Effective intrusion detection software for NT
PM Drake
for NT-based networks that they wouldn't mind sharing? I am aware of Black
Ice and Tripwire as frequently used packages, but I am looking for some
feedback on what has worked well for anyone out there.
Thanks in advance for your help.
D. Brown
home. It's great! It's detected several attacks my systems recieved over
the Net and logged them all well enough for me to report them to their
respective ISPs.
PM Drake <PMD...@nospam.hotmail.com> wrote in message
news:3822...@news.nwlink.com...
ShockwaveRider
I also use BID on both win9x and NT PC's and it works fine as Dbrown said.....
Duncan Simpson
>I use Black Ice on my workstation and servers at work and my systems at
>home. It's great! It's detected several attacks my systems recieved over
>the Net and logged them all well enough for me to report them to their
>respective ISPs.
I am afraid this probably had no effect because predicting TCP
conenctions initial sequence numbers and so forth is triival when the
remote system is any version of windows. Thus most ISPs will not
consider the source IP numbers, including any element of the source
route if recorded, as serious evidence.
If you gave them logs via a Linux or other box that uses highly
unpredicatble sequence nuymbers and does not allow source routing you
have some hope. Almost all unicies, appropiately figured, have been in
this category for many years. Having said that, lots of attacks all
implicating the same person, might work if the attacker gets IP
addresses randomly from a pool. If this is the case then the attacker
is definately a clueless script kiddie.
--
Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."
Harlan Carvey, CISSP
> conenctions initial sequence numbers and so forth is triival when the
> remote system is any version of windows. Thus most ISPs will not
> consider the source IP numbers, including any element of the source
> route if recorded, as serious evidence.
Duncan,
If you would, please, could you tell me what tools would be used by a script
kiddie to conduct a successful unauthorized access of an NT box, using the
predictable TCP ISNs you mentioned? I am seriously interested in knowing
of any tool that is available that will allow someone to launch a successful
attack.
Carv
Aviram Jenik
You might want to take a look at hunt:
http://www.securiteam.com/tools/Hunt__a_new_Hijacking_software.html
And Juggernaut:
http://www.securiteam.com/tools/Juggernaut__a_session_hijacking_tool.html
Although I haven't tried them against NT, there's no reason why it shouldn't
work as well as it does against UNIX.
--
-------------------------
Aviram Jenik
SecuriTeam
http://www.SecuriTeam.com
"Harlan Carvey, CISSP" <carv...@patriot.net> wrote in message
news:3829FDA7...@patriot.net...
RONIN
programs.
As from my experience i used Retina.
Check this out from www.eeye.com
Please send feedback to e-mail too...
thanks..
Memento Mori...
-=RONIN=-
Gary McKinnon
the demo. The US Navy use that and only that, but then, they really
need it.
Regards,
Gary ;+}
On Mon, 6 Dec 1999 17:08:53 +0200, RONIN <st...@ronin.widenet.co.il>
wrote:
WinterMute
Whatever happened to a knowledgeable sysadmin locking down his
box and reviewing his log files?
Jeff Cochran
>box and reviewing his log files?
Log files can be edited. Also, NT log files don't tell the whole
story, most information needed to trace and/or trap an intruder isn't
there. Plus, once you've found the intrusion, knowing what was done
to the system can be critical in recovering from the intrusion.
Jeff
Gareth Jones
>Whatever happened to a knowledgeable sysadmin locking down his
>box and reviewing his log files?
He went out and bought some tools to make his job easier?
Gareth
Wayde Nie
> I agree with you, but an NT system can be locked down well enough to
> prevent unauthorized
> access in the first place...or at least, make it a non-trivial exercise.
Reading NTBugTraq might quickly cure you of this misconception...
Happy Holiday's all,
> ----------------------------------------------------------------------- <
> Wayde Nie <
> Software Analyst Computing and Information Services <
> phone: (905)525-9140 ext 23856 McMaster University, CANADA <
> fax: (905)524-5288 ni...@mcmaster.ca <
> -------------------------[\]--->=\o.:---[\]---------------------------- <
WinterMute
prevent unauthorized
access in the first place...or at least, make it a non-trivial exercise.
Jeff Cochran wrote:
> >Whatever happened to a knowledgeable sysadmin locking down his
> >box and reviewing his log files?
>
WinterMute
and I haven't wavered yet.
Wayde Nie wrote:
> On Thu, 23 Dec 1999, WinterMute wrote:
>
> > I agree with you, but an NT system can be locked down well enough to
> > prevent unauthorized
> > access in the first place...or at least, make it a non-trivial exercise.
>
Craig B. Olofson
Wayde Nie wrote:
>
> On Thu, 23 Dec 1999, WinterMute wrote:
>
> > I agree with you, but an NT system can be locked down well enough to
> > prevent unauthorized
> > access in the first place...or at least, make it a non-trivial exercise.
>
> Reading NTBugTraq might quickly cure you of this misconception...
>
That's what I'd thought coming from the Unix community but, after having
started _Hacking_Exposed_, NT looks a lot better...w/proper measures in
place.
cheers,
Craig
ES
Gareth Jones <gar...@uberdog.net> wrote in message
news:386673c4....@news.giganews.com...
> WinterMute <carv...@patriot.net> wrote:
>
> >Whatever happened to a knowledgeable sysadmin locking down his
> >box and reviewing his log files?
>
WinterMute
> started _Hacking_Exposed_, NT looks a lot better...w/proper measures in
> place.
I like the book...only argument I have is that it's really light on null sessions
in the
enumeration section.
Wayde Nie
> > Reading NTBugTraq might quickly cure you of this misconception...
>
> started _Hacking_Exposed_, NT looks a lot better...w/proper measures in
> place.
Maybe... I'm not saying that Unix, or any other OS for that matter is
better in this respect. It's just my opinion that intrusion detection
software is an import part of Internet host security, and getting more
important all the time.
People put locks on their windows and doors to keep others out, but more
and more people are putting in alarm systems as well so that they know
when someone came in...
Happy Holidays,
Richard Ballard
What is _Hacking_Exposed_?
Thanks in advance.
"Craig B. Olofson" <cra...@puck.org> writes:
>> > I agree with you, but an NT system can be locked down
>> > well enough to prevent unauthorized access in the first
>> > place...or at least, make it a non-trivial exercise.
>>
>> Reading NTBugTraq might quickly cure you of this
>> misconception...
>
>That's what I'd thought coming from the Unix community but,
>after having started _Hacking_Exposed_, NT looks a lot
>better...w/proper measures in place.
Richard Ballard CNA4 KD0AZ
Craig B. Olofson
>
> What is NTBugTraq?
>
> What is _Hacking_Exposed_?
>
> Thanks in advance.
>
1) NTBugTraq is a web site. www.ntbugtraq.com
2) _Hacking_Exposed_ is a book. _Hacking_Exposed_: Network Security
Secrets & Solutions, Stuart McClure et al, Osborne Press, Berkeley CA,
1999. ISBN 0-07-212127-0
The subject header provides the context.
Happy Hunting,
Craig
Jerry Leslie
: What is NTBugTraq?
A mailing list for NT security bugs and exploits
http://www.ntbugtraq.com/
NTBugtraq - NTBugtraq Home
: What is _Hacking_Exposed_?
A book:
http://www.sanctury.com/book/0/122/30693.html
Hacking Exposed: Network Security Secrets and Solutions
--Jerry Leslie (my opinions are strictly my own)