Greg Martin | 1 Nov 01:08 2006

Re: detecting network crowd surges


> I wonder, though, is this how real botnets are controlled?
> 
> Surely it would be far easier, and less obtrusive, to control your
> botnet via an updated http site, like
> http://<mikeiscool>/instructions.txt. Every day the bots would log on
> and receive their latest orders. Makes sense to hide in http rather
> than risk a protocol that might be blocked, doesn't it?
> 
> -- mic

Correct but botnets came from the underground IRC world, where most of
the reusable c&c code was developed.  These people know IRC well, it is
an easy channel for them to develop upon.

The second factor is available zombie management.  A pure pull method
with http would make it hard for the bot herder to track his available
zombies, rather than just looking how many users are in an IRC
channel.  

Common sense tells us botnets will continue to use IRC less as detection
efforts such as the one described in the thread become more common.  The
real challenge will be when they go to covert tunneling capabilities for
C&C such as icmp and dns packets.

-Greg


Eric Hacker | 3 Nov 02:12 2006

Re: detecting network crowd surges

On 10/31/06, Greg Martin <gregm <at> econet.com> wrote:
> The second factor is available zombie management.  A pure pull method
> with http would make it hard for the bot herder to track his available
> zombies, rather than just looking how many users are in an IRC
> channel.
>
> Common sense tells us botnets will continue to use IRC less as detection
> efforts such as the one described in the thread become more common.  The
> real challenge will be when they go to covert tunneling capabilities for
> C&C such as icmp and dns packets.

There are so many ways for botnets to hide their traffic that the ones
that are hiding may be so well hidden that it would be difficult to find
them. As bit torrent, IM and VoIP become more popular, it will be easy to
hide in the noise.

Also, pull does not present a problem for bots during the gathering
phase where the need to manage the majority of the bot herd is
minimal. At least one bot herder was using a web traffic analyser to
keep count of the bots. Then, when a gig comes in, the bot herder can
redirect the bots to a push-pull command channel.

-- 
Eric Hacker, CISSP

aptronym (AP-troh-NIM) noun
A name that is especially suited to the profession of its owner

I _can_ leave well enough alone, but my criteria for well enough is
pretty darn high.

david.craigen | 8 Nov 17:31 2006

Industries Best practices

My question today is 
Is there an industry standard for retention of IDS logs? 

What is considered best practice for reviewing firewall logs?  Daily, weekly, quarterly, etc.

Thanks for your assistance

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

Ramon Kagan | 8 Nov 19:37 2006

Re: Industries Best practices

I don't think there is a one-size-fits-all answer to this question.  For 
instance, in our case the decision is severely influenced by legal 
regulations.  It's a tough call because you have to balance the risk of not 
having the data to investigate and the risk of violating laws.  I would start 
with your local legal ramifications first to aid in determining what you 
have to comply with.  This will at least give you a range of what you can 
and cannot do.  After that... I recommend keeping as much as you can for 
as long as you can.

Ramon Kagan, GCIA, GCIH				(p)416-736-2100 #20263
Manager, UNIX Services				rkagan <at> yorku.ca
Interim Manager, Information Security
Computing and Network Services
York University, Toronto, Canada

When all think alike, no one is thinking very much.
 	- Walter Lippmann

On Wed, 8 Nov 2006, david.craigen <at> acs-inc.com wrote:

> My question today is
> Is there an industry standard for retention of IDS logs?
>
> What is considered best practice for reviewing firewall logs?  Daily, weekly, quarterly, etc.
>
> Thanks for your assistance
>

Gary Everekyan | 8 Nov 20:35 2006

RE: Industries Best practices

Less is always better for legal reasons. Having said that...
Your best place to get any pertinent information will be dependent on the
vertical that the business is in.
I recommend reviewing all the regulatory requirements that you have to
consider before you look at general best practices that may be recommended by
various vendors, ISO, COBIT, COSO, etc.
HTH

Regards, 

Gary Everekyan

CISSP, CISM, CHS-III, ISSAP,ISSPCS, ITILp, MCSE, MCT 
Information Security and Audit
"High achievement always takes place in the framework of high expectation" -
Jack Kinder

-----Original Message-----
From: listbounce <at> securityfocus.com [mailto:listbounce <at> securityfocus.com] On
Behalf Of david.craigen <at> acs-inc.com
Sent: Wednesday, November 08, 2006 11:31 AM
To: focus-ids <at> securityfocus.com
Subject: Industries Best practices

My question today is
Is there an industry standard for retention of IDS logs? 

What is considered best practice for reviewing firewall logs?  Daily,
weekly, quarterly, etc.


Kevin Johnson | 17 Nov 02:42 2006

BASE 1.2.7 (karen) released


Hi all-

First I would like to announce that BASE 1.2.7 (karen) is now available
from the Sourceforge project page. It can be downloaded from
http://sourceforge.net/projects/secureideas

This is a minor release with a few bugs fixed and little changes.
The biggest part of this release is the contribution of the SnortUnified
system.  This is a perl program designed to replace Barnyard.

I would like to take a moment and thank everyone for over two years
of support and help.  When I announced BASE in 2004 I didn't think
that most people would notice.  I still can't believe how wrong I was.

So I want to say thanks!

Kevin Johnson GCIA, GCIH, CISSP, CEH
Principal Consultant
Secure Ideas
http://www.secureideas.net


Cisco IPS 5.1

I'm trying to build a customized signature on Cisco IPS 5.1 so it can
detect a specific content-type in the http header.
I did my research and found that I should use the http inspection engine
built into Cisco IPS and a command called regex.
An example of this would be very helpful.

Thanks


Branislav Gacesa | 21 Nov 14:45 2006

Fuzzy AI IDS


hello group

I'm interested in good resources on the subject. An extensive google search
did not result in any useful (non $$$) papers :)

Thanks,
Branislav

Gary Halleen (ghalleen | 21 Nov 22:20 2006

RE: Cisco IPS 5.1

Velasquez,

There are several ways to use Regex, or Regular Expressions, in a
Cisco IPS signature.  Here are the ways to use it with the service-http
engine:

1.  URI Regex:  Regular expression to search in the URI field.  The URI
field is defined as after the HTTP method (i.e. GET, POST) and before
the first CRLF.

2.  Arg Name Regex:  Regular expression to search in the HTTP arguments
field (variable names within form input, for instance).  This is defined
as after the '?' and in the entity body as defined by Content-Length.

3.  Arg Value Regex:  Regular expression to search in the HTTP arguments
field after Arg Name Regex is matched.  This is searching on the value
defined by the variable name, above.

4.  Header Regex:  Regular expression to search in the HTTP header.  The
header is defined as after the first CRLF, but before CRLFCRLF.

5.  Request Regex:  Regular expression to search in both the HTTP URI
and HTTP arguments fields.

In addition to these regex values, you can also specify maximum lengths
of URI, arguments, header, and request.

If you have specific things you're looking for, I'd be more than happy
to help you with the signature.  Additionally, our TAC is able to assist
in custom signature creation.

Nick Smith (nicksmi | 21 Nov 22:54 2006

RE: Cisco IPS 5.1


The best engine to use to detect this type of activity would be Service
HTTP.  Be sure to use #WEBPORTS as your service port detection range to
ensure efficiency.  Using the IDM, you can see that Service HTTP has
many regexes available for use.  A regex looks in a certain part of the
HTTP request and if it matches the pattern you enter, it triggers the
configured action, such as firing an alert.  The regex you want to use
for looking for a specific Content-Type would be the header regex.  In
there, you would enter,
[Cc][Oo][Nn][Tt][Ee][nN][Tt][-][Tt][Yy][pP][Ee][:]\x20? and then the
type you are looking for.  So if you are looking for image/gif, your
regex would be:

[Cc][Oo][Nn][Tt][Ee][nN][Tt][-][Tt][Yy][pP][Ee][:]\x20?[Ii][Mm][Aa][Gg][Ee][/][Gg][Ii][Ff]

The []'s say that you will match anything contained therein, so in this
example, it would match for any capitalization in 'content-type' and
image/gif.  The \x20? adds an optional space to be matched or not
between 'content-type' and the type.  Please let us know if you require
any further assistance.

Nicholas Smith
Cisco IPS Signature Developer

-----Original Message-----

From: Velasquez Venegas Jaime Omar <jaime <at> ulima.edu.pe>
Date: Nov 21, 2006 6:34 AM
Subject: Cisco IPS 5.1
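The two replies above describe which region of an HTTP request each service-http regex is applied to (Gary Halleen's field definitions) and give a concrete Header Regex for image/gif (Nick Smith's post). The following is an added example written for this archive page, not code from the thread, from Cisco, or from the IPS product: it splits a raw request into the uri/header/args regions using the definitions quoted in the thread and runs the posted Header Regex against the header region only, so you can see offline what would and would not trigger. The sample requests are constructed, the region splitter is my own reading of the thread's definitions (the uri region is taken literally as "after the method, before the first CRLF", so it includes the version token), and the relaxed pattern with `[\x20\t]*` is my addition to show the one caveat with `\x20?`: it allows at most a single space after the colon, so a header written with two spaces or a tab does not match. Python's `re` accepts the bracket-class syntax unchanged, which is why the posted pattern can be exercised here as-is.

```python
import re

# Header regex exactly as posted in the thread (Cisco service-http syntax).
# It happens to be valid Python `re` syntax, so it can be exercised locally.
CONTENT_TYPE_GIF_RE = (
    r"[Cc][Oo][Nn][Tt][Ee][nN][Tt][-][Tt][Yy][pP][Ee][:]\x20?"
    r"[Ii][Mm][Aa][Gg][Ee][/][Gg][Ii][Ff]"
)

# Relaxed variant (my addition, not from the thread): tolerate any run of
# spaces or tabs after the colon, which the original \x20? does not.
RELAXED_CONTENT_TYPE_GIF_RE = (
    r"[Cc][Oo][Nn][Tt][Ee][nN][Tt][-][Tt][Yy][pP][Ee][:][\x20\t]*"
    r"[Ii][Mm][Aa][Gg][Ee][/][Gg][Ii][Ff]"
)


def split_http_request(raw: bytes) -> dict:
    """Split a raw request into the regions named in the thread:
    uri    - after the HTTP method, up to the first CRLF (version included)
    header - after the first CRLF, up to CRLFCRLF
    args   - the part of the URI after '?', then the entity body
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header = head.partition(b"\r\n")
    method, _, uri = request_line.partition(b" ")
    target = uri.split(b" ", 1)[0]              # request-target without version
    _, _, query = target.partition(b"?")
    args = query + (b"\r\n" + body if body else b"")
    regions = {"method": method, "uri": uri, "header": header, "args": args}
    return {name: value.decode("latin-1") for name, value in regions.items()}


def header_regex_matches(raw: bytes, pattern: str = CONTENT_TYPE_GIF_RE) -> bool:
    """True if `pattern` is found in the header region only, the way a
    service-http Header Regex is scoped; URI, args and body are ignored."""
    return re.search(pattern, split_http_request(raw)["header"]) is not None


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    # canonical header, one space: should fire
    "gif_post": (b"POST /upload?id=7 HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"Content-Type: image/gif\r\nContent-Length: 3\r\n\r\nGIF"),
    # odd capitalisation and no space: bracket classes and \x20? cover it
    "gif_mixed_case_nospace": (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                               b"content-TYPE:IMAGE/GIF\r\n\r\n"),
    # different media type: must not fire
    "png": (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
            b"Content-Type: image/png\r\n\r\n"),
    # the string appears only in the body, outside the header region
    "gif_only_in_body": (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                         b"Content-Type: text/plain\r\n\r\nContent-Type: image/gif"),
    # two spaces after the colon: \x20? allows at most one, so no match
    "gif_two_spaces": (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                       b"Content-Type:  image/gif\r\n\r\n"),
}


def evaluate_samples(pattern: str = CONTENT_TYPE_GIF_RE) -> dict:
    """Run the header regex over every sample; returns {name: matched}."""
    return {name: header_regex_matches(raw, pattern)
            for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:24s} posted header regex hit = {hit}")
    print("gif_two_spaces with relaxed regex   =",
          header_regex_matches(SAMPLE_REQUESTS["gif_two_spaces"],
                               RELAXED_CONTENT_TYPE_GIF_RE))
```

The `gif_only_in_body` sample is the reason the engine choice matters: searching the whole request for the same pattern would fire, while a Header Regex scoped to the region between the first CRLF and CRLFCRLF does not. Whether a given IPS release also accepts `[\x20\t]*` or an equivalent is something to confirm in the product documentation or with TAC, as the thread suggests; the test here only shows what the two patterns do over the constructed inputs.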

