Subject: Re: IDS: Good source of intrusion detection and response steps?
From: Matt Baney (baneyshai-seattle.com)
Date: Fri Mar 24 2000 - 14:24:23 CST


Robert Graham wrote:

> --- Matt Baney <baneyshai-seattle.com> wrote:
> > What are the best sources for detailed (ie. step by step ) information for
> > detecting and responding to intrusions? I'm looking for something that is
> > more detailed than the CERT advisories, and that may also contain response
> > and forensic details. Something that might includes the necessary steps to
> > detect an intrusion and also provide the necessary response steps to stop
> > or negate the intrusion while preserving forensic information that would be
> > necessary for legal action or be useful in identifying the perpetrator or
> > source of the attack.
> > Does this kind of information exist anywhere?
>
> The best source of this information is the bugtraq vulnerabilities database:
> http://www.securityfocus.com/vdb/
>
> ..< vulnerability databases, and web links snipped>..
>
> Robert Graham
> CTO/Network ICE
>

Thanks for the pointers to the vulnerability databases, and the web links. I've
seen all those sites previously, and that's not what I'm looking for. Like I said,
I'm looking for some specific details or instructions on how to use a tool to find
an intrusion, detect the intruder, preserve evidence of the intrusion, preserve
evidence about the identity of the intruder or source of the intrusion, and stop
the intrusion.

I'm not interested in things like:
  "If you have version 123.4 or earlier of BlahBlahBlahFirewall, then download and
install Patch765.4 from the vendor to close the BlobbityBlob vulnerability".

I'd like something like:
  - SuperDuperIDSTool detects a BlobbityBlob intrusion, and
    displays a warning message in the log window
  - Click the warning message to view the intrusion details
  - Open a command window
  - cd to the parent directory specified in the intrusion details
  - do a detailed listing of the intruded directory and place the results in
    evidence.dat
  - save the directory history file into evidence.dat
  - verify the existence of the files specified in the intrusion details
  - delete the files specified in the intrusion details
  - if the specified files are not found, verify the status of the directoryListing
    tool.

Maybe something more like a checklist for an intrusion? It seems like this might
be pretty tool specific so maybe nothing like this exists anywhere? I'm not very
familiar with using IDS tools, maybe they don't have this functionality or work
this way? Or maybe the vendors already provide this kind of instruction?

--
Matt Baney                               (206)-545-2941
SHAI  Seattle, Washington        baneyshai-seattle.com
-------------------------------------------------------
It's hard to predict the unpredictable.
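The checklist Matt sketches above, turned into a runnable shell script as an added example (this is not code from the original post or from any IDS vendor). It assumes the "intrusion details" arrive as a directory path plus a file listing the suspect filenames, and it stops short of the deletion step so that the listing, per-file hashes and a sealed evidence file exist before anything is removed.

```shell
#!/bin/sh
# Added example (not from the original post): the evidence-capture steps it
# sketches, made concrete. Assumed inputs: DIR is the directory named in the
# "intrusion details", LIST a file with one suspect filename per line.
# Nothing is deleted; the post's deletion step belongs after the evidence is saved.

# sha256 of one file as a bare hex digest (sha256sum, or shasum on BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# "Do a detailed listing of the intruded directory and place the results in evidence.dat".
record_listing() {
    dir="$1"; evidence="$2"
    {
        printf '== listing of %s at %s ==\n' "$dir" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        ls -la "$dir"
    } >> "$evidence"
}

# "Verify the existence of the files specified in the intrusion details".
# Appends "present <sha256> <name>" or "missing <name>" per file; returns 1 if any
# file is missing, so the caller can go check the listing tool as the post suggests.
verify_files() {
    dir="$1"; list="$2"; evidence="$3"
    out=$(while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ -f "$dir/$name" ]; then printf 'present %s %s\n' "$(hash_file "$dir/$name")" "$name"
        else printf 'missing %s\n' "$name"; fi
    done < "$list")
    printf '%s\n' "$out" >> "$evidence"
    ! printf '%s\n' "$out" | grep -q '^missing '
}

# Seal evidence.dat: its digest goes in a sidecar so later alteration is detectable.
seal_evidence() {
    hash_file "$1" | tee "$1.sha256"
}

# Constructed demo: a scratch directory stands in for the intruded one.
demo() {
    tmp=$(mktemp -d); mkdir "$tmp/intruded"; printf 'planted\n' > "$tmp/intruded/rootkit.txt"
    printf 'rootkit.txt\nnot-there.bin\n' > "$tmp/details.lst"
    record_listing "$tmp/intruded" "$tmp/evidence.dat"
    if verify_files "$tmp/intruded" "$tmp/details.lst" "$tmp/evidence.dat"; then echo "all present"
    else echo "some suspect files missing: check the listing tool before going further"; fi
    seal_evidence "$tmp/evidence.dat"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo` to see the constructed walk-through; for a real case, point `record_listing` and `verify_files` at the directory and file list from the alert.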