On Thu, Feb 18, 2010 at 2:59 PM, bofh <goodb...@gmail.com> wrote:

> On Thu, Feb 18, 2010 at 11:48 AM, Laurens Vets <laur...@daemon.be> wrote:
>
>> <interesting & spot on remarks>
>>
>>> Just don't get ISS crap.
>>>
>>> Also, snort is good, but you must know what you're doing.  Our snort box,
>>> running on an old throw away box, and only capturing/analyzing 10 minutes
>>> of
>>> every hour, is giving us *MORE* useful data than half a mil worth of ISS
>>> crap.
>>>
>>
>> Care to elaborate? :)
>
>

I have updated information.  Now, it's more along the lines of "we will
regroup", change focus, realign focus, etc., reinvent themselves.

Sorry, this is like the 4th time they are "re-inventing" something or
other.  GX6116 re-arranges traffic.  Bleh

Over the past week, we had a system compromised.  A vulnerability that is at
least 3 months old (PDF and others) that the ISS IPS system claimed to have
*BLOCKED*.  However, we have evidence, capture on both sides of the IPS
(GX5208) that the traffic went through.  Only 1 out of the 6 attacks was
actually blocked.

And the XForce have confirmed that our analysis is correct.  They're working
on a signature.  But it will not make March xpu.  No promises on April's
xpu.  They will provide us a "patch".  Bad bad taste in my mouth.  My guy
wrote a custom signature in snort in a couple of hours.

And let's not even talk about the damned SQL Injection signature.  Every few
months, they "tune" it.  A "+" in the URL triggers it.  *ANY* URL with a "+"
triggers the damned SQL Injection signature...  This is such a major WTF?!

I'll send a list of the tools we used later, have to ping my guy for it :)



What he did was set up a cron job.  Remember, we are doing this on an old box,
so we could only analyze a fraction of the traffic: 10 minutes of every
hour.  tcpdump dumps the traffic.  A bunch of processes are executed
against the pcap file.

tcpdstat, 3 snorts - one against VRT, one against community, and one against
custom sigs, other tcp* tools (tcpflow, etc.).

Anything interesting is extracted and archived.  Reports are generated.
Afterglow generates a nice display so that we can visualize the problems,
and executives can look at it and nod knowingly.  Alerts are sent off
whenever certain thresholds are met.  We're looking to hook it into our help
desk ticketing system so that we don't have to manually do it :)

-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."  --
Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks factory
where smoking on the job is permitted."  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4
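The hourly sampling pipeline described in the message above, written out as an added example (this is not the poster's script, which was never shared on the list). Interface name, spool directory, rule-set paths, the alert threshold, the mail recipient and the AfterGlow invocation are all assumptions; the Snort "fast" alert format the post-processing functions parse is the real one-line format `snort -A fast` writes. The capture, three-pass Snort and tcpflow steps need those tools installed; the counting, AfterGlow CSV and threshold functions are plain awk and run anywhere.

```shell
#!/bin/sh
# Added example: cron-driven "10 minutes of every hour" sampling IDS.
# Assumed crontab entry (runs at the top of every hour):
#   0 * * * * /usr/local/bin/sample_ids.sh >>/var/log/sample_ids.log 2>&1
set -eu

IFACE="${IFACE:-eth1}"                      # sniffing interface (assumption)
SPOOL="${SPOOL:-/var/spool/ids}"            # pcaps and reports land here (assumption)
CAPTURE_SECS="${CAPTURE_SECS:-600}"         # 10 minutes of every hour
RULES_VRT="${RULES_VRT:-/etc/snort/vrt/snort.conf}"              # assumed paths
RULES_COMMUNITY="${RULES_COMMUNITY:-/etc/snort/community/snort.conf}"
RULES_CUSTOM="${RULES_CUSTOM:-/etc/snort/custom/snort.conf}"     # locally written sigs
ALERT_THRESHOLD="${ALERT_THRESHOLD:-5}"     # hits per signature before paging (assumption)
ALERT_MAIL="${ALERT_MAIL:-secops@example.com}"                   # assumption

# Capture one CAPTURE_SECS window into a timestamped pcap and print its path.
# -G rotates after N seconds and -W 1 makes tcpdump exit after the first file.
capture() {
    pcap="$SPOOL/pcap/$(date +%Y%m%d-%H%M).pcap"
    mkdir -p "$SPOOL/pcap"
    tcpdump -i "$IFACE" -s 0 -n -G "$CAPTURE_SECS" -W 1 -w "$pcap"
    echo "$pcap"
}

# Run the per-pcap tool chain into a report directory and print that directory.
analyze() {
    pcap=$1
    out="$SPOOL/reports/$(basename "$pcap" .pcap)"
    mkdir -p "$out/snort-vrt" "$out/snort-community" "$out/snort-custom" "$out/flows"
    tcpdstat "$pcap" > "$out/tcpdstat.txt"
    # Three independent Snort passes over the same pcap; -A fast writes one-line
    # alerts to <logdir>/alert, so each rule set gets its own log directory.
    snort -q -c "$RULES_VRT"       -r "$pcap" -A fast -l "$out/snort-vrt"
    snort -q -c "$RULES_COMMUNITY" -r "$pcap" -A fast -l "$out/snort-community"
    snort -q -c "$RULES_CUSTOM"    -r "$pcap" -A fast -l "$out/snort-custom"
    # Reassembled TCP streams, so anything interesting can be pulled out and archived.
    tcpflow -r "$pcap" -o "$out/flows"
    echo "$out"
}

# Count hits per signature in Snort fast-alert files; prints
# "<count> <gid:sid:rev> <message>", most frequent first.
alert_counts() {
    cat "$@" | awk '
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
            sid = substr($0, RSTART + 1, RLENGTH - 2)
            msg = substr($0, RSTART + RLENGTH + 1)
            sub(/ \[\*\*\].*$/, "", msg)          # drop classification/priority tail
            n[sid]++; m[sid] = msg
        }
        END { for (s in n) printf "%d %s %s\n", n[s], s, m[s] }' | sort -rn
}

# Turn fast alerts into the three-column CSV AfterGlow reads (source,target,event):
# here source IP, destination IP and signature id.  IPv4 "addr:port" is assumed.
afterglow_csv() {
    cat "$@" | awk '
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) && $(NF-1) == "->" {
            sid = substr($0, RSTART + 1, RLENGTH - 2)
            split($(NF-2), s, ":"); split($NF, d, ":")
            printf "%s,%s,%s\n", s[1], d[1], sid
        }'
}

# Print signatures that fired more than ALERT_THRESHOLD times; exit 1 if none did.
over_threshold() {
    alert_counts "$@" | awk -v t="$ALERT_THRESHOLD" '$1 > t' | grep .
}

main() {
    pcap=$(capture)
    out=$(analyze "$pcap")
    cat "$out"/snort-*/alert > "$out/all-alerts.txt" 2>/dev/null || :
    alert_counts "$out/all-alerts.txt" > "$out/alert-summary.txt"
    afterglow_csv "$out/all-alerts.txt" > "$out/afterglow.csv"
    # AfterGlow emits DOT; neato renders it.  Colour config path is an assumption.
    afterglow.pl -c /etc/afterglow/color.properties < "$out/afterglow.csv" \
        | neato -Tpng -o "$out/graph.png"
    if over_threshold "$out/all-alerts.txt" > "$out/alert-page.txt"; then
        mail -s "IDS threshold exceeded: $(basename "$out")" "$ALERT_MAIL" < "$out/alert-page.txt"
    fi
}

# Only run the pipeline when executed under the installed name, so the
# functions can be sourced and reused (e.g. from a ticketing hook).
case "${0##*/}" in sample_ids.sh) main ;; esac
```

The three Snort passes are kept separate on purpose: an alert that only the custom rule set raises (the situation the poster describes, where the vendor signature was still weeks away) stands out in its own `snort-custom/alert` file instead of being buried among VRT and community hits. Replacing the `mail` call with a POST to the help-desk API is the hook into ticketing the message mentions.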
