On Mon, Feb 2, 2009 at 12:41 AM, Daniel Ouellet <dan...@presscom.net> wrote:

> The issue is more when, for example, a computer has been compromised by an
> attack, and it's obvious that in turn it's attacking others in some cases.
> It can be blocked, but then identifying what the compromise situation really
> is, or how to tell customers what it might be and where to go to maybe get
> it cleaned up, or provide their IT support person more details as to get this
> cleaned up, is what I am really looking for, if that even exists.
Typically your IDS/IPS, if triggered, should have notes with the signature on fixing the problem. I have not found a one-stop (or 5-stop) shop for these kinds of things, but definitely something like the SANS diary helps for the new big things. CERT used to be good, but unfortunately they're too slow nowadays for a lot of the stuff. For things that are based on previously released patches, welp, obviously you need to go there.

In the past, I've found AVIEN to be of use, but it requires a paid membership. AVIEN had been very good to me though - I knew of things so far in advance that some members of my team thought that I had an "in" with the "evil hackers".

-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk

"This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation.

"Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -- Gene Spafford

learn french: http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related