
Archive for Intrusion Detection

Open Loops - The perfect CSIRT toolkit

Ok everyone, here’s your chance to comment, make yourself heard, voice an opinion, tell me I don’t know what the heck I’m talking about.

The question:

Using as little money as possible, assemble a list of tools (software, hardware, wetware or other) which would serve the needs of a CSIRT in time of crisis.

Let's call the time limit for responses Thursday, November 29th 2007 at 19:00 EST. At that point, I'll summarize and wrap up.

For my picks, please see comments below.


Check Point’s IPS-1 Intrusion Prevention

In Check Point's never-ending quest to rule the security world, they announced their IPS solution today. Check Point is a world leader in firewall technology. They have recently made a great number of purchases, such as encryption provider Pointsec, which I think were brilliant moves on their part.

Today’s announcement heralds the “what-could-have-been” for the failed Sourcefire purchase. I firmly believe that the blocking of this purchase by the Committee on Foreign Investments was political payback for their refusal to open their source code. A sad result.

With this addition to the Check Point arsenal we will see a greater push to the "one vendor to rule them all" approach that was talked about at the RSA Conference 2007 in San Francisco. The solution, a rebranded NFR, extends Check Point into yet another aspect of the security market that they had not really been in before. I see Check Point as a provider that can deliver a lot of great products. Their firewall is rock solid. Mind you, the SMTP queue on the firewall is for shit. But, by and large, this company has itself on a positive path.

Now, if they could just get their licensing models unf*cked.

Article Link


Snort Buffer Overflow

From ISS X-Force:

Snort is vulnerable to a stack-based buffer overflow as a result of DCE/RPC reassembly. This vulnerability is in a dynamic-preprocessor enabled in the default configuration, and the configuration for this preprocessor allows for auto-recognition of SMB traffic to perform reassembly on. No checks are performed to see if the traffic is part of a valid TCP session, and multiple Write AndX requests can be chained in the same TCP segment. As a result, an attacker can exploit this overflow with a single TCP PDU sent across a network monitored by Snort or Sourcefire.
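The advisory's core point is that chained requests in one segment were reassembled without a bound on the accumulated size. As an added illustration of that bug class (not Snort's code, and using a constructed length-prefixed chunk format rather than real SMB/DCE-RPC), the reassembler below enforces a cumulative cap on a fixed-size buffer instead of trusting each chunk individually:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed wire format for this example (NOT real SMB/DCE-RPC):
 * each chained chunk is a 2-byte big-endian length followed by that
 * many data bytes. Several chunks may share one TCP segment. */
#define REASM_MAX 64

/* Returns total bytes reassembled, or -1 if the chained chunks would
 * overrun the fixed reassembly buffer or the segment is malformed.
 * The cumulative check (total + n <= REASM_MAX) is the one that a
 * per-chunk check alone does not give you. */
static int reassemble(const uint8_t *seg, size_t seg_len, uint8_t *out)
{
    size_t pos = 0, total = 0;
    while (pos < seg_len) {
        if (seg_len - pos < 2) return -1;          /* truncated header */
        size_t n = ((size_t)seg[pos] << 8) | seg[pos + 1];
        pos += 2;
        if (n > seg_len - pos) return -1;          /* length beyond segment */
        if (n > REASM_MAX - total) return -1;      /* cumulative bound */
        memcpy(out + total, seg + pos, n);
        total += n;
        pos += n;
    }
    return (int)total;
}

/* Builds a constructed segment of `count` chunks, each carrying
 * `chunk` bytes of 'A'. Returns the segment length, or 0 if it
 * does not fit in `cap`. */
static size_t build_segment(uint8_t *buf, size_t cap, int count, size_t chunk)
{
    size_t pos = 0;
    for (int i = 0; i < count; i++) {
        if (cap - pos < 2 + chunk) return 0;
        buf[pos++] = (uint8_t)(chunk >> 8);
        buf[pos++] = (uint8_t)(chunk & 0xff);
        memset(buf + pos, 'A', chunk);
        pos += chunk;
    }
    return pos;
}

/* Reassemble `count` chained chunks of `chunk` bytes each and return
 * the reassembler's verdict (bytes accepted, or -1 when rejected). */
int chained_result(int count, size_t chunk)
{
    uint8_t seg[512];
    uint8_t out[REASM_MAX];
    size_t len = build_segment(seg, sizeof seg, count, chunk);
    if (len == 0) return -2;
    return reassemble(seg, len, out);
}
```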

Article Link


Sourcefire Going Public In 2007

We recently heard rumblings that open source security provider Sourcefire might be going public. Today we here at Security Digest heard confirmation from their Canadian rep that the company will in fact be going public in 2007. This is some good news for the company after the US government blocked the attempted purchase by Check Point Software Technologies. This is an interesting IPO. Sourcefire is the first open source company to go public since 1998 and the first security vendor to go public since 2001.

“The SNORT® open source intrusion prevention and detection technology was created in 1998 by Martin Roesch, the founder of Sourcefire. With its dramatic speed, power and performance, Snort® quickly gained momentum to become the single most widely deployed intrusion prevention and detection technology in the world.”

Here is the link to their SEC filing. Here is a less-than-motivational quote from the "certain risks" section: "As we have had operating losses since our inception and we expect operating expenses to increase in the foreseeable future, we may never reach or maintain profitability."

Now, where's my broker's number?

UPDATE: Wow, I really missed the boat on this one. People have been talking about this one for over a month now…sigh.

Site Link


Snort 2.6.1 Released

The Snort Team is pleased to announce the availability of Snort v2.6.1. The software and source code are available at:

http://www.snort.org/dl/

2.6.1 provides new functionality including the following:

* New pattern matcher with a significantly reduced memory footprint
* Introduction of stream5 for experimental use
* Improvements to stream4, including UDP session tracking and optimizations for the reassembly buffer
* Handling for reassembly of SMB fragmented data in DCE/RPC
* An ssh preprocessor for experimental use
* Updated Snort decoder that can decode GRE encapsulated packets
* Output plugin to allow Snort to configure Aruba access control

And:

* Bug fixes and performance improvements

Article Link


Nokia Releases Sourcefire-based Security Appliance

I have been a great fan of Nokia-based appliances for a long time now. I myself have had great luck with these systems. Only once in the last five years have I had an issue, and that was when a hard drive failed. Today Nokia announced the release of a security appliance based on Sourcefire's SNORT software.

The product uses three methods for blocking threats. Sourcefire Intrusion Sensor for Nokia uses the Snort detection engine to inspect incoming traffic for problems, generate alerts and block traffic. The software examines packets using signature, protocol and anomaly-based inspection methods.

The appliance also uses Sourcefire Real-Time Network Awareness for Nokia to do intelligent network monitoring. Information gathered by the monitoring software can be used to remediate an attack.

The price tag on the new appliance is a little painful at $14,995 US.

Article Link


IBM to Acquire Internet Security Systems

If you are in the security space and haven't heard about this…hold on. IBM, Big Blue, has bought up Internet Security Systems. This is something that I should have, in retrospect, seen coming. But this one managed to catch me off guard when I read it this morning.

I had a couple of conversations with folks at ISS and IBM and they are all extremely excited about this purchase. In all likelihood this will go forward. I have a hard time believing that this will suffer the fate of the Check Point/Sourcefire screw job. This is bigger than RSA being scooped by EMC or @stake by Symantec. This will be a springboard that will allow IBM to take a serious run at a huge chunk of the MSSP market.

Great choice IBM!

Article Link


Bleeding Snort Loses A Domain

The folks over at Bleeding Snort have issued an alert about a domain issue. It turns out that one of the domains they owned appears to have lapsed and was scooped up by a group that may be using it to distribute malware. Here is the passage from their site on the domain issue.

We’ve never used bleedingsnort.org as a distributed link, but some people in the past had assumed that was the domain (org vs com), so we had owned the domain.

Somehow I let that domain expire and someone picked it up on the 27th; it's now got the standard crap trying to distribute malware and search crud.

So a reminder: If you hit that, it’s not us. Our primary domain is and always has been bleedingsnort.com.

Article Link
