On Thu, Feb 18, 2010 at 2:59 PM, bofh <goodb...@gmail.com> wrote: > On Thu, Feb 18, 2010 at 11:48 AM, Laurens Vets <laur...@daemon.be> wrote: > >> <interesting & spot on remarks> >> >>> Just don't get ISS crap. >>> >>> Also, snort is good, but you must know what you're doing. Our snort box, >>> running on an old throw away box, and only capturing/analyzing 10 minutes >>> of >>> every hour, is giving us *MORE* useful data than half a mil worth of ISS >>> crap. >>> >> >> Care to elaborate? :) > >
I have updated information. Now, it's more along the lines of "we will regroup", change focus, realign focus, etc etc, reinvent themselves. Sorry, this is like the 4th time they are "re-inventing" something or other. GX6116 re-arranges traffic. Bleh Over the past week, we had a system compromised. A vulnerability that is at least 3 months old (PDF and others) that the ISS IPS system claimed to have *BLOCKED*. However, we have evidence, capture on both sides of the IPS (GX5208) that the traffic went through. Only 1 out of the 6 attacks was actually blocked. And the XForce have confirmed that our analysis is correct. They're working on a signature. But it will not make March xpu. No promises on April's xpu. They will provide us a "patch". Bad bad taste in my mouth. My guy wrote a custom signature in snort in a couple of hours. And lets not even talk about the damned SQL Injection signature. Every few months, they "tune" it. A "+" in the URL triggers it. *ANY* URL with a "+" triggers the damned SQL Injection signature... This is such a major WTF?! I'll send a list of the tools we used later, have to ping my guy for it :) What he did is have a cron job. Remember, we are doing this on an old box, so we could only analyze a fraction of the traffic. 10 minutes of every hour. tcpdump, dumps the traffic. A bunch of processes are executed against the pcap file. tcpdstat, 3 snorts - one against VRT ,one against community, and one against custom sigs, other tcp* tools (tcpflow, etc etc). Anything interesting is extracted and archived. Reports are generated. Afterglow generates a nice display so that we can visualize the problems, and executives can look at it and nod knowingly. Alerts are sent off whenever certain thresholds are met. We're looking to hook it into our help desk ticketing system so that we don't have to manually do it :) -- http://www.glumbert.com/media/shift http://www.youtube.com/watch?v=tGvHNNOLnCk "This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation. "Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -- Gene Spafford learn french: http://www.youtube.com/watch?v=30v_g83VHK4
