Intrusion Detection Systems mailing list archives

RE: Good source of intrusion detection and response steps?


From: FKnobbe () Home com (Frank Knobbe at Home)
Date: Sun, 9 Apr 2000 13:12:33 -0500


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-----Original Message-----
From: Matt Baney [mailto:baney () shai-seattle com]
Sent: Monday, March 27, 2000 1:11 PM

> I think I worded my original question poorly or wasn't very clear.
>
> What I'm looking for would be something more like a cookbook solution
> for Attack-X given a certain system configuration and IDS tools
> available.

Matt,

I don't think there is an 'Attack-X'. Each incident is different. One
good thing about the recent DDoS attacks was that they all used the
same software (tfn, stacheldraht, etc), so the appearance, signature
and recognition were the same. But if you compare different intrusion
scenarios, they all differ.

I suggest you group the tools into categories, e.g. disk-based
analysis, network-based analysis, etc., and then pick your favorite
tool from each category. Your favorite tool is the one with the least
learning curve, the most flexibility, the one you can use in an
instant without much effort (oh, and which you can afford :)

> What should I do after the initial warnings, what steps should I take
> to preserve as much evidence as possible but at the same time detect
> and stop the intrusion,

It is not always a good thing to stop the intrusion. This greatly
depends on the scenario. You might pull the plug and investigate
what's left (typically hard drive content analysis), or you might
isolate the system, but leave the attacker working on it and monitor
the system (typically network traffic content analysis).

In regard to the procedure, we already listed several links.

> [...]
> I guess what I'm looking for is an expansion of the
> vulnerability/attack database idea, that contains vendor/tool-specific
> information about what the user would see when this attack happens,
> and instructions of how to respond to the attack?

Actually, that is a great idea. I think we could use a database that
lists intrusions and the steps (and tools) used to investigate them.
Security is still a folk art, and we all learn by experience. We also
try to learn from each other (in security probably more so than in
any other information technology category), and such an intrusion
roster would be a great idea (of course stripped of the names of
companies, etc.).

Regards,
Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBOPDIEURKym0LjhFcEQKiMgCZAT5GP5GPdkG3XMCLwAVekCTjSLUAn0X3
unYILDqq8svBxFMEhEaIAliV
=4i65
-----END PGP SIGNATURE-----
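The "pull the plug and analyse what's left" option Frank describes depends on being able to show later that the evidence you collected is the evidence you analysed. The following is an added example, not part of Frank's message or anything posted to the list: it hashes each acquired artifact (a disk image, a packet capture) into a manifest with an acquisition timestamp and collector name, hashes the manifest itself, and can re-verify the set later so that any modification (for instance an image accidentally mounted read-write) is flagged. The file names, contents and the collector address are constructed for illustration only.

```python
"""Added example (not from the original thread): preserving evidence
integrity after pulling the plug and imaging a system for disk analysis.

Each collected artifact is hashed with SHA-256 and recorded with an
acquisition timestamp and the collector's name in a manifest; the
artifact list is hashed too, so the manifest's own integrity can be
checked without re-reading the evidence. All file names, contents and
the collector address below are constructed for illustration."""

import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so a large disk image need not fit in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collector):
    """Walk evidence_dir, hash every file and return a manifest dict."""
    entries = []
    for root, _dirs, files in sorted(os.walk(evidence_dir)):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(path, evidence_dir),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    manifest = {
        "collector": collector,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "artifacts": entries,
    }
    # Hash over the canonical JSON of the artifact list so the manifest
    # itself can be checked for tampering independently of the evidence.
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    manifest["manifest_sha256"] = hashlib.sha256(canonical).hexdigest()
    return manifest


def verify_manifest(evidence_dir, manifest):
    """Re-hash every artifact; return the relative paths that no longer match."""
    mismatched = []
    for entry in manifest["artifacts"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            mismatched.append(entry["path"])
    return mismatched


def demo():
    """Constructed run: acquire, verify, tamper with one artifact, verify again."""
    with tempfile.TemporaryDirectory() as d:
        # constructed evidence: a placeholder disk image and a pcap-like file
        with open(os.path.join(d, "sda.img"), "wb") as f:
            f.write(b"\x00" * 4096 + b"placeholder image bytes")
        with open(os.path.join(d, "capture.pcap"), "wb") as f:
            f.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)  # pcap magic + zeroed header
        manifest = build_manifest(d, collector="analyst@example.org")
        clean = verify_manifest(d, manifest)
        # simulate tampering, e.g. the image was mounted read-write by mistake
        with open(os.path.join(d, "sda.img"), "ab") as f:
            f.write(b"journal replay")
        tampered = verify_manifest(d, manifest)
        return len(manifest["artifacts"]), clean, tampered


if __name__ == "__main__":
    print(demo())  # (2, [], ['sda.img'])
```

In practice the manifest would be written out alongside the evidence and its `manifest_sha256` recorded somewhere the attacker (and the analyst) cannot silently change, such as a printed custody form or a separate signed note; the script only shows the hashing and re-verification step.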
