From: mht (mht@clark.net)
Date: Tue Feb 27 2001 - 18:43:57 CST


    Archive: http://msgs.securepoint.com/ids
    FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
    FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
    IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
    HELP: Having problems... email questions to ids-owner@uow.edu.au
    NOTE: Remove this section from reply msgs otherwise the msg will bounce.
    SPAM: DO NOT send unsolicited mail to this list.
    UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
    -----------------------------------------------------------------------------
    Find a tool that is capable of recording (capturing) packets (e.g. Network
    Sniffer, Microsoft Network Monitoring Tool, Ethereal, etc.) or purchase a
    packet-capture / packet-generator tool like HailStorm (www.clicktosecure.com).

    /m

    At 06:41 PM 2/27/01 -0500, Bill Royds wrote:
    >Basically, if no one has seen it before, then one starts classifying it as
    >new.
    >For example, there are good Snort signature files at www.whitehats.com and
    >www.snort.org. If they don't have signatures for the traffic you observed,
    >then it is not likely that widespread, so one needs to dig deeper into the
    >traffic. Most exploits will be targeted at Intel x86/Pentium architectures
    >(Linux, BSD or Windows) at some time, so finding Intel NOP instructions
    >repeated in the payload is a good sign of a buffer overflow attempt. One
    >then tries to find some characteristics of the packets that could be used
    >in a Google search or IRC search to see if more information is around.
    >
    >
    >-----Original Message-----
    >From: owner-ids@uow.edu.au [mailto:owner-ids@uow.edu.au] On Behalf Of
    >Kohlenberg, Toby
    >Sent: Tuesday, February 27, 2001 04:28
    >To: ids@uow.edu.au
    >Subject: IDS: How to track down a novel packet trace?
    >
    >How do those of you who are long-time intrusion analysts
    >go about finding the source of a novel set of packets?
    >Novel in the sense that you haven't seen them before. When
    >you look at the analyses that are available on various
    >websites (the SANS GCIA practicals are great, as is the rest
    >of their library), the analysis reads "found a novel trace
    >that looks like XYZ. Tracked the trace back to this specific
    >piece of software (new portscanner, or a new version of
    >_something_)." That is where my question comes up: do you
    >just spend large amounts of time wandering from hacker site
    >to hax0r site? I am plenty familiar with technotronic,
    >rootshell, packetstorm and those sorts of sites, but while
    >they have lots of tools, they don't generally seem to have
    >the most underground stuff that is generating the newest
    >traces.
    >I expect to get different responses from different people,
    >and will send out the sum of responses if there is an interest.
    >So how do you do it?
    >
    >Thanks,
    >Toby
    >
    >Toby Kohlenberg, CISSP
    >Intel Corporate Information Security
    >STAT Team
    >Information Security Specialist
    >503-264-9783 Office & Voicemail
    >877-497-1696 Pager
    >"Just because you're paranoid, doesn't mean they're not after you."
    >
    >PGP Fingerprint:
    >92E2 E2FC BB8B 98CD 88FA 01A1 6E09 B5BA 9E84 9E70
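Bill Royds' quoted advice above (look for repeated Intel NOP instructions in the payload, then check whether Snort already has a signature) can be turned into a small scanner. The block below is an added example written for this archive page; it is not code posted by anyone in the thread. The run-length thresholds, the table of single-byte NOP-equivalent opcodes, the sample payloads and the Snort rule text (local `sid` in the 1000000 range) are all this example's own assumptions. It goes one step beyond the quoted text by also catching sleds built from NOP substitutes rather than plain `0x90`, and it tags runs that are entirely printable text, because `AAAA...` (0x41 = `inc ecx`) is both classic overflow filler and something a text protocol might carry legitimately.

```python
"""Heuristic NOP-sled scanner for captured packet payloads.

Added example for this thread (editor's code, not posted by anyone on the
list). It implements the tip in Bill Royds' reply: a run of repeated Intel
NOP instructions in a payload is a good sign of a buffer-overflow attempt.
The run thresholds, the NOP-equivalent opcode table, the sample payloads
and the Snort rule text are all this example's own assumptions.
"""
import random

NOP = 0x90  # x86 'nop'; the classic sled is a long run of these

# Single-byte x86 instructions used as NOP substitutes in "polymorphic"
# sleds: each leaves the stack and instruction flow intact, so execution
# can land anywhere in the run and still reach the real payload.
# ASSUMED subset for illustration; production detectors use longer tables.
NOP_EQUIVALENTS = frozenset(
    [NOP]
    + list(range(0x41, 0x50))          # inc eax..edi, dec eax..edi
    + list(range(0x91, 0x98))          # xchg eax, reg
    + [0x98, 0x99,                     # cwde, cdq
       0x27, 0x2F, 0x37, 0x3F,         # daa, das, aaa, aas
       0xF8, 0xF9, 0xFC, 0xFD]         # clc, stc, cld, std
)


def find_runs(payload, members, min_run):
    """Return a list of (offset, length) for every maximal run of bytes
    from `members` that is at least `min_run` bytes long."""
    runs = []
    start = None
    for i, b in enumerate(payload):
        if b in members:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                runs.append((start, i - start))
            start = None
    if start is not None and len(payload) - start >= min_run:
        runs.append((start, len(payload) - start))
    return runs


def classify_payload(payload, min_nop_run=14, min_equiv_run=32):
    """Describe sled-like runs in `payload`.

    plain_sleds : runs of 0x90, the signature-friendly case
    equiv_sleds : runs of NOP-equivalent opcodes; each is tagged `ascii`
                  when it is entirely printable text, so an analyst can
                  separate 'AAAA...' filler from binary polymorphic sleds.
    """
    plain = find_runs(payload, {NOP}, min_nop_run)
    equiv = []
    for off, ln in find_runs(payload, NOP_EQUIVALENTS, min_equiv_run):
        chunk = payload[off:off + ln]
        equiv.append({"offset": off, "length": ln,
                      "ascii": all(0x20 <= b < 0x7F for b in chunk)})
    if plain:
        verdict = "x86 NOP sled"
    elif equiv:
        verdict = "possible NOP-equivalent sled"
    else:
        verdict = "no sled"
    return {"verdict": verdict, "plain_sleds": plain, "equiv_sleds": equiv}


def snort_nop_rule(run=14, sid=1000001):
    """Snort rule matching a plain 0x90 sled near the start of a packet.
    `sid` is a local-range number chosen for this example."""
    content = " ".join(["90"] * run)
    return ('alert ip $EXTERNAL_NET any -> $HOME_NET any '
            '(msg:"SHELLCODE x86 NOOP"; content:"|%s|"; depth:128; '
            'classtype:shellcode-detect; sid:%d; rev:1;)' % (content, sid))


# ---- constructed sample payloads (not real captures) ---------------------
STAND_IN = b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
BENIGN = (b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n"
          b"User-Agent: Mozilla/4.0\r\n\r\n")
CLASSIC = b"\x90" * 200 + STAND_IN                 # textbook sled
_rng = random.Random(7)                            # fixed seed: reproducible
_pool = sorted(NOP_EQUIVALENTS - {NOP})
POLYMORPHIC = bytes(_rng.choice(_pool) for _ in range(200)) + STAND_IN
ASCII_FILLER = b"A" * 300 + STAND_IN               # 0x41 = inc ecx

if __name__ == "__main__":
    for name, p in [("benign", BENIGN), ("classic", CLASSIC),
                    ("polymorphic", POLYMORPHIC), ("ascii", ASCII_FILLER)]:
        r = classify_payload(p)
        print("%-12s %-28s plain=%s equiv=%s"
              % (name, r["verdict"], r["plain_sleds"], r["equiv_sleds"]))
    print(snort_nop_rule())
```

Run it over the payload bytes pulled out of a sniffer capture (the tools mht lists above will all export raw packet data). The plain-sled verdict is what the Snort `content:"|90 90 ...|"` rule catches; the NOP-equivalent verdict is the case a signature-only approach misses, and the `ascii` tag is there precisely because a 300-byte run of `A` in a text protocol needs a human look, not an automatic alert.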