Re: Good source of intrusion detection and response steps? -reply

[mht () clark net (mht () clark net)]

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
Hmm, I wonder who contributed to the nice informational pages at Network 
ICE..:)

/m

At 09:13 AM 3/24/00 -0800, Robert Graham wrote:
> Archive: http://msgs.securepoint.com/ids
> FAQ: http://www.ticm.com/kb/faq/idsfaq.html
> IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
> HELP: Having problems... email questions to ids-owner () uow edu au
> NOTE: Remove this section from reply msgs otherwise the msg will bounce.
> SPAM: DO NOT send unsolicted mail to this list.
> UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
> -----------------------------------------------------------------------------
> --- Matt Baney <baney () shai-seattle com> wrote:
> > What are the best sources for detailed (ie. step by step ) information for
> > detecting and responding to intrusions?  I'm looking for something that is
> > more
> > detailed than the CERT advisories, and that may also contain response and
> > forensic details.  Something that might includes the necessary steps to
> > detect
> > an intrusion and also provide the necessary response steps to stop or 
> negate
> > the
> > intrusion while preserving forensic information that would be necessary for
> > legal action or be useful in identifying the perpetrator or source of the
> > attack.
> > Does this kind of information exist anywhere?
>
> The best source of this information is the bugtraq vulnerabilities database:
> http://www.securityfocus.com/vdb/
> If a vulnerability occurs, it eventually gets discussed on bugtraq. It is also
> the most up-to-date information. If you are using an IDS and it doesn't point
> to the bugtraq info, then shame on them.
>
> There is the CVE effort attempts to standardize the names of vulnerabilities
> among different vendors:
> http://cve.mitre.org/
> But unfortunately, it is really just a way to correlate info among vendors
> rather than containing information itself.
>
> Some vendors of IDSs maintain databases:
> http://advice.networkice.com/advice/intrusions
> http://xforce.iss.net
> http://www.whitehats.com
>
> I particularly proud of the job that Network ICE does. It spends a lot of time
> describing in plain english to the less technical user what the intrusion
> means, and providing links to other resources that experts can drill down 
> into.
> Examples:
> http://advice.networkice.com/advice/concordance/BugtraqID/
> http://advice.networkice.com/advice/Intrusions/2003017/
> Our website is rather more popular than either bugtraq's or xforce's, too :-)
>
> Robert Graham
> CTO/Network ICE
>
>
> __________________________________________________
> Do You Yahoo!?
> Talk to your friends online with Yahoo! Messenger.
> http://im.yahoo.com