WebApp Sec
mailing list archives
RE: Intrusion Detection
From: <Jeremy_Powell () sbcss k12 ca us>
Date: Mon, 10 Jul 2006 10:31:43 -0700
Post compromise detection, especially if the compromiser is employing root
kit type functionality can be almost impossible from the compromised system
itself as long as it is still running the compromised system software.
Frequently, you will have to boot from a forensics based system to assess the
state of a suspect system. Determining that a system is suspect and in need
of such treatment is equally difficult, but frequently the compromiser will
use the compromised system to go after bigger fish or to distribute software
or run some unexpected server functionality. Some tools we have found useful
in noticing computers doing both legitimate and illegitimate unexpected
things include:
1) Regular or automated log management and analysis
2) Flow capture and analysis such as with ipcad and the flow tools from
splintered.net
3) An internal intrusion detection system is helpful in observing the spread
of compromise that either made it unnoticed into the organization or began
internally and was targeted internally.
4) Vulnerability scanners such as Nessus often turn up unexpected
functionality on a system that is either compromise, misconfiguration, or
ignorance.
Here are some URLs:
http://lionet.info/ipcad/
http://www.splintered.net/sw/flow-tools/
http://www.nessus.org
http://www.frozentech.com/content/livecd.php?pick=All&sort=&showonly=forensics
I know my list is decidedly UN*X based; you can find Windows-based tools as
well.
Jeremy Powell
-----Original Message-----
From: David Robert [mailto:david31900 () rogers com]
Sent: Sunday, July 09, 2006 7:46 PM
To: webappsec () securityfocus com
Subject: Intrusion Detection
Hello all,
I've been reading this list for some time and I can't help
but notice that there is a lot of information and discussion
about securing systems, but very little about how to detect
if you *are* compromised.
This is one of my major concerns. I can advocate all kinds of
practices and procedures, but eventually someone will get
through. So how can I tell?
Especially if they are trying not to leave traces?
Are there a few very simple, dumb things that everyone should
do in this regard? If so, then I haven't heard them. If you
could list them, or point me to some good resources, it would
be much appreciated.
Thanks,
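The flow capture and analysis that Jeremy Powell lists above (ipcad, flow-tools) is useful precisely because it does not depend on the suspect host: the records come from the network, so a rootkit that hides processes and sockets on the box cannot hide the packets. The script below is an added example, not code from this thread or from the ipcad/flow-tools projects; it takes constructed, simplified flow records (one unidirectional flow per line, not real flow-tools output), the internal range 10.1.0.0/16, a per-host baseline of expected services, and an allowed-outbound list, all of which are assumptions, and reports three of the "unexpected things" a compromised host tends to do: serving a port it was never meant to serve, talking outbound to a service it should not use, and fanning out to many external hosts on one port.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address range (hypothetical).
LOCAL_NET = ip_network("10.1.0.0/16")

# Expected server roles per internal host: host -> {(proto, port)} it may serve.
# Hosts missing from this table are assumed to serve nothing at all.
BASELINE_SERVICES = {
    "10.1.0.10": {("tcp", 80), ("tcp", 443)},  # web server
    "10.1.0.20": {("tcp", 25)},                # mail relay
}

# Services internal hosts are expected to reach on the outside.
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("tcp", 53), ("udp", 53)}

# Distinct external destinations per (host, proto, port) before we call it fan-out.
FANOUT_THRESHOLD = 20

# Constructed sample records, one unidirectional flow per line:
# src_ip,dst_ip,proto,src_port,dst_port,packets,bytes
# The last block simulates 10.1.0.30 probing thirty external hosts on tcp/445.
SAMPLE_FLOWS = """\
203.0.113.5,10.1.0.10,tcp,51000,80,12,6000
10.1.0.10,203.0.113.5,tcp,80,51000,10,90000
198.51.100.7,10.1.0.10,tcp,51001,443,30,20000
10.1.0.10,192.0.2.9,tcp,40001,6667,50,4000
198.51.100.8,10.1.0.30,tcp,51002,31337,8,900
""" + "".join(
    f"10.1.0.30,192.0.2.{i},tcp,{40100 + i},445,1,60\n" for i in range(1, 31)
)


def parse_flows(text):
    """Parse the simplified CSV flow format above into a list of dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, pkts, nbytes = line.split(",")
        flows.append({
            "src": src, "dst": dst, "proto": proto.lower(),
            "sport": int(sport), "dport": int(dport),
            "packets": int(pkts), "bytes": int(nbytes),
        })
    return flows


def is_local(ip):
    return ip_address(ip) in LOCAL_NET


def analyze(flows, baseline=BASELINE_SERVICES, allowed_outbound=ALLOWED_OUTBOUND,
            fanout_threshold=FANOUT_THRESHOLD):
    """Compare observed flows against the expected-behaviour baseline."""
    unexpected_services = defaultdict(set)   # local host -> {(proto, port)} served
    unexpected_outbound = defaultdict(set)   # (host, proto, dport) -> {external dst}
    fanout_targets = defaultdict(set)        # (host, proto, dport) -> {external dst}

    for f in flows:
        # Heuristic: in a unidirectional flow the lower-numbered port is usually the
        # service side, so dport < sport means client -> server and the destination
        # host is the one acting as a server. Reply flows (server -> client) are skipped.
        if not f["dport"] < f["sport"]:
            continue
        service = (f["proto"], f["dport"])

        # A local host answering on a port outside its baseline = unexpected service.
        if is_local(f["dst"]) and service not in baseline.get(f["dst"], set()):
            unexpected_services[f["dst"]].add(service)

        # A local host initiating to the outside: check the port and count targets.
        if is_local(f["src"]) and not is_local(f["dst"]):
            key = (f["src"],) + service
            if service not in allowed_outbound:
                unexpected_outbound[key].add(f["dst"])
            fanout_targets[key].add(f["dst"])

    fanout = {k: len(v) for k, v in fanout_targets.items() if len(v) >= fanout_threshold}
    return {
        "unexpected_services": dict(unexpected_services),
        "unexpected_outbound": dict(unexpected_outbound),
        "fanout": fanout,
    }


if __name__ == "__main__":
    report = analyze(parse_flows(SAMPLE_FLOWS))
    for host, services in report["unexpected_services"].items():
        print(f"{host} serves unexpected {sorted(services)}")
    for (host, proto, port), dsts in report["unexpected_outbound"].items():
        print(f"{host} -> {proto}/{port} outbound to {len(dsts)} host(s)")
    for (host, proto, port), n in report["fanout"].items():
        print(f"{host} fan-out on {proto}/{port}: {n} distinct destinations")
```

On the constructed input this flags 10.1.0.30 serving tcp/31337 (a host with no baseline role answering on a high port), 10.1.0.10 connecting out to tcp/6667 (a web server that should only be reached, not reaching out), and 10.1.0.30 touching thirty external hosts on tcp/445, which is the "going after bigger fish" pattern. The port-ordering heuristic is crude and will misclassify services on high ports, so in practice the baseline should be built from a known-clean capture window and reviewed rather than hand-typed, and any hit is a reason to pull the host for the off-line forensic boot described above, not a verdict on its own.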