Effective intrusion detection software for NT


PM Drake

Nov 5, 1999
Has anyone had any good/bad experience with intrusion detection software
for NT-based networks that they wouldn't mind sharing? I am aware of Black
Ice and Tripwire as frequently used packages, but I am looking for some
feedback on what has worked well for anyone out there.

Thanks in advance for your help.

D. Brown

Nov 6, 1999
I use Black Ice on my workstation and servers at work and my systems at
home. It's great! It's detected several attacks my systems received over
the Net and logged them all well enough for me to report them to their
respective ISPs.

PM Drake <PMD...@nospam.hotmail.com> wrote in message
news:3822...@news.nwlink.com...

ShockwaveRider

Nov 7, 1999
PMDrake:
I also use BID on both win9x and NT PCs and it works fine, as Dbrown said.....

Duncan Simpson

Nov 10, 1999

>I use Black Ice on my workstation and servers at work and my systems at
>home. It's great! It's detected several attacks my systems received over
>the Net and logged them all well enough for me to report them to their
>respective ISPs.

I am afraid this probably had no effect because predicting TCP
connections' initial sequence numbers and so forth is trivial when the
remote system is any version of Windows. Thus most ISPs will not
consider the source IP numbers, including any element of the source
route if recorded, as serious evidence.

If you gave them logs via a Linux or other box that uses highly
unpredictable sequence numbers and does not allow source routing you
have some hope. Almost all Unices, appropriately configured, have been in
this category for many years. Having said that, lots of attacks, all
implicating the same person, might work if the attacker gets IP
addresses randomly from a pool. If this is the case then the attacker
is definitely a clueless script kiddie.
--
Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."
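Duncan's argument rests on how predictable the logging host's own TCP initial sequence numbers are: if they are, a logged source address on a completed connection is weak evidence. The script below is an added example, not code from the thread or from any of the products named in it. It rates a sample of ISNs by the spread of their consecutive differences (the same idea behind nmap's sequence-predictability index) and answers the practical question of whether a logged source address is worth reporting. The samples are constructed locally, and the thresholds are this example's own assumptions rather than figures from any standard.

```python
"""Assess how predictable a host's TCP initial sequence numbers (ISNs) are.

Added example. The ISN samples are constructed below rather than captured,
so it runs offline; the rating thresholds are assumptions, not a standard.
"""
import math
import random
import statistics

MOD = 2 ** 32  # ISNs are 32-bit values; differences wrap modulo 2**32


def isn_deltas(isns):
    """Differences between consecutive ISNs, taken modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def predictability_index(isns):
    """log2 of the standard deviation of consecutive ISN differences.

    A generator that adds a constant per connection has zero spread
    (index 0); a 32-bit random generator spreads over roughly
    2**32/sqrt(12), giving an index near 30.
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    spread = statistics.pstdev(deltas)
    return math.log2(spread) if spread >= 1 else 0.0


def verdict(index):
    """Map the index onto a coarse rating (thresholds are assumptions)."""
    if index < 1:
        return "trivial"
    if index < 16:
        return "weak"
    if index < 24:
        return "moderate"
    return "strong"


def assess(isns):
    """Return (index, rating, trust_logged_source) for a sample of ISNs.

    trust_logged_source is the question from the thread: whether a logged
    source IP on a TCP connection to this host is worth reporting.
    """
    index = predictability_index(isns)
    rating = verdict(index)
    return index, rating, rating in ("moderate", "strong")


# Constructed samples (not captured from any real host).
def constant_increment_isns(n=20, start=0x1234, step=64000):
    """Generator that adds a fixed step per connection."""
    return [(start + i * step) % MOD for i in range(n)]


def jittered_isns(n=20, seed=1):
    """Fixed step plus a little noise: still easy to guess within a window."""
    rng = random.Random(seed)
    isns, value = [], 0x1234
    for _ in range(n):
        isns.append(value)
        value = (value + 64000 + rng.randint(-200, 200)) % MOD
    return isns


def random_isns(n=20, seed=1):
    """Uniformly random 32-bit ISNs (seeded only for reproducibility)."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    for name, sample in [("constant increment", constant_increment_isns()),
                         ("small jitter", jittered_isns()),
                         ("32-bit random", random_isns())]:
        index, rating, trust = assess(sample)
        print(f"{name:18s} index={index:5.1f} rating={rating:8s} "
              f"trust logged source={trust}")
```

To apply this to a real host you would collect ISNs from a series of connections it accepts (a packet capture of the SYN/ACKs is enough) and feed them to `assess`; a "trivial" or "weak" rating is the situation Duncan describes, where the logged addresses do not prove who connected.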

Harlan Carvey, CISSP

Nov 10, 1999
> I am afraid this probably had no effect because predicting TCP
> connections' initial sequence numbers and so forth is trivial when the
> remote system is any version of Windows. Thus most ISPs will not
> consider the source IP numbers, including any element of the source
> route if recorded, as serious evidence.

Duncan,

If you would, please, could you tell me what tools would be used by a script
kiddie to conduct a successful unauthorized access of an NT box, using the
predictable TCP ISNs you mentioned? I am seriously interested in knowing
of any tool that is available that will allow someone to launch a successful
attack.

Carv


Aviram Jenik

Nov 12, 1999
Hi.

You might want to take a look at hunt:
http://www.securiteam.com/tools/Hunt__a_new_Hijacking_software.html

And Juggernaut:
http://www.securiteam.com/tools/Juggernaut__a_session_hijacking_tool.html

Although I haven't tried them against NT, there's no reason why they shouldn't
work as well as they do against UNIX.

--
-------------------------
Aviram Jenik
SecuriTeam
http://www.SecuriTeam.com


"Harlan Carvey, CISSP" <carv...@patriot.net> wrote in message
news:3829FDA7...@patriot.net...

RONIN

Dec 6, 1999
Well, it will be great if you can tell me where I can take a look at these
programs.
As for my experience, I used Retina.
Check this out from www.eeye.com
Please send feedback to e-mail too...
thanks..

Memento Mori...
-=RONIN=-

Gary McKinnon

Dec 22, 1999
RealSecure from www.iss.net is probably the best, but I've only tried
the demo. The US Navy use that and only that, but then, they really
need it.

Regards,

Gary ;+}

On Mon, 6 Dec 1999 17:08:53 +0200, RONIN <st...@ronin.widenet.co.il>
wrote:

WinterMute

Dec 23, 1999

Whatever happened to a knowledgeable sysadmin locking down his
box and reviewing his log files?


Jeff Cochran

Dec 23, 1999
>Whatever happened to a knowledgeable sysadmin locking down his
>box and reviewing his log files?

Log files can be edited. Also, NT log files don't tell the whole
story; most of the information needed to trace and/or trap an intruder isn't
there. Plus, once you've found the intrusion, knowing what was done
to the system can be critical in recovering from the intrusion.

Jeff
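Jeff's first point, that log files can be edited, is the case for the kind of integrity baseline Tripwire (named in the opening post) keeps, and his last point, knowing what was done to the system, is what a baseline-versus-current comparison answers. The following is an added example, not code from the thread or from Tripwire: it records a SHA-256 digest and size for every file under a directory, takes a later snapshot, and reports what was added, removed or modified. The file names and log lines are constructed in a temporary directory so it runs offline.

```python
"""Tripwire-style integrity baseline for log files and other sensitive paths.

Added example. Records a baseline of content digests, takes a later snapshot
and reports what changed. The files, names and log lines in demo_round_trip()
are constructed for the demonstration; nothing here comes from any product.
"""
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file under root (path relative to root) to (size, digest)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = (os.path.getsize(full), file_digest(full))
    return result


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh snapshot."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo_round_trip():
    """Constructed scenario: take a baseline, tamper with a log, add a file."""
    with tempfile.TemporaryDirectory() as root:
        log = os.path.join(root, "security.log")
        with open(log, "w") as fh:  # constructed log lines, not real events
            fh.write("12:00 logon user=admin src=10.0.0.5\n")
            fh.write("12:05 logon failure user=guest src=10.0.0.9\n")
        with open(os.path.join(root, "boot.ini"), "w") as fh:
            fh.write("[boot loader]\n")
        baseline = snapshot(root)

        # Simulated tampering: the failure line is removed from the log and
        # an unexpected file appears. boot.ini is left alone.
        with open(log, "w") as fh:
            fh.write("12:00 logon user=admin src=10.0.0.5\n")
        with open(os.path.join(root, "extra.dll"), "wb") as fh:
            fh.write(b"\x00")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo_round_trip().items():
        print(f"{kind:9s}: {paths}")
```

The comparison only means something if the baseline is kept where the intruder cannot reach it (removable media or a separate host), which is also the answer to "log files can be edited": the edit still shows up as a changed digest against an off-box baseline.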


Gareth Jones

Dec 23, 1999
WinterMute <carv...@patriot.net> wrote:

>Whatever happened to a knowledgeable sysadmin locking down his
>box and reviewing his log files?

He went out and bought some tools to make his job easier?

Gareth


Wayde Nie

Dec 23, 1999
On Thu, 23 Dec 1999, WinterMute wrote:

> I agree with you, but an NT system can be locked down well enough to
> prevent unauthorized access in the first place...or at least, make it a
> non-trivial exercise.

Reading NTBugTraq might quickly cure you of this misconception...

Happy Holidays all,
> ----------------------------------------------------------------------- <
> Wayde Nie <
> Software Analyst Computing and Information Services <
> phone: (905)525-9140 ext 23856 McMaster University, CANADA <
> fax: (905)524-5288 ni...@mcmaster.ca <
> -------------------------[\]--->=\o.:---[\]---------------------------- <


WinterMute

Dec 23, 1999
I agree with you, but an NT system can be locked down well enough to
prevent unauthorized access in the first place...or at least, make it a
non-trivial exercise.

Jeff Cochran wrote:

> >Whatever happened to a knowledgeable sysadmin locking down his
> >box and reviewing his log files?
>

WinterMute

Dec 23, 1999
Sorry, no, Wayde...I've been reviewing NTBugTraq regularly for quite a while...
and I haven't wavered yet.

Wayde Nie wrote:

> On Thu, 23 Dec 1999, WinterMute wrote:
>

> > I agree with you, but an NT system can be locked down well enough to
> > prevent unauthorized access in the first place...or at least, make it a
> > non-trivial exercise.
>

Craig B. Olofson

Dec 23, 1999

Wayde Nie wrote:
>
> On Thu, 23 Dec 1999, WinterMute wrote:
>
> > I agree with you, but an NT system can be locked down well enough to
> > prevent unauthorized access in the first place...or at least, make it a
> > non-trivial exercise.
>
> Reading NTBugTraq might quickly cure you of this misconception...
>

That's what I'd thought coming from the Unix community but, after having
started _Hacking_Exposed_, NT looks a lot better...w/proper measures in
place.

cheers,
Craig

ES

Dec 24, 1999
touche


Gareth Jones <gar...@uberdog.net> wrote in message
news:386673c4....@news.giganews.com...


> WinterMute <carv...@patriot.net> wrote:
>
> >Whatever happened to a knowledgeable sysadmin locking down his
> >box and reviewing his log files?
>

WinterMute

Dec 24, 1999
> That's what I'd thought coming from the Unix community but, after having
> started _Hacking_Exposed_, NT looks a lot better...w/proper measures in
> place.

I like the book...only argument I have is that it's really light on null
sessions in the enumeration section.

Wayde Nie

Dec 24, 1999

> > Reading NTBugTraq might quickly cure you of this misconception...
>
> That's what I'd thought coming from the Unix community but, after having
> started _Hacking_Exposed_, NT looks a lot better...w/proper measures in
> place.

Maybe... I'm not saying that Unix, or any other OS for that matter, is
better in this respect. It's just my opinion that intrusion detection
software is an important part of Internet host security, and getting more
important all the time.

People put locks on their windows and doors to keep others out, but more
and more people are putting in alarm systems as well so that they know
when someone came in...

Happy Holidays,

Richard Ballard

Dec 25, 1999
What is NTBugTraq?

What is _Hacking_Exposed_?

Thanks in advance.

"Craig B. Olofson" <cra...@puck.org> writes:

>> > I agree with you, but an NT system can be locked down
>> > well enough to prevent unauthorized access in the first
>> > place...or at least, make it a non-trivial exercise.
>>

>> Reading NTBugTraq might quickly cure you of this
>> misconception...
>
>That's what I'd thought coming from the Unix community but,
>after having started _Hacking_Exposed_, NT looks a lot
>better...w/proper measures in place.

Richard Ballard CNA4 KD0AZ


Craig B. Olofson

Dec 25, 1999
Richard Ballard wrote:
>
> What is NTBugTraq?
>
> What is _Hacking_Exposed_?
>
> Thanks in advance.
>

1) NTBugTraq is a web site. www.ntbugtraq.com

2) _Hacking_Exposed_ is a book. _Hacking_Exposed_: Network Security
Secrets & Solutions, Stuart McClure et al, Osborne Press, Berkeley CA,
1999. ISBN 0-07-212127-0

The subject header provides the context.

Happy Hunting,

Craig

Jerry Leslie

Dec 28, 1999
Richard Ballard (rball...@aol.com) wrote:
: What is NTBugTraq?

A mailing list for NT security bugs and exploits

http://www.ntbugtraq.com/
NTBugtraq - NTBugtraq Home

: What is _Hacking_Exposed_?

A book:

http://www.sanctury.com/book/0/122/30693.html
Hacking Exposed: Network Security Secrets and Solutions

--Jerry Leslie (my opinions are strictly my own)
