Intrusion Detection Systems mailing list archives
Re: Good source of intrusion detection and response steps?
From: baney () shai-seattle com (Matt Baney)
Date: Mon, 27 Mar 2000 11:10:49 -0800
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

I think I worded my original question poorly or wasn't very clear. What I'm looking for would be something more like a cookbook solution for Attack-X given a certain system configuration and IDS tools available. Kind of like: "If I have a 10-node network, half Unix, half NT, a firewall, a network packet sniffer, and a couple of different IDS tools (BlackIce, NFR, RealSecure, Tripwire, Dragon, ??, etc.), when Attack-X happens, what will I likely see happen first: what alarms, warnings, popup messages, email messages, etc.? What should I do after the initial warnings, what steps should I take to preserve as much evidence as possible but at the same time detect and stop the intrusion, and which tools are best for which steps?"

I'd kind of like to find similar descriptions/details for several different attacks using several different tools. I realize the "which tools are best for which steps" is rather arbitrary and obviously biased towards the reader's or user's "favorite" tools. And I also realize that this information might not exist anywhere? Maybe what I'm looking for is kind of a detailed tutorial for each IDS or system tool; maybe this is something that comes from the vendor when you purchase or install a system.

I guess what I'm looking for is an expansion of the vulnerability/attack database idea, that contains vendor/tool-specific information about what the user would see when this attack happens, and instructions on how to respond to the attack?

Matt Baney wrote:
-----------------------------------------------------------------------------
What are the best sources for detailed (i.e. step by step) information for detecting and responding to intrusions? I'm looking for something that is more detailed than the CERT advisories, and that may also contain response and forensic details. Something that might include the necessary steps to detect an intrusion and also provide the necessary response steps to stop or negate the intrusion while preserving forensic information that would be necessary for legal action or be useful in identifying the perpetrator or source of the attack.

Does this kind of information exist anywhere?

Thanks
Matt

--
Matt Baney (206)-545-2941
SHAI Seattle, Washington
baney () shai-seattle com
-------------------------------------------------------
It's hard to predict the unpredictable.
