lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030729221706.SJRV1380.lakecmmtao03.coxmail.com@vaio>
From: andy at digitalindustry.org (Andy Wood)
Subject: Dcom.c - (Shutting it down on 5,000 systems) - a Paul Schmehl Post

	   "Try sitting in front of the console staring at a half a million
alerts and see if the IDS *does* anything besides spewing information that
*you* have to research, that *you* have to interpret and that *you* have to
take action on." - Paul, if I'm not mistaken.

	This is the CHIEF complaint of USERS that fail to comprehend how to
effectively deploy or use 1 or more IDSs in their environment.  This
shortsightedness leads to the inability to also use an IDS to provide
assistance to the non-security Windows/UNIX admins (Spotting misconfigured
services as an example). 'How can I collect my overpriced salary, yet not
have to do any work'?  Let's bring this to another professional field.  'Ole
Paul goes to his doctor....something's amiss.  The Doc draws your blood and
there is surely something going on....something is in you wreaking havoc,
but he's not sure.  Maybe it is a mutated virus, a bacterial agent of some
sort.....he just can't tell, never seen it before.  Oh well for
you...there's no machine to tell him and he's not into analyzing the
results....too many patients to be worried about one perosn with a strange
'issue'.....no money in that!  Yeah right!  How about a Lawyer?  Will he
pass up his $300+ dollars/hr cause he has to research a case.  Nope just
lame Net Admins.  The research is the fun part of the job.  It keeps those
who like a challenge from putting a gun in their mouths and pulling the
trigger from dealing with the lamers.  But for those who like only to
collect a paycheck, well...I can imagine what a disruption from SLACKING it
must be to not have someone issue you an answer!!

	It's really a shame people don't get it.  Our customers have
benefited GREATLY from IDS monitoring (and yes, it does require time and
effort).  Both inside and outside hackers have been caught, evidence
gathered and action taken.  Not by the machine, but by a human.....and a
machine would not have caught these attempts, nor would IPS....it was done
by discovering and ANALYZING/RESEARCHING trends in allowed/authorized
traffic, creating special rules for the unknown, etc.  I.E., would you have
liked to have seen someone accessing your print servers?  ....Snort detects
this activity, as well as people trying to mod the displays of HP printers.
Since you allow unrestricted access to most of your print servers an IDS
WOULD prove beneficial!  After all, it was allowed web traffic...nothing
wrong with www traffic right, as per policy.  Thank God you need not rely on
forensic analysis....Talk about an unnecessary pain on the ass, whoo-doggie.
All the care required to ensure admissible evidence...it's just not worth
it, right?

	There are cases which it is appropriate and safe to use
flexresp/shunting with IDSs to reject attacks, or stop use of services.  For
example, if you don't want your users using AOL, tcp reset the AOL login
packets...that'll stop em.....if *you* stay on top of the AOL logon server
list, but we're back to the *you*, *you*, *you* part again....sorry.  It all
seems to go back to the admin's job.

	Fixing user's font problems or catching a Mitnick wanna-be, let me
think. (Let them praise his name in the dance: let them sing praises unto
him with timbrel and harp....KEVIN, PAUL, KEVIN, PAUL, KEVIN, PAUL, KEVIN,
PAUL, KEVIN, PAUL.....whoops, while you were reading this you were just
hacked... were you....do you know?)  Pick a packet, any packet.  It's like a
nursery rhyme:  Pauly should-a Picked Apart A Hack Attack Packet, but the
admin couldn't track the stack smack cause he lacks the faqs. So, as the
fast hacks fulfilled their 'Chronic' snacks attacks while surfing the campus
fibre backs and covering their syn-ack tracks, little pauly whishes he had a
tool that that could keep him from playin the suck-a fool.  Adjunct for a
reason, are we? 

	See ya! 	


-----Original Message-----
From: Schmehl, Paul L [mailto:pauls@...allas.edu] 
Sent: Tuesday, July 29, 2003 4:06 PM
To: Andy Wood; full-disclosure@...ts.netsys.com

>-----Original Message-----
>From: Andy Wood [mailto:andy@...italindustry.org]
>Sent: Tuesday, July 29, 2003 2:22 PM
>To: full-disclosure@...ts.netsys.com
>Subject: [Full-Disclosure] Dcom.c - (Shutting it down on 5,000 systems)
- a Paul Schmehl Post
>
>
>         (Now that I see the rest of the orig post I'll comment on the 
>IDS part):
 
>        Weak-ass admins ONLY complain that IDS' make work for them AND 
>that they are worthless.....Boo hoo, *we* have to research, *we* have 
>to interpret and *we* have to take action....WAAAAAAAAAAAAAAAAAA.

>        So, some joe-hacker that has intelligence so far beyond most 
>any-type admin (especially Windows), and he wants into your 
>network.....the complaint is that ya might have to do some analysis?

No, that wasn't the complaint.  You completely missed the point.  The
original poster stated that IDSes "protect" you.  He even went so far as to
quote from the dictionary the definition of "protect".  I countered that
they do nothing but spew information.  Someone has to do the analysis and
research and so forth.

Never **once** did I **complain** about it.  For someone who claims to have
"creativity", you sure lack basic reading skills.

The rest of your vomit isn't worth responding to.

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.504 / Virus Database: 302 - Release Date: 7/24/2003
 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.504 / Virus Database: 302 - Release Date: 7/24/2003
 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ