Comments on TaoSecurity Blog: I See You
Blog author: Richard Bejtlich (comment feed last updated 2023-10-16)

Anonymous, 2007-03-12 16:40 -04:00:

< QUOTE SNIP >

I am happy to see that you are now using ossec. However, in the same way that you have your independent network sensor you should have your independent log server. You should never go directly to the box that generated the alert to look at more logs...

< / QS >

Ouch...indeed. And there's nothing new or cutting edge about a remote log server. Logging to multiple machines is even more insurance.

Anonymous, 2007-02-26 03:55 -05:00:

Hello. Yes, it's the latest and greatest 31337 attack. Contact me for details at packetgod[at]gmail.com

Anonymous, 2007-02-22 06:17 -05:00:

This comment has been removed by a blog administrator.

Daniel Cid (posted as Anonymous), 2007-02-11 13:30 -05:00:

Hi Richard,

I am happy to see that you are now using ossec. However, in the same way that you have your independent network sensor you should have your independent log server. You should never go directly to the box that generated the alert to look at more logs...

In case of an alert like that, you could go to the log server and check for other events from the same IP (same thing you did with Sguil). If you have your firewall logs, you would be able to see all connections (denied and allowed) from this IP or any authentication-related event.

Thanks,

Daniel Cid

Richard Bejtlich, 2007-02-10 14:54 -05:00:

Anonymous -- not to be rude, but you must be new here. I certainly don't rely on alerts as you seem to imply, and neither does my NSM process.

Anonymous, 2007-02-10 11:42 -05:00:

There is one thing to consider, however. You mentioned that Sguil didn't alert on this traffic, which could pose problems if analysts rely on one 'main' tool to begin the investigative process. This has been a long-time problem with IDS tools; if a signature doesn't exist, the security event may not be 'caught'. The longer I work with an IDS-centric defense approach, the more I see it as a shortcoming in attempting to detect security events on a network or infrastructure. SAGE SysAdmin #12 "Building a Logging Infrastructure" and "Security Log Management" by Syngress help to show that IDS data should only be one of several inputs for the alerting process. Unfortunately, Snort doesn't widely detect rate-based attacks (DDoS, unless looking for a specific type of packet related to one), and could lead to a late arrival in detection and defense. Understandably, nothing will catch everything; however, utilizing tools that rely on 'signatures of known activity' may not be the best approach either. Taking in IDS data, along with other network events (such as traffic throughput and host logs) to generate an alert, and then using session data for verification, may be a better way to tackle the problem.

Dustin, 2007-02-09 14:17 -05:00:

Hey Richard,

Is Brazil competing in some cracker challenge? :)

http://blog.netjitsu.net/2007/02/cisco-ios-display-bug.html