Ryan Barnett | 2 Apr 06:10 2004

Honeynet Project Scan of the Month Challenge for April - Open Proxy Honeypot


Greetings all,
This month's challenge is to analyze web server log files looking for signs of abuse. The Honeypots:
Monitoring and Forensics Project (http://honeypots.sourceforge.net) deployed an Apache web server
that was configured as an Open Proxy. Your job is to analyze the log files and identify/classify the
different attacks (trust me, there are a surprising number of them :). All entries are due Friday, 30
April. Results will be released Friday, 7 May.

Before analyzing the web logs, please review the honeypot whitepaper entitled Open Proxy Honeypot
(http://honeypots.sourceforge.net/open_proxy_honeypots.pdf) for in-depth details of the
configurations. This paper will provide important background information to aid in your analysis of the
SoTM data.

Good Luck!
Ryan C. Barnett
SANS Instructor: Securing Apache
GCFA, GCIH, GCUX, GSEC
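As a starting point for the kind of analysis the challenge asks for, here is an added example (not part of the challenge post or the Honeynet Project's tooling) that parses Apache combined-format access log lines from an open proxy and labels each request by how the proxy was used: a plain request for the server itself, a proxied GET/POST to an outside site, a CONNECT tunnel (with the destination port distinguishing HTTPS from a tunnel to a mail server or some other service), and a proxied request aimed at another proxy port. The sample log lines, the regex, and the PROXY_PORTS set are constructed for this example; the real SoTM data will need the port list and labels tuned.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Regex for Apache "combined" log lines. The request line of a proxied request
# carries an absolute URL (GET http://host/...) or a CONNECT host:port target.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# Ports commonly used by other HTTP proxies; a proxied request to one of them
# suggests proxy chaining (assumption for this example, tune for your site).
PROXY_PORTS = {3128, 8000, 8080, 8888}

# Constructed sample lines (documentation addresses), not the SoTM data set.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Apr/2004:06:10:01 -0500] "GET / HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
192.0.2.11 - - [02/Apr/2004:06:10:05 -0500] "GET http://www.example.com/index.html HTTP/1.0" 200 2212 "-" "Mozilla/4.0"
192.0.2.12 - - [02/Apr/2004:06:10:09 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 200 - "-" "-"
192.0.2.13 - - [02/Apr/2004:06:10:12 -0500] "GET http://proxy.example.org:8080/ HTTP/1.0" 403 292 "-" "ProxyHunter"
192.0.2.14 - - [02/Apr/2004:06:10:15 -0500] "POST http://www.example.com/cgi-bin/guestbook.cgi HTTP/1.1" 200 77 "-" "-"
this line is not a log entry
"""


def classify(entry):
    """Label one parsed entry by how the proxy was being used."""
    method, target = entry["method"], entry["target"]
    if method == "CONNECT":
        # CONNECT opens a raw TCP tunnel; the destination port tells the story.
        _host, _, port = target.rpartition(":")
        port = int(port) if port.isdigit() else 443
        if port == 25:
            return "connect-smtp"     # tunnel to a mail server: relay/spam use
        if port == 443:
            return "connect-https"    # the normal, legitimate use of CONNECT
        return "connect-other"        # tunnel to an arbitrary service
    if target.startswith(("http://", "https://")):
        u = urlsplit(target)
        port = u.port or (443 if u.scheme == "https" else 80)
        if port in PROXY_PORTS:
            return "proxy-chain"      # bouncing through yet another proxy
        return "proxied-" + method.lower()
    return "local"                    # ordinary request for the server itself


def analyze(log_text):
    """Parse a log and return per-class counts, per-client labels, and parse failures."""
    summary = Counter()
    per_client = {}
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            unparsed += 1        # keep counting: malformed lines are themselves a signal
            continue
        entry = m.groupdict()
        label = classify(entry)
        summary[label] += 1
        per_client.setdefault(entry["client"], []).append(label)
    return {"summary": dict(summary), "per_client": per_client, "unparsed": unparsed}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for label, n in sorted(result["summary"].items()):
        print(f"{label:15s} {n}")
    print("unparsed lines:", result["unparsed"])
```

Feeding the real access_log into analyze() gives a first cut at the "surprising number" of attack classes; the per_client map is then the natural pivot for grouping one source's activity over time, and the unparsed count flags request lines that did not even look like HTTP.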

---------------------------------------------------------------------------

---------------------------------------------------------------------------

Strand, John | 2 Apr 15:35 2004

CISCO IDS Packet capture


Hello All,

Does anyone know how to enable some level of packet capture and logging on
the CISCO IDS system (the newer version which interfaces with CiscoWorks and
can run on Win2K)? I have hunted through the CISCO-provided PDFs and they're
a little on the light side. I also have hit the usual suspects, google,
CISCO groups, etc.

Thanks in advance for any help.

js

---------------------------------------------------------------------------

---------------------------------------------------------------------------

Barry Fitzgerald | 2 Apr 16:38 2004

System Detection, Inc. -- Antura product line -- Has anyone had any experience with this?

Hello everyone,

          The company I work for is reviewing System Detection, 
Incorporated's Antura intrusion detection product line.  Has anyone had 
any experience with System Detection, Inc. or the Antura product line?  
Any opinions or measured statements?

          TIA

                      -Barry

---------------------------------------------------------------------------

---------------------------------------------------------------------------

Job 317 | 6 Apr 10:00 2004

FTP/Telnet IDS Evasion techniques

Hello group.

I've been playing around with Sidestep and am looking for any other IDS
evasion techniques using FTP (or even Telnet). Can anyone point me to
papers or a site discussing this? Google hasn't helped much in this area
so far.

Thanks,

JOB
Matt Vaughan | 6 Apr 16:44 2004

RE: CISCO IDS Packet capture

Hi John,

You can configure specific signature types to be captured.  You can open
them up in something like Ethereal after downloading them from IDM (IDS
web interface).

-----Original Message-----
From: Strand, John [mailto:John.Strand <at> mms.gov] 
Sent: Friday, April 02, 2004 7:36 AM
To: focus-ids <at> securityfocus.com
Subject: CISCO IDS Packet capture

Hello All,

Does anyone know how to enable some level of packet capture and logging
on the CISCO IDS system (the newer version which interfaces with
CiscoWorks and can run on Win2K)? I have hunted through the CISCO-provided
PDFs and they're a little on the light side. I also have hit the
usual suspects, google, CISCO groups, etc.

Thanks in advance for any help.

js

---------------------------------------------------------------------------

---------------------------------------------------------------------------


Chad R. Skipper | 6 Apr 22:11 2004

RE: CISCO IDS Packet capture

3 options available:

IP Logging - The sensor will capture the binary packets for a given address 
and store them in an IP Log file that can be downloaded and viewed by the 
user.  The IP Logging capability can be triggered manually by specifying a 
particular IP address, or automatically when a signature triggers.

Trigger Packet - The sensor can attach the trigger packet directly to the 
alarm.  IEV can then be used to view the contents of the trigger packet 
(IEV passes the packet to ethereal for viewing).

Tcpdump - Tcpdump has been loaded on the sensors.  You will have to create 
a service account on the sensor to get access to the underlying Linux 
OS.  Once logged into the service account then you can switch to user root 
(same password as the service account).  You can run ifconfig -a to see 
which interface you want to sniff on.  There is currently an issue with the 
sensor that the sensor can not monitor the same interface that tcpdump 
monitors.  They use different methods to open the interface that are not 
compatible with the current driver.  This will be corrected in the next 
sensor version.  Until then you will need to shutdown the interface from 
the CLI, before attempting to run tcpdump on it.  Once the interface has 
been shutdown then you will need to bring it up using ifconfig before 
running tcpdump on the interface.  When you are done running tcpdump you 
will need to reboot the sensor to re-initialize the drivers, and then 
through the CLI you would need to do a "no shutdown" on the interface to 
get the sensor to start monitoring on it again.  This is being corrected in 
the next sensor version, and the user will be able to run tcpdump on the 
same interface that is being monitored.


James Fields | 7 Apr 02:32 2004

Re: CISCO IDS Packet capture

For each signature on a newer Cisco sensor, you have the ability to turn on
and off the features called log, reset, and block.  Log is the choice that
causes it to capture.  You then get the capture off the sensor using the web
interface on the sensor.  It will be in pcap format, readable with Ethereal
or other analyzers that can read that format.

----- Original Message -----
From: "Strand, John" <John.Strand <at> mms.gov>
To: <focus-ids <at> securityfocus.com>
Sent: Friday, April 02, 2004 9:35 AM
Subject: CISCO IDS Packet capture

>
> Hello All,
>
> Does anyone know how to enable some level of packet capture and logging on
> the CISCO IDS system (the newer version which interfaces with CiscoWorks and
> can run on Win2K)? I have hunted through the CISCO-provided PDFs and they're
> a little on the light side. I also have hit the usual suspects, google,
> CISCO groups, etc.
>
> Thanks in advance for any help.
>
>
> js
>
> ---------------------------------------------------------------------------
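Both the IP Log files Chad describes and the per-signature captures James mentions come off the sensor as libpcap files, the same format Ethereal reads. The following is an added example (not Cisco's software and not from anyone in this thread) of a minimal reader for that format in pure Python: it checks the magic number and byte order, walks the record headers, refuses truncated files, and tallies Ethernet-encapsulated IPv4 packets per source/destination/protocol. The writer and the sample frames exist only to construct test input offline; addresses, MACs and timestamps are placeholders.

```python
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # native-order magic; byte-swapped files use 0xD4C3B2A1
LINKTYPE_ETHERNET = 1            # what a sensor sniffing an Ethernet interface writes
GLOBAL_HDR = "IHHiIII"           # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"              # ts_sec, ts_usec, incl_len, orig_len


def build_ipv4_frame(src_ip, dst_ip, proto, payload):
    """Constructed Ethernet + IPv4 frame used as sample input (placeholder MACs, zero checksum)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + payload


def write_pcap(frames, ts_start=1081000000):
    """Serialize frames into a classic libpcap file (what Ethereal opens)."""
    out = struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<" + RECORD_HDR, ts_start + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Return (linktype, [(ts_sec, orig_len, packet_bytes), ...]); raise on a bad or truncated file."""
    if len(data) < 24:
        raise ValueError("file shorter than the pcap global header")
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"                               # written on a big-endian host
    else:
        raise ValueError("not a libpcap file (bad magic)")
    *_, snaplen, linktype = struct.unpack_from(endian + GLOBAL_HDR, data, 0)
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from(endian + RECORD_HDR, data, off)
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated or inconsistent record at offset %d" % off)
        records.append((ts_sec, orig_len, data[off:off + incl_len]))
        off += incl_len
    return linktype, records


def summarize_ipv4(linktype, records):
    """Count packets per (src, dst, protocol) for Ethernet-encapsulated IPv4 records."""
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    counts = Counter()
    for _ts, _orig, pkt in records:
        if len(pkt) < 34:
            continue                               # too short for Ethernet + IPv4 headers
        ethertype, = struct.unpack_from("!H", pkt, 12)
        if ethertype != 0x0800:
            continue                               # not IPv4
        ip = pkt[14:]
        proto = ip[9]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        counts[(src, dst, proto)] += 1
    return counts


if __name__ == "__main__":
    sample = write_pcap([
        build_ipv4_frame("192.0.2.5", "198.51.100.7", 6, b"GET / HTTP/1.0\r\n\r\n"),
        build_ipv4_frame("192.0.2.5", "198.51.100.7", 6, b"\x00"),
        build_ipv4_frame("203.0.113.9", "198.51.100.7", 17, b"abc"),
    ])
    lt, recs = read_pcap(sample)
    for (s, d, p), n in sorted(summarize_ipv4(lt, recs).items()):
        print(f"{s} -> {d} proto {p}: {n} packet(s)")
```

Pointing read_pcap() at a file downloaded from IDM is a quick way to confirm the transfer was not cut short before opening it in Ethereal, and the per-host tally is enough to confirm the IP Log actually caught the address that triggered it.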

Alex Arndt | 7 Apr 02:34 2004

RE: CISCO IDS Packet capture

Comments in-line below...

> -----Original Message-----
> From: Strand, John [mailto:John.Strand <at> mms.gov]
> Sent: April 2, 2004 8:36 AM
> To: focus-ids <at> securityfocus.com
> Subject: CISCO IDS Packet capture
>
> Hello All,
>
> Does anyone know how to enable some level of packet capture and logging on
> the CISCO IDS system (the newer version which interfaces with
> CiscoWorks and
> can run on Win2K)? I have hunted through the CISCO-provided PDFs and they're
> a little on the light side. I also have hit the usual suspects, google,
> CISCO groups, etc.

The feature you're referring to is known as "IP Logging" in Cisco's
documentation. You can find exactly how to configure it here (beware of
line wrap):

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a00801a0c3c.html#255

This information is made available under the "IDS Device Monitoring Tasks"
section of the "Installing and Using the Cisco Intrusion Detection System
Device Manager and Event Viewer Version 4.1" online documentation that is
available here (beware of line wrap):
http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_installation_

Strand, John | 6 Apr 16:56 2004

RE: CISCO IDS Packet capture


First off, thanks for all of your responses thus far.

I am currently looking into what Paul Schnake sent me. It looks like it
might be what I need.. 

I am looking to see if the system can log and export the offending packet.
Within that I would like to see at least the header information, and as an
added bonus maybe some of the payload to be sifted through tcpdump or
ethereal. We have been using the context buffer for a while and that is
great, however in some situations we wanted to see more data. 

-----Original Message-----
From: Scherer, Brian [mailto:BScherer <at> dialamerica.com] 
Sent: Tuesday, April 06, 2004 8:44 AM
To: Strand, John
Subject: RE: CISCO IDS Packet capture

I didn't know you could do a packet capture with the IDS but I know if
you go into security monitor then event viewer, if you right click on
sig name you can view the context buffer.  What type of logging are you
trying to do?
-Brian- 

-----Original Message-----
From: Strand, John [mailto:John.Strand <at> mms.gov] 
Sent: Friday, April 02, 2004 8:36 AM
To: focus-ids <at> securityfocus.com
Subject: CISCO IDS Packet capture


Billy Dodson | 6 Apr 15:34 2004

RE: CISCO IDS Packet capture

I am uncertain if this is possible.  You can run a snoop command from
the shell and watch data.  If you tried to log all that data on the IDS
itself the hd would fill up in a matter of minutes.  There might be a
way to log it to a syslog server or something of that nature, but I have
never tried.  But if you just want to watch the data in real time you
can run that snoop command. 

Billy Dodson
Network Systems Engineer
Permian Micro Mart
3815 E. 52nd Street
Odessa, TX 79762
432.367.3239 - Direct Line
432.367.6179 x139

-----Original Message-----
From: Strand, John [mailto:John.Strand <at> mms.gov] 
Sent: Friday, April 02, 2004 7:36 AM
To: focus-ids <at> securityfocus.com
Subject: CISCO IDS Packet capture

Hello All,

Does anyone know how to enable some level of packet capture and logging
on the CISCO IDS system (the newer version which interfaces with
CiscoWorks and can run on Win2K)? I have hunted through the CISCO-provided
PDFs and they're a little on the light side. I also have hit the
usual suspects, google, CISCO groups, etc.

Thanks in advance for any help.

