
IDS: RE: How to track down a novel packet trace?




Archive: http://msgs.securepoint.com/ids
FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
-----------------------------------------------------------------------------
Basically, if no one has seen it before, then one starts classifying it as 
new.
For example, there are good Snort signature files at www.whitehats.com and 
www.snort.org.  If they don't have signatures for the traffic you observed, then 
it is not likely to be that widespread, so one needs to dig deeper into the 
traffic. Most exploits will be targeted at Intel x86/Pentium architectures 
(Linux, BSD or Windows) at some time, so finding Intel NOP instructions 
repeated in the payload is a good sign of a buffer overflow attempt. One 
then tries to find some characteristics of the packets that could be used in 
a Google search or IRC search to see if more information is around.
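The triage steps above (check a signature set first, then look for repeated x86 NOP bytes, then pull out searchable strings) as an added example; this is not code from the list or from Snort, and the signature table, the 32-byte sled threshold and the sample payloads are all constructed assumptions:

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-in for a downloaded signature set (the reply points at
# www.whitehats.com and www.snort.org); this rule content is illustrative only.
KNOWN_SIGNATURES: Dict[str, bytes] = {
    "example-web-cgi-probe": b"GET /cgi-bin/phf?",
}

X86_NOP = 0x90          # single-byte Intel x86 NOP opcode
SLED_THRESHOLD = 32     # assumed minimum run length before calling it a NOP sled


def longest_nop_run(payload: bytes) -> int:
    """Length of the longest consecutive run of 0x90 bytes in the payload."""
    best = run = 0
    for byte in payload:
        run = run + 1 if byte == X86_NOP else 0
        best = max(best, run)
    return best


def match_known(payload: bytes) -> List[str]:
    """Names of signatures whose content string occurs in the payload."""
    return [name for name, content in KNOWN_SIGNATURES.items() if content in payload]


def search_terms(payload: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs worth feeding to a web or IRC search."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, payload)]


def classify(payload: bytes) -> Tuple[str, List[str]]:
    """Triage one payload: known signature, suspected overflow, or still novel."""
    known = match_known(payload)
    if known:
        return "known", known
    if longest_nop_run(payload) >= SLED_THRESHOLD:
        return "suspected-overflow", search_terms(payload)
    return "novel-unclassified", search_terms(payload)


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    samples = [
        b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n",
        b"A" * 20 + b"\x90" * 64 + b"\xcc\xcc/bin/sh\x00",
        b"\x00\x01\x02 hello world",
    ]
    for p in samples:
        print(classify(p))
```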


-----Original Message-----
From: owner-ids@uow.edu.au [mailto:owner-ids@uow.edu.au]On Behalf Of
Kohlenberg, Toby
Sent: Tuesday, February 27, 2001 04:28
To: ids@uow.edu.au
Subject: IDS: How to track down a novel packet trace?

How do those of you who are long time intrusion analysts
go about finding the source of a novel set of packets?
Novel in the sense that you haven't seen them before. When
you look at the analyses that are available on various
websites (the SANS GCIA practicals are great, as is the rest
of their library), the analysis reads "found a novel trace
that looks like XYZ. Tracked the trace back to this specific
piece of software (new portscanner, or a new version of 
_something_)." That is where my question comes up: do you
just spend large amounts of time wandering from hacker site
to hax0r site? I am plenty familiar with technotronic,
rootshell, packetstorm and those sorts of sites, but while 
they have lots of tools, they don't generally seem to have
the most underground stuff that is generating the newest
traces.
I expect to get different responses from different people,
and will send out the sum of responses if there is an interest.
So how do you do it?

Thanks,
Toby

Toby Kohlenberg, CISSP
Intel Corporate Information Security
STAT Team
Information Security Specialist 
503-264-9783  Office & Voicemail
877-497-1696  Pager
"Just because you're paranoid, doesn't mean they're not after you."

PGP Fingerprint:
92E2 E2FC BB8B 98CD 88FA  01A1 6E09 B5BA 9E84 9E70