IDS: RE: RE: CyberCop Monitor not displaying logged on user?
Staggs, Michael (Michael_Staggs@nai.com)
Fri, 3 Sep 1999 10:51:22 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A cogent question. I'll try to address it...
Attacks monitored and detected by the CyberCop Monitor are classed in two forms: packet based and host based.
Host based attacks are attacks that target the upper layer of the OSI model, the OS of the host or the files that this host depends upon to live. Examples of these attacks are password grinding against accounts or SMB shares, Registry modification attempts, NetBIOS name table dumps or connections as null user. ALL of these attacks contain security account/token info within the packets of the attack. Therefore, the CyberCop can associate these attacks with a particular account.
Packet based attacks occur at a much lower level than the above. Examples of these attacks are port scans for TCP and UDP. The TCP port scan known as a "half scan" initiates a connection by sending a SYN packet to a specific port on the victim. If the victim responds with a SYN/ACK, then that port is open/listening. The scanning attacker never sends the final ACK to make the connection fully active; this means that we never get to a point in the packet exchange where security token/account info is exchanged. No account can then be associated with the attack.
The comment about event logs being easily in doubt is accurate. Intelligent hackers often intentionally fill your log with bogus info created by spoofed/forged packet floods. The really intelligent leave no traces whatsoever in the rooted boxes' logs. You gotta catch 'em afore they root ya!
Build a CD Incident Response kit, one with cmd.exe and all your needed snooping tools or DLLs on it. Use this to scope your suspected rooted box. Using the DLLs and EXEs on the rooted box can corrupt tracks/evidence. NEVER use Explorer; it changes all files it touches and ruins your forensics. Image the suspected drive before touching it at all and burn the image to a CD-R: great tamper-proof evidence. Have two witnesses to all actions you take on the box. Document the hell out of every single command line you enter in your investigation. Keep a log of the chain of custody for the machine.
Luck to you. Any ??? I'd be glad to help.
MJ
---

It depends on the signature. All of the NT EventLog based signatures include this information. For example: if an account modifies a protected file on the CyberCop Monitor protected system, NT will include the user name or SID of the offending account in the EventLog record, which CyberCop Monitor will include in the report of the event. I think the field in the CCM reports is called "Account Responsible".
-----Original Message-----
From: christopher-j.conacher@bae.co.uk [mailto:christopher-j.conacher@bae.co.uk]
Sent: Thursday, September 02, 1999 4:44 AM
To: ids@uow.edu.au
Subject: IDS: Cybercop Monitor not displaying logged on user?
Dear List
I am currently evaluating IDS.
As far as I can tell Cybercop Monitor does not detail the user logged on to a machine that is flagged as launching an attack etc.
Can someone please let me know if this is not the case.
Surely if you are using a system to alert you to misuse within a network one of the main things that you would want to know is who is doing it.
I know that you can check NT's event logs but surely it adds far more room for doubt (in court etc.) if logs from one application on one machine are being used to say that such and such was done and then logs from another source are used to show that so and so's account was used to do it.
Also if it is so easy for me to get the information from the NT logs why does not CM have this functionality?
Chris Conacher
DCE Tech Team
Computer Sciences Corporation
christopher-j.conacher@bae.co.uk
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates <http://www.nai.com>

iQA/AwUBN9AOx0P+Hq9LR4eQEQIERQCfdHrooSdoyzmR4ex8G7HtLwsLYogAoOl7
oSOciRQWlMwEf+/hJqpWAP4W
=LyVE
-----END PGP SIGNATURE-----
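As an added illustration of the "half scan" discussed in this thread (example code written for this archive page, not CyberCop Monitor's own detection logic or anything posted to the list): the script below replays a constructed set of TCP packet records, tracks the three-way handshake per flow, and flags a source that keeps receiving SYN/ACKs without ever sending the final ACK. The hosts, ports and packet records are all made up for the example; the point it demonstrates is the one made above, that such an alert can carry no account, because the exchange never gets past TCP.

```python
"""Toy half-open (SYN) scan detector over constructed TCP packet records."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP flag bits, same values as in the TCP header.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

FlowKey = Tuple[str, int, str, int]  # (client, client_port, server, server_port)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


# Constructed sample traffic (hypothetical hosts, not a real capture).
SCANNER, VICTIM, CLIENT = "10.0.0.9", "10.0.0.5", "10.0.0.7"
OPEN_PORTS = {80, 139}


def _scan_traffic() -> List[Packet]:
    """Scanner probes five ports; open ports answer SYN/ACK, closed ones RST.
    The scanner never sends the final ACK, so no flow is ever completed."""
    pkts = []
    for i, port in enumerate([21, 22, 80, 139, 445]):
        sport = 40000 + i
        pkts.append(Packet(SCANNER, sport, VICTIM, port, SYN))
        if port in OPEN_PORTS:
            pkts.append(Packet(VICTIM, port, SCANNER, sport, SYN | ACK))
        else:
            pkts.append(Packet(VICTIM, port, SCANNER, sport, RST | ACK))
    return pkts


# One legitimate full connection to the SMB port, followed by data.
LEGIT = [
    Packet(CLIENT, 51000, VICTIM, 139, SYN),
    Packet(VICTIM, 139, CLIENT, 51000, SYN | ACK),
    Packet(CLIENT, 51000, VICTIM, 139, ACK),
    Packet(CLIENT, 51000, VICTIM, 139, PSH | ACK),  # session setup would carry account info from here
]
SAMPLE = _scan_traffic() + LEGIT


def track_handshakes(packets: List[Packet]) -> Dict[FlowKey, str]:
    """Replay packets and return the final handshake state of each flow.

    States: 'syn' (client SYN seen), 'synack' (server answered SYN/ACK),
    'closed' (server answered RST), 'established' (client's final ACK seen).
    A client RST after SYN/ACK leaves the flow in 'synack': still half-open.
    """
    state: Dict[FlowKey, str] = {}
    for p in packets:
        if p.flags & SYN and not p.flags & ACK:
            state[(p.src, p.sport, p.dst, p.dport)] = "syn"
            continue
        # Server replies travel server -> client, so flip the key to look up the flow.
        reply_key = (p.dst, p.dport, p.src, p.sport)
        if reply_key in state:
            if p.flags & SYN and p.flags & ACK:
                state[reply_key] = "synack"
            elif p.flags & RST:
                state[reply_key] = "closed"
            continue
        key = (p.src, p.sport, p.dst, p.dport)
        if state.get(key) == "synack" and p.flags & ACK:
            state[key] = "established"
    return state


def half_open_probes(packets: List[Packet], threshold: int = 3) -> Dict[str, dict]:
    """Per source host, count flows that were never completed and list the
    ports that answered SYN/ACK. Sources with >= threshold probes are returned.
    'account' is always None: nothing above TCP was exchanged on these flows,
    so there is no token or logon to attribute the alert to."""
    per_src: Dict[str, dict] = defaultdict(
        lambda: {"probes": 0, "open_ports": [], "account": None})
    for (src, _sport, _dst, dport), st in track_handshakes(packets).items():
        if st == "established":
            continue
        rec = per_src[src]
        rec["probes"] += 1
        if st == "synack":
            rec["open_ports"].append(dport)
    for rec in per_src.values():
        rec["open_ports"].sort()
    return {src: rec for src, rec in per_src.items() if rec["probes"] >= threshold}


if __name__ == "__main__":
    for src, rec in half_open_probes(SAMPLE).items():
        print(f"half-open scan from {src}: {rec['probes']} probes, "
              f"open ports {rec['open_ports']}, account responsible: {rec['account']}")
```

The legitimate SMB client completes the handshake and is ignored; the scanner shows up with five probes and two discovered open ports, and the only attribution available is its source address. Contrast that with the EventLog based signatures mentioned above, where NT itself records the user name or SID in the event.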
This archive was generated by hypermail 2.0b3 on Fri Sep 03 1999 - 23:27:56 CDT