feel free to connect:
http://www.linkedin.com/in/alhuger

Cheers and thanks again,
Al Huger

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Re: Content Inspection - Statistical methods

2009-08-13T11:27:19Z

Jamie Riden wrote:

> The real problem in ML seems to be finding good, accurately labelled
> training data :(

On the other hand, any system which needs clean (or accurately labeled)
training data will be of no use in the real world, as you will never
have clean training data on real world systems :-)

The problem is much more general, and related to evaluation of ANY IDS,
not just machine learning approaches.

Don't get me started on this once more... :p

Stefano

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Re: AW: IPS - Cisco vs. McAfee vs. Tippingpoint

2009-08-12T18:21:33Z

On Aug 11, 2009, at 4:43 AM, Daniel, Akos wrote:

> That makes our life hard, for one question we have got ~12 Solution
> from different Manufacturers. As I see, it is not easy to choose
> 'the best solution', there is too much good idea from different
> manufacturers on the market and the key benefits of a product differ
> at each unique Customer/User.
> Snort
> http://www.snort.org/

Since Snort's included on that list, lets go ahead and make it 13. http://www.bro-ids.org/
:)

.Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Re: IPS-Builder

2009-08-12T17:55:36Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nice tool,
and I would like to help to make a english version and work on
ubuntu/debian with/for you :-)

Best wishes,
BlueT.

Augusto Pereyra wrote:

> Hi list:
>
> I' d like to share with all, this script made by me based on root0
> script for ips instalation.
> This script was tested on fedora 9 but it should work in fedora 10 too.
> You need 3 network interfaces (One for management and two for the bridge)
> I
>
> When the script finish his execution you will have an IPS with the
> following description:
> Detection engine:
> -Snort
> -Easy Update of rules using oinkmaster.pl (just run sh /sbin/oink)
> Blocking method (interact with IPtables):
> -Quarentine
> -Reset Layer 2
> How is connected?
> -It works as an ethernet bridge using brctl in two interfaces to do it.
> -This have a management interface.
> Alert Mangement:
> -BASE (Logged in mysql)
> -Syslog (optional)
> System Management:
> -Webmin (only from localhost)
> -SSH (only in management interface)
> Extra
> -Startup scripts
> -Rule Configuration script (iptsamconf.sh) //this was downloaded from
> http://www.root0.net/
> It works greate protecting virtual machines
> When you config the vmware interfaces for example put one of the NIC
> of the bridge in VMNET7 and the other must be set as a bridged
> In the next step you must connect all the vmware machines that you
> want protect connected to VMNET7
> Thats it. All machines in vmnet7 will pass throw the bridge to reach
> the real network and the trafic will be analized by snort.
>
>
> To do
> -Daily reports by mail
> -Will detect attacks over SSL
> -Rule Configuration interface
> -Thats it.
>
> You can download it from
> http://code.google.com/p/ips-builder/downloads/list
>
> This is just the beta version.
> Please send me comments, questions or bugs to aepereyra at gmail dot com
>
> Enjoy
> Augusto Pereyra
>
> -----------------------------------------------------------------
> Securing Your Online Data Transfer with SSL.
> A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
>
>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkqDZIcACgkQfoJ/q1KWx6jhsQCfW7Fgwu3q4oe910UtvFkfCo38
xB8AoJM2k98skEmDmDjSQFBAPZ/6nbPx
=fsf7
-----END PGP SIGNATURE-----

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Re: Content Inspection - Statistical methods

2009-08-12T13:26:59Z

2009/8/11 Richard Bejtlich <taosecurity@...>:

> On Sat, Aug 8, 2009 at 1:45 PM, Glenn
> Wilkinson<glenn.wilkinson@...> wrote:
>> Hello IDS folks,
>>
>> I'm currently doing a mini-project involving applying machine learning
>> techniques to the identification of hostile network traffic. My focus
>> is on TCP traffic, and I'm looking at header and content based
>> inspection. I'm wrapping up my feature extraction code now, whereby
>> I've imported all TCP sessions from the DARPA training sets into a DB
>> and have tagged the hostile sessions.
>>
>> My question is, does anyone have any bright ideas of some useful,
>> simple content analysis attributes? As it's a statistical/ML approach
>> I'm trying to come up with as generic as possible ideas. So far I'm
>> calculating things like session data entropy, most frequent character,
>> counts of certain characters.
>>
>> I'm brand new to this field, but am really excited about this project.
>> Any feedback/advice would be greatly appreciated.
>>
>> Thanks!
>> G
>>
>
> Hi Glenn,
>
> How about NOT using the DARPA data sets? Maybe something more modern?
>
> http://taosecurity.blogspot.com/2009/08/2009-cdx-data-sets-posted.html

Agreed - I think I remember using those for some coursework in 2001.
They were a bit limited in the features extracted from the packet and
the eventual winning solution - a combination of bagged/boosted
decision trees - I don't think would work very well in the real world.
This is all going from memory, so could be absolute rubbish.

The real problem in ML seems to be finding good, accurately labelled
training data :(

cheers,
Jamie

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Re: Content Inspection - Statistical methods

2009-08-11T12:03:15Z

On Sat, Aug 8, 2009 at 1:45 PM, Glenn
Wilkinson<glenn.wilkinson@...> wrote:

> Hello IDS folks,
>
> I'm currently doing a mini-project involving applying machine learning
> techniques to the identification of hostile network traffic. My focus
> is on TCP traffic, and I'm looking at header and content based
> inspection. I'm wrapping up my feature extraction code now, whereby
> I've imported all TCP sessions from the DARPA training sets into a DB
> and have tagged the hostile sessions.
>
> My question is, does anyone have any bright ideas of some useful,
> simple content analysis attributes? As it's a statistical/ML approach
> I'm trying to come up with as generic as possible ideas. So far I'm
> calculating things like session data entropy, most frequent character,
> counts of certain characters.
>
> I'm brand new to this field, but am really excited about this project.
> Any feedback/advice would be greatly appreciated.
>
> Thanks!
> G
>

Hi Glenn,

How about NOT using the DARPA data sets? Maybe something more modern?

http://taosecurity.blogspot.com/2009/08/2009-cdx-data-sets-posted.html

Sincerely,

Richard

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Re: Content Inspection - Statistical methods

2009-08-11T10:59:16Z

On 08/ago/2009, at 19.45, Glenn Wilkinson <glenn.wilkinson@...>
wrote:

> My question is, does anyone have any bright ideas of some useful,
> simple content analysis attributes? As it's a statistical/ML approach
> I'm trying to come up with as generic as possible ideas. So far I'm
> calculating things like session data entropy, most frequent character,
> counts of certain characters.

The IDS literature is over-filled of techniques (both deterministic
and stochastic, or ML-based) of any sort to model "good" traffic that
may inspire your project.

I don't have the exact references with me but a quick Google Scholar
for terms like "tcp" "anomaly" "payload" narrowed between 2003 and
2006 (when anomaly-based NIDS were a hot topic) will spot out the main
contributions.

I feel there's even a little room for improvements to the existing
approaches.

Cheers,

-- Fede

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

IPS-Builder

2009-08-11T10:38:29Z

Hi list:

I' d like to share with all, this script made by me based on root0
script for ips instalation.
This script was tested on fedora 9 but it should work in fedora 10 too.
You need 3 network interfaces (One for management and two for the bridge)
I

When the script finish his execution you will have an IPS with the
following description:
Detection engine:
-Snort
-Easy Update of rules using oinkmaster.pl (just run sh /sbin/oink)
Blocking method (interact with IPtables):
-Quarentine
-Reset Layer 2
How is connected?
-It works as an ethernet bridge using brctl in two interfaces to do it.
-This have a management interface.
Alert Mangement:
-BASE (Logged in mysql)
-Syslog (optional)
System Management:
-Webmin (only from localhost)
-SSH (only in management interface)
Extra
-Startup scripts
-Rule Configuration script (iptsamconf.sh) //this was downloaded from
http://www.root0.net/
It works greate protecting virtual machines
When you config the vmware interfaces for example put one of the NIC
of the bridge in VMNET7 and the other must be set as a bridged
In the next step you must connect all the vmware machines that you
want protect connected to VMNET7
Thats it. All machines in vmnet7 will pass throw the bridge to reach
the real network and the trafic will be analized by snort.

To do
-Daily reports by mail
-Will detect attacks over SSL
-Rule Configuration interface
-Thats it.

You can download it from
http://code.google.com/p/ips-builder/downloads/list

This is just the beta version.
Please send me comments, questions or bugs to aepereyra at gmail dot com

Enjoy
Augusto Pereyra

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Reputation based IPS/IDS - Cisco's tested

2009-08-11T08:49:00Z

Some of you may remember our discussion back in November, 2008 about
using reputation services in IPS. (search for subject line "Email
reputation for inout to IDSs?" if you want to read it).

Anyway, I was given a chance to test Cisco's 7.0 IPS that includes the
Ironport SenderBase/SensorBase reputation service, and Network World
just published the test. Since we discussed the technology (and how no
one was actually doing it) on this list, here's a link to how Cisco is
finally doing something about it, and what they're doing:

http://www.networkworld.com/reviews/2009/081009-cisco-intrusion-prevention-system-test.html

Best regards,

jsm

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One Phone: +1 520 324 0494
jms@... http://www.opus1.com/jms

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194