ahmad mubarak | 1 May 13:22 2006

detecting SMTP engine behaviour

hi all

as you know, new viruses use SMTP engine techniques to distribute themselves
to other machines and to the email addresses they find when scanning the
hard drives and mapped drives.

is there any way to detect the malformed SMTP traffic and the source
address of the machine hosting the worm or the SMTP engine, since the worms
use different sender accounts not related to the accounts on the source
machine?

-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected. 
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no 
obligation. See why so many companies trust Spy Sweeper Enterprise to 
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------

rsingh36 | 1 May 15:32 2006

Re: RE: What firewall for small medical research lab

I'd suggest Checkpoint CI (Content Inspection) 25 user Lic clubbed with a proxy server on a SPLAT. I have
used Checkpoint for more than 5 years and believe me, the IDS/IPS in Checkpoint is far more evolved than any firewall.

Also Checkpoint has small hardware for SOHO env with CI which filters the virus at the GW level, removing 70%
of the threat coming from the internet.

Don't just look for a firewall, because there are many and all will give you the same features; see what
additional benefit you can extract to make your env secure.


Saqib Ali | 1 May 16:16 2006

Re: OT: Putting Encryption Functions in the HDDs

On 28 Apr 2006 18:23:22 -0000, securityfocus@...
<securityfocus@...> wrote:
> I have used similar type drives.  Mainly those equipped with an e-nova encryption chip. These drives run
> flawlessly for me.  They encrypt all incoming data and decrypt outgoing data on the fly.  Unlike the drive
> mentioned here, e-nova equipped drives only use a token key

One of the problems with the e-Nova solutions is that the e-Nova
controller MUST be present on each computer from which the hard drive
needs to be accessed. Plus if you lose the key you lose the data.
There is no concept of key escrow or master keys.

Full Disk Encryption drives by Seagate, on the other hand, have the
TPM (Trusted Platform Module) built into the drive, which is used for
storing the keys. Software like Wave System's Embassy Trust Suite can
be used to manage the TPM, password, 2-factor authentication, master
key, key escrow etc.

--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------

ahmad mubarak | 1 May 12:53 2006

which process performing ICMP echo request

hi all

our IDS detects a huge number of echo requests from one source address
to different unknown addresses.

is there any way to identify the process on the machine performing
such activity?

i tried using  NETSTAT -a -o -n  but nothing is shown regarding these IP addresses

thanx


Al Lilianstrom | 1 May 16:03 2006

Re: Secure installation of Windows XP?

Thomas Jespersen wrote:
> Hi,
> 
> I hear stories of how a new Windows XP system is infected within 
> minutes. So I wonder, what is the procedure to install Windows XP in a 
> safe way?

Do your install off the network. Use a CD that has SP2 and patches 
slipstreamed, or after the install, install SP2 and patches off a 
CD/thumbdrive. Enable the firewall (or install a third party product), 
install your AV client and you're in decent shape.

Some might say that you're ok to connect to the net after the install if 
you turn on the sp2 firewall and then hit windows update. Me - I'm too 
paranoid for that.

	al

> PS : In case there are any other Danes on the list, I posted a similar 
> question on a Danish security newsgroup, but I got very conflicting 
> responses, so I just want to know the opinion of this list.

-- 

Al Lilianstrom
CD/CSS/CSI
Al.Lilianstrom <at> fnal.gov


Jeff Davis | 1 May 16:23 2006

Re: What firewall for small medical research lab

I'd recommend either Smoothwall (as stated below)
or m0n0wall  http://www.m0n0.ch/wall/
It's similarly easy to set up in about a half hour.

-Jeff

Beauford, Jason wrote:
> I second Smoothwall.  
> 
> Easy interface, good feature set, current updates, and basic support via
> manufacturers forum.  
> 
> Paid support available.
> 
> Does not require any extensive linux knowledge, just burn the Iso and
> boot.  Follow the prompts.
> 
> Fair reporting.
> 
> Minimal system req's.
> 
> www.smoothwall.org
> 
> JMB 
> 
> 	|  -----Original Message-----
> 	|  From: Chris Moody [mailto:cmoody <at> qualcomm.com] 
> 	|  Sent: Thursday, April 27, 2006 11:08 PM
> 	|  To: rmillisl <at> millis-it.com
> 	|  Cc: firewalls <at> securityfocus.com; 

Michael Shum | 1 May 16:27 2006

Re: Secure installation of Windows XP?

This used to be the case when you installed WINXP while connected to the
network, provided the NIC drivers were installed after installation.

This isn't so much the case anymore if you install WINXP with SP2, as SP2
contains many virus and software patches.

Installing WINXP with SP2, making sure the firewall is turned on and installing an
anti-virus application should be safe enough before connecting to the
network.

Michael

On 4/29/06, Thomas Jespersen <front243 <at> stofanet.dk> wrote:
> Hi,
>
> I hear stories of how a new Windows XP system is infected within
> minutes. So I wonder, what is the procedure to install Windows XP in a
> safe way?
>
> PS : In case there are any other Danes on the list, I posted a similar
> question on a Danish security newsgroup, but I got very conflicting
> responses, so I just want to know the opinion of this list.
>

Greg owens | 1 May 16:25 2006

RE: detecting SMTP engine behaviour

I created a custom signature to detect all unauthorized SMTP.

Greg Owens, CCNP CCSP CISSP
Telephone: 202-489-5252
Email: gowens <at> covad.net
--------------------------
Sent from my Samsung I730 Wireless Handheld

-----Original Message-----
> From: "ahmad mubarak"<gosi.infosec <at> gmail.com>
> Sent: 5/1/06 7:22:28 AM
> To: "security-basics <at> securityfocus.com"<security-basics <at> securityfocus.com>
> Subject: detecting SMTP engine behaviour
> hi all
>
> as you know, new viruses use SMTP engine techniques to distribute themselves
> to other machines and to the email addresses they find when scanning the
> hard drives and mapped drives.
>
> is there any way to detect the malformed SMTP traffic and the source
> address of the machine hosting the worm or the SMTP engine, since the worms
> use different sender accounts not related to the accounts on the source
> machine?

dgiesema | 1 May 15:54 2006

Re: which process performing ICMP echo request

Try using TCPVIEW from SysInternals (if the box is a Windows host).  There should be similar tools for *nix as well.

Dan

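Both of the detection questions in this digest (a workstation running its own SMTP engine, and a host sending echo requests to many unknown addresses) come down to the same network-side check: which internal sources talk to which destinations, on which protocol. The script below is an added example written for this page; it is not code from the list, from Gmane or from any vendor. The flow-log format, the 10.0.0.0/8 internal range, the approved relay 10.0.0.25 and every address in the sample (RFC 5737 documentation ranges for outside hosts) are constructed assumptions. It flags internal hosts opening TCP/25 to anything other than the site's mail relay, which is what a "detect all unauthorized SMTP" signature expresses and which holds no matter what envelope sender the worm forges, and it separately reports sources whose ICMP echo requests fan out to many distinct targets.

```python
"""Egress triage over firewall flow records (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed flow log (assumption): "timestamp src dst proto port_or_icmp_type".
# 10.0.0.25 plays the site's approved mail relay; outside hosts use RFC 5737
# documentation ranges. Lines starting with '#' are comments.
SAMPLE_FLOWS = """
# normal mail: clients talk only to the approved relay
2006-05-01T07:10:01 10.0.0.5  10.0.0.25      tcp  25
2006-05-01T07:10:02 10.0.0.5  10.0.0.25      tcp  25
# worm-style behaviour: one workstation delivering straight to outside MX hosts
2006-05-01T07:10:03 10.0.0.9  192.0.2.10     tcp  25
2006-05-01T07:10:03 10.0.0.9  198.51.100.20  tcp  25
2006-05-01T07:10:04 10.0.0.9  203.0.113.30   tcp  25
2006-05-01T07:10:04 10.0.0.9  10.0.0.25      tcp  25
# unrelated web traffic
2006-05-01T07:10:05 10.0.0.7  203.0.113.80   tcp  80
# one ping to the gateway is normal
2006-05-01T07:11:00 10.0.0.5  10.0.0.1       icmp 8
# echo requests fanning out to many unknown hosts
2006-05-01T07:11:01 10.0.0.12 192.0.2.1      icmp 8
2006-05-01T07:11:01 10.0.0.12 192.0.2.2      icmp 8
2006-05-01T07:11:02 10.0.0.12 192.0.2.3      icmp 8
2006-05-01T07:11:02 10.0.0.12 192.0.2.4      icmp 8
2006-05-01T07:11:03 10.0.0.12 192.0.2.5      icmp 8
2006-05-01T07:11:03 10.0.0.12 192.0.2.6      icmp 8
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    port_or_type: int   # TCP/UDP destination port, or ICMP type


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format into Flow records."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, last = line.split()
        flows.append(Flow(ts, src, dst, proto.lower(), int(last)))
    return flows


def direct_smtp_senders(flows, approved_relays):
    """Internal hosts opening TCP/25 to anything other than the approved relays.

    Legitimate clients only ever talk to the site relay, so any other port-25
    destination from a workstation is a host-local SMTP engine, whatever
    sender address it puts on the envelope. Returns {src: sorted destinations}.
    """
    hits = defaultdict(set)
    for f in flows:
        if (f.proto == "tcp" and f.port_or_type == 25
                and ipaddress.ip_address(f.src) in INTERNAL_NET
                and f.dst not in approved_relays):
            hits[f.src].add(f.dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


def icmp_echo_fanout(flows, min_targets=5):
    """Sources sending ICMP echo requests (type 8) to at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "icmp" and f.port_or_type == 8:
            targets[f.src].add(f.dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dsts in direct_smtp_senders(flows, {"10.0.0.25"}).items():
        print(f"direct SMTP from {src} to {len(dsts)} non-relay hosts: {', '.join(dsts)}")
    for src, n in icmp_echo_fanout(flows).items():
        print(f"echo-request fan-out from {src}: {n} distinct targets")
```

On the sample this reports 10.0.0.9 delivering to three outside hosts on port 25 and 10.0.0.12 pinging six distinct targets, while the normal relay traffic and the single gateway ping stay quiet. The network view is the dependable one for the ICMP case: netstat lists TCP and UDP endpoints, and a process sending echo requests through a raw socket leaves no entry there, so once the flow data names the host, a host-side tool that attributes traffic to processes is the next step.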

Arturas Zalenekas | 1 May 16:58 2006

RE: What firewall for small medical research lab

Actually, I don't agree with you guys.
What do you think, how will he update his PIX!? He will need to spend a
lot of money on updates. The FW should just work for a "small medical research
lab". I would suggest IPCOP or even better ASTARO.
A lot of people were talking about IPCOP (very nice fw), so I don't need
to mention anything else about it. But ASTARO is an appliance. There is a
free HOME edition license with max. 10 internal IPs. Features ... VPN
gateway (PSK, CERT) with detection of dead tunnels, IPS (snort engine), 2
different AV engines (approx. 50 Euro a year and sig. updates every hour)
for HTTP and MAIL traffic, and much much more. I'm not a reseller and this
appliance has so many features, so take a look for yourself on
www.astaro.com . Everything is configurable through WEB (like IPCOP). Give
it a shot and you will see how good or bad this appliance is. It's Linux
and all features can be built by yourself too, if you're good :) But you
still have to buy these AV licenses then :)
If you have more than 10 internal IPs and you would still like to use the
free license and you know something about networking, it will not be a
problem for you :) Have fun.

--
Kind regards,
Arturas Zalenekas
Network Security Engineer and Analyst

On Sun, April 30, 2006 10:52, adnan <at> techiesonly.com wrote:
> I agree with
> Damien Dinh, as he said about PIX-501, even I had used this firewall long
> time back and it worked fine. Moreover you can hookup a PC as a Syslog
> server so this PIX firewall will fwd all the packets to that PC if you