OSEC

Re: OT: Various compromise web informations source for new attack in progress in a timely fashion.

From: Daniel Ouellet (danielpresscom.net)
Date: Sun Feb 01 2009 - 23:41:20 CST


Marti Martinez wrote:
> The type of profile information you're describing sounds like stuff that
> snort is pretty good at identifying. As such, I'd suggest you look into
> snort's database of "attack" signatures and see if it provides a decent
> starting point for you.

Thanks Marti, but the issue is not really in detecting the various
attacks. Snort is great.

The issue is more when, for example, a computer has been compromised by
an attack, and it's obvious that in turn it's attacking others in some
cases. It can be blocked, but then identifying what the compromise
situation really is, or how to tell customers what it might be and where
to go to maybe get it cleaned up, or providing their IT support person
more details on how to get it cleaned up, is what I am really looking
for, if that even exists.

Let's say for example you have a student that brings a compromised
laptop and connects it to your LAN. You can see the attack and even
block it if you choose to do so, but then after you beat him/her up (;>
that person may not have been aware of the situation and asks how to
clean it up other than the usual: wipe and reinstall your Windows
computer.

And this is assuming they were able to connect their laptop in the
first place, obviously, but assume they did for discussion's sake.

Look here, these 5 possibilities are what your compromise might be. And
more information is provided there as to how you might be successful in
cleaning it up.

That's really what I am after, and again assuming such things actually
exist and are not obsolete in the information they provide.

The issue is not in detecting it, but in what to do next and getting
more information on it, as well as possibly finding out how to get it
cleaned up.

You can use PF as much as possible to block attacks from outside, but
there are always, sadly, cases where it is introduced from inside and
can be detected and blocked, but the issue of the cleanup and getting
information on the case still exists.

I hope this explains it more.

Best,

Daniel