Intrusion Detection Systems mailing list archives
Re: Good source of intrusion detection and response steps?
From: blue0ne () igloo org (Jackie Chan)
Date: Fri, 24 Mar 2000 18:02:09 -0500 (EST)
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

Matt,

I have yet to hear about any cases in which computer forensical evidence was composed of IDS logs. Not to say that a type III wire tap has not been used in the network monitoring sense. The problem seems to be that most IDS are commercial products intended to raise the level of awareness of IT professionals to detrimental activity on the network, not necessarily to assist in the prosecution of the individual responsible. Obviously, it is logical to assume that IDS logs would be very helpful in an investigation as it shows how the investigative personnel were alerted to the malicious activity (not merely focusing on an individual without cause, as this is illegal). The true forensic evidence, however, comes from the damaged resource, such as the web server or compromised database. This could be in the form of audit logs (which have a much lower rate of false positives).

The Navy has successfully used IDS during an investigation; however, the IDS was placed into operation especially for the investigation, and removed promptly thereafter. The IDS was tuned to look for specific user signatures so as to track the entire session for later review.

I agree that some standards need to be determined, and then tested by case law before we can have a true 'answer'. Until that time, however, some pointers for handling of forensic evidence can be noted:

1. Limit the amount of people who have knowledge about the incident or investigation.
2. Utilize TPI or Two Person Integrity. Always have a witness to sensitive tasks such as backing up of investigative data, signing Chain of Custody Reports, accessing properly stored evidence, etc.
3. In no way access the media in question (hard drives) without first making a complete Bit Image backup for custodial storage.
4. Lastly, always maintain the highest level of privacy and professionalism for the suspect being monitored. If not, it can come back to haunt you.

In no way is this a complete list of items. In many cases, an informal investigation can be accomplished resulting in termination of an employee without any traditional law enforcement involvement. However, some cases may call for outside intervention, and it is your responsibility to notify authorities if the particular activity is clearly a criminal act such as extortion.

I refer you to some documents from the Network Security Wizards that may be useful for anecdotal information. However, acquiring professional assistance for developing a legally accredited policy for intrusion detection and incident response is advised.

http://www.securitywizards.com/papers/probes.html
http://www.securitywizards.com/papers/net.html

Cheers,
blue0ne
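As an added example of pointers 2 and 3 in the post above (this is not code from the post, nor from Network Security Wizards), a small POSIX shell script that images media only when a witness is named, verifies the copy's hash against the source, and keeps a chain-of-custody record that can be re-checked later. It assumes dd and sha256sum (or shasum) are available; the file and path names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the list post). Assumes POSIX sh with dd and
# sha256sum (or shasum); a real acquisition would use a write blocker and
# a forensic imager that handles bad sectors, which plain dd does not.

# Print the SHA-256 of a file, whichever hashing tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# acquire_image SOURCE IMAGE LOG OPERATOR WITNESS
# Bit-copies SOURCE to IMAGE, verifies the copy's hash against the source and
# appends a chain-of-custody line to LOG. Refuses to run without a witness
# (Two Person Integrity) or over an existing image; prints the verified hash.
acquire_image() {
  src=$1; img=$2; log=$3; operator=$4; witness=$5
  [ -n "$witness" ] || { echo "TPI violation: no witness named" >&2; return 2; }
  [ -e "$img" ] && { echo "refusing to overwrite $img" >&2; return 3; }
  dd if="$src" of="$img" bs=4096 2>/dev/null || return 4
  src_hash=$(sha256_of "$src")
  img_hash=$(sha256_of "$img")
  if [ "$src_hash" != "$img_hash" ]; then
    echo "hash mismatch: source $src_hash image $img_hash" >&2
    return 5
  fi
  # Tab-separated record: when, what, where, verified hash, operator, witness.
  printf '%s\tACQUIRE\t%s\t%s\tsha256=%s\toperator=%s\twitness=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$img_hash" \
    "$operator" "$witness" >>"$log"
  echo "$img_hash"
}

# verify_image IMAGE LOG
# Re-hashes a stored image and compares it with the hash recorded at
# acquisition; a non-zero status means the evidence no longer matches.
verify_image() {
  img=$1; log=$2
  recorded=$(awk -F'\t' -v img="$img" \
    '$4 == img { sub(/^sha256=/, "", $5); h = $5 } END { print h }' "$log")
  [ -n "$recorded" ] || { echo "no acquisition record for $img" >&2; return 1; }
  [ "$recorded" = "$(sha256_of "$img")" ]
}
```

Run as `acquire_image /dev/sdX /evidence/case1.img /evidence/custody.log analyst witness` (constructed paths) and later `verify_image /evidence/case1.img /evidence/custody.log` before any analysis of the image.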
Thanks for the pointers to the vulnerability databases, and the web links. I've
seen all those sites previously, and that's not what I'm looking for. Like I said
I'm looking for some specific details or instructions on how to use a tool to find
an intrusion, detect the intruder, preserve evidence of the intrusion, preserve
evidence about the identity of the intruder or source of the intrusion, and stop
the intrusion.
I'm not interested in things like:
"If you have version 123.4 or earlier of BlahBlahBlahFirewall, then download and
install Patch765.4 from the vendor to close the BlobbityBlob vulnerability".
I'd like something like:
- SuperDuperIDSTool detects a BlobbityBlob intrusion, and
  displays a warning message in the log window
- Click the Warning message to view the intrusion details
- Open a command window
- cd to the parent directory specified in the intrusion details
- do a detailed listing of the intruded directory and place the results in
  evidence.dat
- save the directory history file into evidence.dat
- verify the existence of the files specified in the intrusion details
- delete the files specified in the intrusion details
- if the specified files are not found, verify the status of the directoryListing
  tool.
Maybe something more like a checklist for an intrusion? It seems like this might
be pretty tool specific so maybe nothing like this exists anywhere? I'm not very
familiar with using IDS tools, maybe they don't have this functionality or work
this way? Or maybe the vendors already provide this kind of instruction?
--
Matt Baney (206)-545-2941
SHAI Seattle, Washington baney () shai-seattle com
-------------------------------------------------------
It's hard to predict the unpredictable.
