Great Circle Associates Firewalls
(April 1995)
 


Subject: Re: anyone seen an S.. attack against a firewall?
From: Sick Puppy <sikpuppy @ maestro . com>
Date: Mon, 17 Apr 1995 15:33:52 -0400 (EDT)
To: firewalls @ GreatCircle . com

Benjamin Smith wrote:

> (I know this overlaps with the Intrusion detection list, but I think
> that reacting to people knocking on your front door is also a 
> firewalls issue)

Got kicked off that list, so can't discuss it there anyway.  They are a
snotty lot, who would never be seen with rolled up shirt sleeves.

> The other thing that you have to decide for your detector is the 
> time frame to look at.  Courtney (or at least 1.0--I haven't looked
> at 1.1 yet) looks at connections over the last 7 minutes.  All you 
> need to do to break this is slow Satan down with the equivalent of a
> bunch of sleep()s and Courtney wouldn't see ...
...
> and a version that looks at all connections over the last day, week,
> whatever, that tries to catch the sneaky, patient cracker.

Yes, thought of that.  Wrote some code to look at a week's worth of logs
for a slow attack.  No sign of S.., but it showed up some sneaky dood
making 3 attempts to hack mail, once an hour, then disappearing for
21 hours.

> Of course if he was really sneaky, he'd run his version of Satan 
> (or his equivalent) issuing one detectable event from a different 
> site over a long span of time...

At least one person reading this list has a security research tool that 
changes its own IP address for every probe that it makes, and they got it 
from someone that doesn't read the list.  Can't let a tool like that fall
into the hands of the military, CERT, CIAC, DISA, Ferengi or Borg, because 
they would undoubtedly use it to attack the home worlds.

                                  Sick Puppy
                                  !USAF Electronic Warfare Center
                                  Eindhoven, Netherlands
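
Added example, not part of the original message and not code from Courtney or from either poster: a per-source sliding-window counter run over a constructed log, showing how a 7-minute window misses hourly probes that a week-long window catches. The log format, the addresses (documentation ranges), the threshold of 3 and the names `parse` and `flag_sources` are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: "date time source service". Not real traffic.
SAMPLE_LOG = """\
1995-04-10 09:00:05 198.51.100.9 telnet
1995-04-10 09:00:40 198.51.100.9 ftp
1995-04-10 09:01:10 198.51.100.9 smtp
1995-04-10 09:02:00 198.51.100.9 finger
1995-04-11 02:00:00 192.0.2.7 smtp
1995-04-11 03:00:00 192.0.2.7 smtp
1995-04-11 04:00:00 192.0.2.7 smtp
1995-04-12 01:00:00 192.0.2.7 smtp
1995-04-12 14:30:00 203.0.113.20 smtp
"""

def parse(log):
    """Return (timestamp, source, service) tuples sorted by time."""
    events = []
    for line in log.splitlines():
        date, time, src, service = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, src, service))
    return sorted(events)

def flag_sources(events, window, threshold):
    """Return sources with at least `threshold` events inside any window."""
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    flagged = set()
    for ts, src, _service in events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # expire events older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged

EVENTS = parse(SAMPLE_LOG)
SHORT = flag_sources(EVENTS, timedelta(minutes=7), threshold=3)
LONG = flag_sources(EVENTS, timedelta(days=7), threshold=3)

if __name__ == "__main__":
    print("7-minute window:", sorted(SHORT))
    print("7-day window:   ", sorted(LONG))
    print("seen only by the long window:", sorted(LONG - SHORT))
```

Counting per source, at any window length, still does not cover the case raised at the end of the message, where each probe arrives from a different address.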


