so, shall we get started?

*Hobbit* (hobbit@asylum.sf.ca.us)
Tue, 23 Aug 1994 00:59:19 -0400

Most of the traffic here has been introductions, which are all well and
good, but yow, are we detecting any intruders yet?

I'm going to throw out a couple of "things to watch for" on an IP link,
and hope to see a lot more of it discussed.

I used to work at FTP Software, and used their net monitoring product
with a bunch of configured filters [well, where a "bunch" maxes out at
four] to watch for certain types of packets I was interested in.  I'd
leave several PCs running these "evil detectors", logging things matching
their criteria to the disk for later perusal, and sometimes use "snoop"
for more complex stuff.  For instance:

   any NFS traffic coming from "outside".

   source routed packets.  [ ip[0] != 0x45 ]

   "Inside" machines answering "outside" TCP [i.e. outgoing ACK SYN],
   perhaps limited to high ports <--> high ports [good for finding muds,
   random X traffic, or that instant root shell backdoor someone
   left running on your Marketing server].

   High UDP ports <--> high UDP ports  [traceroute, FSP, ntalk [?]].

   Transit traffic.  [src and dst not for local network]  May also
   indicate packet fakery going on.

Other people might have much more sophisticated gear by now, and can
configure their firewall machines to log anything that violates their
filtering policies.  Would some folks possessing experience with this
newer equipment care to pipe up about the things they've observed?

_H*
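The five "things to watch for" above, written out as packet filters: this is an added example and is not Hobbit's code nor anything from FTP Software's monitoring product.  Each item becomes a predicate over a parsed IPv4 header, and the predicates are run over a handful of constructed datagrams.  The inside network (192.0.2.0/24), the "outside" addresses, the NFS port, and every packet in SAMPLES are assumptions made for illustration.  The post's ip[0] != 0x45 test is kept as written; it fires on any IPv4 header that carries options, so a second predicate walks the option list and reports only an actual LSRR/SSRR option.

```python
# Added example, not Hobbit's code or FTP Software's monitor: the post's
# "evil detector" filters as predicates over a parsed IPv4 header.
import ipaddress
import struct
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("192.0.2.0/24")   # assumption: "our" net
NFS_PORT = 2049                                 # nfs over sunrpc
TCP, UDP = 6, 17
SYN, ACK = 0x02, 0x10
LSRR, SSRR = 131, 137   # loose / strict source route option types

@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    options: bytes
    sport: int = 0
    dport: int = 0
    flags: int = 0      # TCP flag byte, 0 for anything else

def parse(raw: bytes) -> Packet:
    # Assumes an IPv4 datagram; pulls out only what the filters need.
    ihl = (raw[0] & 0x0F) * 4
    pkt = Packet(ipaddress.IPv4Address(raw[12:16]),
                 ipaddress.IPv4Address(raw[16:20]), raw[9], raw[20:ihl])
    l4 = raw[ihl:]
    if pkt.proto in (TCP, UDP) and len(l4) >= 4:
        pkt.sport, pkt.dport = struct.unpack("!HH", l4[:4])
    if pkt.proto == TCP and len(l4) >= 14:
        pkt.flags = l4[13]
    return pkt

def has_source_route(options: bytes) -> bool:
    """Walk the option list; True if an LSRR or SSRR option is present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                    # end of option list
            return False
        if kind == 1:                    # NOP: one byte, no length field
            i += 1
            continue
        if kind in (LSRR, SSRR):
            return True
        if i + 1 >= len(options) or options[i + 1] < 2:
            return False                 # truncated or bogus length: stop
        i += options[i + 1]
    return False

def inside(a): return a in INSIDE
def high(port): return port >= 1024
def crosses(p): return inside(p.src) != inside(p.dst)
def high_high(p, proto): return p.proto == proto and crosses(p) and high(p.sport) and high(p.dport)

# Name -> predicate.  "ip options" is the post's ip[0] != 0x45 test (any
# options at all); "source route" is the stricter check beside it.
FILTERS = {
    "outside NFS": lambda p: not inside(p.src) and p.proto in (TCP, UDP) and p.dport == NFS_PORT,
    "ip options": lambda p: len(p.options) > 0,
    "source route": lambda p: has_source_route(p.options),
    "inside answers outside TCP": lambda p: p.proto == TCP and inside(p.src)
        and not inside(p.dst) and (p.flags & (SYN | ACK)) == (SYN | ACK),
    "high<->high TCP": lambda p: high_high(p, TCP),
    "high<->high UDP": lambda p: high_high(p, UDP),
    "transit": lambda p: not inside(p.src) and not inside(p.dst),
}

def evil(raw: bytes) -> list:
    """Names of every filter the datagram matches, in FILTERS order."""
    p = parse(raw)
    return [name for name, match in FILTERS.items() if match(p)]

def build(src, dst, proto, sport, dport, flags=0, options=b""):
    """Constructed test datagram (checksums left zero): sample input only."""
    options += b"\x00" * (-len(options) % 4)      # pad to 32-bit words
    ihl = 5 + len(options) // 4
    l4 = struct.pack("!HH", sport, dport)
    if proto == TCP:
        l4 += struct.pack("!IIBBHHH", 0, 0, 5 << 4, flags, 8192, 0, 0)
    else:
        l4 += struct.pack("!HH", 8, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(l4),
                      0, 0, 64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + options + l4

# Constructed samples; 198.51.100.0/24 and 203.0.113.0/24 play "outside".
SAMPLES = {
    "nfs from outside": build("198.51.100.7", "192.0.2.10", UDP, 1023, NFS_PORT),
    "lsrr telnet": build("198.51.100.7", "192.0.2.10", TCP, 40000, 23, SYN,
                         bytes([LSRR, 7, 4]) + ipaddress.IPv4Address("192.0.2.1").packed),
    "backdoor synack": build("192.0.2.50", "198.51.100.7", TCP, 31337, 40001, SYN | ACK),
    "traceroute probe": build("198.51.100.7", "192.0.2.10", UDP, 40000, 33434),
    "transit": build("198.51.100.7", "203.0.113.9", TCP, 40000, 80, SYN),
    "normal web": build("192.0.2.50", "198.51.100.7", TCP, 40000, 80, SYN),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:17} -> {evil(raw) or 'clean'}")
```

The "normal web" entry is the negative case: an inside host opening a connection to port 80 outside trips none of the filters, while the same host sending SYN+ACK from a high port to a high port outside trips both the "inside answers outside" and "high<->high" checks, which is the backdoor-on-the-Marketing-server pattern the post describes.  To use this on a real link, feed parse() the IP payload of each frame from a packet capture instead of the SAMPLES table.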