Contributed by jose on from the simple-firewalls dept.
It's nice to see what he is using to keep them out of his LAN.......
By Chris Humphries (chris@unixfu.net) on http://unixfu.net/
Everyone bought Jose's Worm book?
http://tinyurl.com/yurxq
It is a good book, help support. Don't be a cheap bastid ;)
By Anonymous Coward
Price comparison engines can be your friend if you are cheap. Or maybe I should say enemy? There's one listed there for $95 despite the easy $75 find!
Also keep in mind, that not every book is for every reader. Jose has an OpenBSD book on the way and my guess is it will be more affordable and I believe it's from a different publisher.
By jose on http://monkey.org/~jose/
just a few thoughts. both of these things will help you keep your network (i.e. at work) safe from threats. it's all about the generic approach. signature detection is old school, it's quickly becoming irrelevant as the speed and frequency of malware (viruses, worms) increases.
poke around on my website for vthrottle.
By Chris Humphries (chris@unixfu.net) on http://unixfu.net/
Anomaly ones are much better, most attacks and worms do not seem smart enough to appear to be doing something normal or something another process would be doing. Though of course, this can be bypassed, but most people that write attack worms and scripts do not seem to be this smart or even care/know (at least the ones in the wild filling up my logs).
hopefully people this skilled are writing this code as a job, and not wanting to go to jail and snicker with their kiddie friends.
--
i don't have facts or statistics to back up this post :)
By Krunch on http://krunch.servebeer.com/~krunch/
By Chris Humphries (chris@unixfu.net) on http://unixfu.net/
though it may be true. the sole purpose of virii and worms is to spread and replicate. being noticed kinda defeats the purpose it seems, yet well noticed worms are still around. guess stupidity and ignorance win :)
By Anonymous Coward
If you are able to enumerate the acceptable types of traffic with any kind of specificity, you could have a catch-all rule for the remaining traffic.
I think it's hard to run a recon and attack without tripping one of the rules. I pay attention to the scans.
One trick is to have a tcpdump audit that captures 200 bytes of every packet that transits your net. Then all a kiddie has to do is violate one snort rule and you can correlate with everything else that has transpired. IP w.x.y.z scanning? What else did they try? Host a.b.c.d was scanned? What else went to it? Did its behavior change? Bingo! That 0-day 'sploit is now all over BugTraq, SecurityFocus and Whitehats. Even if the scan was sourced differently than the attack, I still have a good chance to pick up on it thanks to Snort.
I'm looking at anomaly-based NIDS, too. And host-based IDS (using things like Tripwire) are a big part of the picture, too.
Any suggestions? I am going to take a look at Shadow pretty soon.
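The correlation step the comment above describes (a Snort alert as the trigger, the full-packet audit as the context: what else the scanner touched, who else hit the scanned host, whether the host's behaviour changed) plus the "catch-all rule" for traffic outside the enumerated acceptable set, as an added example that is not part of the thread. The alert line and the tcpdump -nn style lines are constructed samples; the helper and field names are assumptions for illustration.

```python
import re

# Constructed sample data (not captures from the thread): one Snort fast-alert
# line and tcpdump -nn text output, as "tcpdump -nn -r audit.pcap" would print it.
SNORT_ALERTS = [
    "03/14-02:11:05.123456 [**] [1:1000:1] SCAN nmap TCP [**] {TCP} 10.0.0.5:40213 -> 192.168.1.10:22",
]
TCPDUMP_LINES = [
    "02:10:58.000001 IP 10.0.0.5.40210 > 192.168.1.10.80: Flags [S], seq 1, win 1024, length 0",
    "02:11:05.123456 IP 10.0.0.5.40213 > 192.168.1.10.22: Flags [S], seq 2, win 1024, length 0",
    "02:11:07.000001 IP 10.0.0.5.40220 > 192.168.1.11.25: Flags [S], seq 3, win 1024, length 0",
    "02:11:40.000001 IP 10.0.0.9.51000 > 192.168.1.10.22: Flags [S], seq 4, win 65535, length 0",
    "02:12:01.000001 IP 192.168.1.10.33000 > 198.51.100.7.6667: Flags [S], seq 5, win 65535, length 0",
    "02:12:30.000001 IP 192.168.1.12.49000 > 192.168.1.1.53: Flags [.], seq 6, win 65535, length 0",
]
PKT_RE = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
ALERT_RE = re.compile(r"\{(\w+)\} (\S+?):(\d+) -> (\S+?):(\d+)")

def parse_packets(lines):
    """Turn tcpdump text lines into (ts, src, sport, dst, dport) tuples; skip non-IP lines."""
    out = []
    for line in lines:
        m = PKT_RE.match(line)
        if m:
            ts, src, sport, dst, dport = m.groups()
            out.append((ts, src, int(sport), dst, int(dport)))
    return out

def parse_alerts(lines):
    """Pull (src, dst) out of Snort fast-format alert lines; ignore lines that don't match."""
    return [(m.group(2), m.group(4)) for m in map(ALERT_RE.search, lines) if m]

def correlate(alert_lines, packet_lines):
    """For each alert: everything the scanner touched, other sources that reached the
    scanned host, and the scanned host's own outbound connections (a behaviour change)."""
    pkts = parse_packets(packet_lines)
    report = {}
    for src, dst in parse_alerts(alert_lines):
        report[(src, dst)] = {
            "scanner_touched": sorted({(p[3], p[4]) for p in pkts if p[1] == src}),
            "others_to_victim": sorted({p[1] for p in pkts if p[3] == dst and p[1] != src}),
            "victim_outbound": sorted({(p[3], p[4]) for p in pkts if p[1] == dst}),
        }
    return report

def catch_all(packet_lines, allowed_dports):
    """The catch-all rule: every (src, dst, dport) flow whose destination port is not in
    the enumerated acceptable set, whether or not any signature fired on it."""
    return sorted({(p[1], p[3], p[4]) for p in parse_packets(packet_lines) if p[4] not in allowed_dports})
```

Against the sample data, the scan of 192.168.1.10 also exposes the scanner's probes of port 80 and of 192.168.1.11, and the catch-all flags the victim's later outbound connection to port 6667, which no signature matched.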
By Anthony
By Anonymous Coward
Or he just means the University of Alberta but got the city mixed up.