Re: Re: [Security] Newest Symantic Security Software

From: Mike Hunter <mhunter_at_berkeley.edu>
Date: Thu May 12 2005 - 15:03:21 PDT

On May 12, "Jake-F Harwood" wrote:

> At 01:21 PM 5/12/2005 -0700, Tom Holub wrote:
> >
> >If the hackers are actually accomplishing anything (that is, if their
> >FTP server or back door is available to the net), SNS should be able
> >to scan for them.

Another point here is that it's not easy for SNS to scan every port on
every box on campus. Even the fancy-pants software they're evaling
doesn't do that quickly.

> that is very much like sticking your head in a hole to keep from being
> eaten by a lion.
>
> here's an example that's not too uncommon.
>
> you got hacked (you can pick how),
>
> the payload installs multiple evil things, like
>
> ftp server (seen on the network, and through the IDS)
>
> Ident server (seen on the network, and through the IDS)
>
> key collector and password sniffer which sends its results back through
> email, http posts, or DNS queries (not seen on the network, but seen through the IDS)
>
> and a back door that is available to the net (seen on the network. old
> school.) or maybe a back door that uses some type of back connection to
> bypass host-based firewalls (like Hacker Defender, or the like, new
> school). (not seen on the network, but seen through the IDS)
>
> in that example, you're still hosed any way you look at it.
>
> the ftp server's there, but unusable. We (SNS) would most likely see it get
> installed, but would throw out the alert as a false positive.
>
> if we can't scan the hosts, not only can't we tell if there's something up, but
> we can't even tell what OS it is, which also helps weed out false positives
> based on OS matching to attacks.
>
> we have pulled some passive OS fingerprint stuff into play (and we do), but
> when I or any of the other IDS team are working on alerts, sometimes you
> just need to scan a host to see what's up.
>
> seems like a lot of good info thrown out because you're worried about having
> the security group's scanner IP spoofed.
>
> so are you going to block that DNS server also? I hear there's holes for
> that too.
>
> doesn't that same risk exist with the holes poked for the campus DNS
> servers?

DNS is something you can write a good firewall rule for; you wouldn't just
whitelist the DNS server, you'd allow traffic from it *in response* to a
query sent by your server.

Today there's apparently a new (or resurgence of an old) worm that affects
people running MS SQL (Slammer). This is the perfect example of a situation
where having the SNS scanner whitelisted means you can get owned: MSSQL
uses UDP, so all I have to do is compromise a box on the local subnet, and
with one frame I've owned your box. Granted, you deserve to be owned for
not patching....

Mike

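The two policies Mike contrasts above (whitelisting the scanner's address versus allowing DNS traffic only in response to a query the host sent) as an added, runnable illustration. This is a toy simulation written for this archive page, not SNS's scanner, the campus firewall, or any real product; every address, port and datagram in it is constructed for the example, and the "Slammer-style" probe is just one UDP datagram to 1434/udp with a forged source address.

```python
"""Added illustration: why a source-address whitelist for UDP is weaker than
a stateful reply-only rule.  Toy simulation written for this page, not any
real firewall.  All addresses, ports and datagrams are constructed."""

from dataclasses import dataclass

SCANNER_IP = "10.0.0.5"       # assumed address of the security group's scanner
DNS_SERVER_IP = "10.0.0.53"   # assumed address of a campus resolver
MY_IP = "10.0.1.7"            # assumed address of the host being protected
MSSQL_UDP_PORT = 1434         # SQL Server Resolution Service, the port Slammer hit


@dataclass(frozen=True)
class Udp:
    """A UDP datagram reduced to the fields a packet filter looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class WhitelistFirewall:
    """Policy 1: accept anything whose source address is on the allow list.

    The source address is not authenticated, so a host on the same subnet can
    forge one datagram claiming to be the scanner and it sails through."""

    def __init__(self, allowed):
        self.allowed = frozenset(allowed)

    def inbound(self, pkt: Udp) -> bool:
        return pkt.src in self.allowed


class StatefulFirewall:
    """Policy 2: accept inbound UDP only if it answers something we sent.

    Mirrors connection tracking for UDP: each outbound datagram records its
    4-tuple, and an inbound datagram is accepted only when its reversed
    4-tuple is present.  (Real conntrack expires entries on a timer; the
    timer is omitted here.)"""

    def __init__(self):
        self.pending = set()

    def outbound(self, pkt: Udp) -> None:
        self.pending.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt: Udp) -> bool:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.pending


def spoofed_probe(claimed_src: str) -> Udp:
    """Constructed stand-in for a single Slammer-style datagram: one UDP
    packet to 1434/udp, with the source address forged to the scanner's."""
    return Udp(claimed_src, 40000, MY_IP, MSSQL_UDP_PORT, b"\x04" + b"A" * 16)


def run_scenario() -> dict:
    """Feed the same three datagrams to both policies and report verdicts."""
    wl = WhitelistFirewall([SCANNER_IP, DNS_SERVER_IP])
    sf = StatefulFirewall()

    # Our host sends a DNS query; the reply comes back with src/dst swapped.
    query = Udp(MY_IP, 51234, DNS_SERVER_IP, 53, b"\x1a\x2b")   # constructed
    reply = Udp(DNS_SERVER_IP, 53, MY_IP, 51234, b"\x1a\x2b")   # constructed
    sf.outbound(query)

    # Traffic "from" whitelisted addresses that this host never asked for.
    forged_scanner = spoofed_probe(SCANNER_IP)
    unsolicited_dns = Udp(DNS_SERVER_IP, 53, MY_IP, MSSQL_UDP_PORT, b"\x04")

    cases = {
        "dns_reply": reply,
        "forged_scanner": forged_scanner,
        "unsolicited_from_dns": unsolicited_dns,
    }
    return {
        "whitelist": {name: wl.inbound(p) for name, p in cases.items()},
        "stateful": {name: sf.inbound(p) for name, p in cases.items()},
    }


if __name__ == "__main__":
    for policy, verdicts in run_scenario().items():
        print(policy, verdicts)
```

The whitelist policy accepts all three datagrams, including the forged 1434/udp probe; the stateful policy accepts only the DNS reply whose reversed 4-tuple matches the query just sent. On Linux the second policy is roughly `iptables -A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT` ahead of a default drop for inbound UDP, while the first is a bare `-s <scanner-ip> -j ACCEPT`. Two caveats: UDP "state" is only a timed table entry, so a forged reply that lands while a real query is outstanding still passes (which is why DNS additionally relies on random transaction IDs and source ports), and a reply-only rule does nothing for the scanner, whose whole purpose is unsolicited traffic. That is the trade-off the thread is arguing about.
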
------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
Received on Thu May 12 15:05:57 2005

This archive was generated by hypermail 2.1.8 : Thu May 12 2005 - 15:05:58 PDT