From: Hisham Kotry (etsh_cucu@yahoo.com)
Date: Thu Dec 27 2001 - 07:39:19 CST


    Yea, installing ACID may be such a pain; there is great
    documentation on creating an ACID/SNORT console under
    RedHat Linux on the SFHN site (document available at
    http://www.sfhn.net/whites/snortacid.html). Also keep
    in mind that identifying the attack is only half the
    battle; maybe you could get rid of ALL those scans by
    using hogwash (http://hogwash.sourceforge.net) or,
    in case you're using CPFW-1 or NG, a simple INSPECT
    script that looks at the payload and drops it if it
    suspects a NIMDA scan should do the trick (this should
    be similar to the idea at
    http://support.checkpoint.com/public/publisher.asp?hotid=a0ff902e-7d65-11d5-97ed-080020a7af00).

    Thanks,
    etsh911

    --- David Correa <tech@linux-tech.com> wrote:
    > On Wed, 26 Dec 2001, Lance Spitzner wrote:
    > > Curious as to exactly what activity or attacks this may be,
    > > I decided to add http functionality, so I installed Apache.
    > >
    > > I didn't realize it, but this turns out to be a handy 'worm
    > > sucker'. Ends up most of the http attacks are Windows based.
    > > Apache happily detected and logged all of the attacks, however
    > > it was impervious to the Windows based ones, as it is NOT IIS
    > > and it is NOT running on Windows. Works similar to the concept
    > > we were chatting about earlier, using non-common platforms for
    > > platform specific attacks.
    >
    > Hi,
    >
    > Implementing ACID is a bit more complicated than just installing
    > Apache, but if you have what it takes it is worth the time invested.
    >
    > http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html
    >
    > A good alternative is SnortSnarf
    >
    > http://www.silicondefense.com/software/snortsnarf/index.htm
    >
    > ::dc::
    >
    > David Correa RHCE CCNA
    > http://www.linux-tech.com
    >


    ---------------------------------------------------------------------
    To unsubscribe, e-mail: honeypots-unsubscribe@securityfocus.com
    For additional commands, e-mail: honeypots-help@securityfocus.com
    ---------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert
    (SIA) Service. For more information on SecurityFocus' SIA service
    which automatically alerts you to the latest security vulnerabilities.
    Please, see: https://alerts.securityfocus.com/
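A log-side version of what this thread describes (Apache acting as a "worm sucker" whose access log records the IIS worm probes, and the payload check etsh911 suggests doing in a firewall script), written as an added example that is not code from any of the list posts: it parses Apache common-log-format lines and tags requests matching the probe shapes documented in the public CERT advisories for Nimda and Code Red. The sample log lines are constructed, and the signature names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access_log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Dec/2001:07:39:19 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 209
192.0.2.10 - - [27/Dec/2001:07:39:20 -0600] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 275
192.0.2.11 - - [27/Dec/2001:07:40:01 -0600] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 250
198.51.100.5 - - [27/Dec/2001:07:41:12 -0600] "GET /index.html HTTP/1.1" 200 1043
192.0.2.10 - - [27/Dec/2001:07:41:30 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 275
"""

# Common Log Format: host ident user [time] "method path proto" status bytes
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) ')

# Probe shapes from the public CERT advisories on Nimda (CA-2001-26) and Code Red
# (CA-2001-19): cmd.exe/root.exe via traversal (plain, %5c, overlong UTF-8) and default.ida.
SIGNATURES = {
    "nimda-cmd-exe": re.compile(r"/system32/cmd\.exe", re.I),
    "nimda-root-exe": re.compile(r"/root\.exe", re.I),
    "nimda-traversal": re.compile(r"\.\.(%5c|%c0%af|%c0%2f|%c1%1c|%c1%9c|\\|/)", re.I),
    "codered-ida": re.compile(r"/default\.ida\?", re.I),
}

def classify(path):
    """Signature names matching one request path; the raw and the
    percent-decoded forms are both checked so %-encoding does not hide cmd.exe."""
    decoded = unquote(path)
    return [n for n, rx in SIGNATURES.items() if rx.search(path) or rx.search(decoded)]

def scan_log(text):
    """One record per CLF line that matches at least one signature."""
    hits = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not CLF: skip rather than guess at the fields
        labels = classify(m["path"])
        if labels:
            hits.append({"ip": m["ip"], "path": m["path"],
                         "status": int(m["status"]), "labels": labels})
    return hits

def sources(hits):
    """Matching requests per source address: the list a drop rule would consume."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts
```

Because Apache is not IIS, every one of these probes lands as a 404 in the log, which is exactly why the non-Windows host can be used to watch them safely.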