Domain: snort.org
Stories and comments across the archive that link to snort.org.
Comments · 165
-
A few ideas:
You could implement a (hopefully automated) means of identifying a compromised machine. A single PC on listen-only mode with Snort -- perhaps with a few Nessus scans -- might do the trick.
Once you have monitoring capabilities, you can get to work on responses. You have a few options, depending on the available resources:
-- Put up a public notice somewhere (on a webpage, network status screen, whatever) indicating that the current network outage is a result of Joe's ineptitude. (i.e. use peer pressure to keep users' boxes clean.)
-- Send an email to the netadmins to have Joe's network access restricted. If the detection mechanisms are reliable, you could ask the netadmins to automate this facility.
-- Provide a facility for end-users to monitor their own recorded state. This will help those who don't know they've been compromised and/or want to make sure their network connection doesn't go away.
When disabling a user's access, it would be ideal if they could retain some limited connectivity so you can feed them a "You've been hacked" webpage -- ideally with some patch download links. Depending on your local network infrastructure, this may not be feasible, but if you can move compromised machines to a separate VLAN with heavy ACLs, or simply QoS non-essential network traffic into the ground, that'll help when end-users try to fix their machines themselves. -
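The detect-then-respond loop sketched in the comment above, as an added example that is not code from the page, from Snort or from any of the commenters: a Python script that parses Snort's "fast" alert log format, scores each internal source host by alert priority, and lists hosts that cross a threshold as quarantine candidates for the netadmins (or an automated VLAN/ACL move). The alert lines, signature IDs, messages and addresses are constructed for this example; the 10.0.0.0/8 home network and the scoring thresholds are assumptions to tune for your own site.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in Snort's "fast" alert format (-A fast). The
# timestamps, SIDs, messages and addresses are all made up for this example.
SAMPLE_ALERTS = """\
03/14-02:31:07.123456  [**] [1:9000001:1] EXAMPLE IRC join on non-standard port [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 10.1.5.23:1034 -> 198.51.100.7:6669
03/14-02:31:09.441100  [**] [1:9000002:1] EXAMPLE outbound SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.5.23:1040 -> 203.0.113.44:445
03/14-02:31:12.002210  [**] [1:9000003:1] EXAMPLE portscan detected [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 10.1.5.23:1041 -> 203.0.113.45:139
03/14-02:32:40.778000  [**] [1:9000004:2] EXAMPLE inbound web scanner [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.9:51022 -> 10.1.2.80:80
03/14-02:33:01.000000  [**] [1:9000001:1] EXAMPLE IRC join on non-standard port [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 10.1.7.8:2201 -> 198.51.100.7:6669
"""

# One fast-format line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = FAST_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])
    return alert


def score_internal_hosts(lines, home_net, priority_weights=(3, 2, 1)):
    """Tally alerts by internal *source* host.

    Returns {host: {"score": int, "sids": set(...)}}. Only sources inside
    home_net are counted: the goal is to find compromised machines on our
    own network, not to score outside scanners (they get blocked elsewhere).
    """
    home = ip_network(home_net)
    weights = {1: priority_weights[0], 2: priority_weights[1], 3: priority_weights[2]}
    hosts = defaultdict(lambda: {"score": 0, "sids": set()})
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None or ip_address(alert["src"]) not in home:
            continue
        entry = hosts[alert["src"]]
        entry["score"] += weights.get(alert["prio"], 1)  # unknown priority counts as low
        entry["sids"].add(alert["sid"])
    return dict(hosts)


def quarantine_candidates(hosts, min_score=4, min_distinct_sids=2):
    """Hosts that meet both a score threshold and a distinct-signature count.

    Requiring several different signatures keeps one noisy or badly tuned
    rule from getting a user cut off on its own.
    """
    return sorted(host for host, v in hosts.items()
                  if v["score"] >= min_score and len(v["sids"]) >= min_distinct_sids)


if __name__ == "__main__":
    tally = score_internal_hosts(SAMPLE_ALERTS.splitlines(), "10.0.0.0/8")
    for host, v in sorted(tally.items()):
        print(f"{host}: score={v['score']} sids={sorted(v['sids'])}")
    print("quarantine candidates:", quarantine_candidates(tally))
```

Run against a real `alert` file from `-A fast` by replacing `SAMPLE_ALERTS.splitlines()` with the file's lines; the list it prints is what you hand to the netadmins (or to the VLAN/ACL automation), and the two thresholds are the knobs to raise if the rule set is noisy.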
Re:Swatch, Snort, Portsentry
For those too lazy to cut n paste:
http://swatch.sourceforge.net/
http://www.snort.org/
http://sourceforge.net/projects/sentrytools/ -
detection of botnets
For those of you that use Snort as an Intrusion Detection System, there are some excellent rules that will detect botnets located at BleedingSnort.
Look for IRC rules that are non-standard ports. Very easy to run. -
They will have to improve their products then...
Their PIX firewall is no competition to the other popular vendors. It lacks both the performance and features of Netscreen/Juniper and has a shoddy security record.
Their IDS is less sensitive than Snort and its VMS manager software is slow, hideously bloated and buggy.
For several years, Cisco have been promoting an insecure combination of IPSEC shared-secret with xauth. Despite being documented as dangerous on their own website, it was still the taught and recommended way of configuring "convenient" secure remote access VPNs. Only in the last six months have they fixed this.
Their NAC/self-deluding-network initiative is broken as proposed. All enforcement is performed in the wrong place: routers off in the edge of the network. Right now, there is no way to deploy NAC on a switch or even a MSFC.
Cisco need to stop their marketing droids from directing their product development and get back to competing on technology. -
Valuable Open Source Security Assessment Tools?
-
Uhm dude... that's not a sniffer...
A quick rtfa tells me that this isn't a sniffer at all, it's just a perl script that parses the plain-text output from someone else's sniffer. Sorry, no donut. NEXT!
What's up with tcpdump and friends, snort, kismet, bsd-airtools and ethereal anyway?
-
Re:Can we run servers yet?
I used to work the abuse desk for a cable internet provider. We never actively looked for people running web servers if they weren't eating up bandwidth, but if they were doing something else we would also use it as an extra excuse to suspend their service. Additionally I've run snort since I've had broadband. I am yet to be portscanned by anyone other than script kiddies or zombies. If you aren't causing the ISP any problems you'll never even be noticed.
-
Worst. Resume. Evar
Poorly formatted, no logical grouping, lists every software package he has ever touched (I'm surprised he didn't list Dell, Gateway, etc.), and completely lacks any kind of focus. I don't know how old this is (looks to be from 2001) but folks, this should be an example of 'how not to do an entry level resume'. Also just for the record, if you kids do want to get into security, learn Snort.
Copied below for 'posterity'. Note that he lists "social engineering" as a technique.
Nicholas Jacobsen
1911 NE Thompson
Portland, OR
Massage: (503) 287-4812
Email: ethics@netzero.net
Employment
* Long Term Goal: Network Manager position in the Computer Security Field
* Immediate Goal: Network Administrator in the IT field.
* Computer Security Institute's NetSec '01 New Orleans, LA June 2001
Intern: Technical Services, Computer Setup/Configuration, Attendee Registration, and Customer Service
* 27th Annual Computer Security Conference Chicago, IL November 2000
Intern: Technical Services, Attendee Registration, and Customer Service
* Ethics Design Winston, OR 1997-Present
Consulting in computer system setup, design, security, and software.
* Mustard Seed Educational Services Roseburg, OR 1989-1998
Website design, achievement test scoring, cashiering, curriculum recommendation, computer inventory and sales, program maintenance, exhibit hall setup/tear-down, assisting with publishing 32 page catalog.
Education
* Goal: BS in Computer Science via part-time studies and CISSP Certification
* Professional Education:
* NetSec '01, Attended:
* How to Develop a Winning Security Architecture - David Lynas
* Windows 2000 Security - Joel Scrambray
* Virus Writers and Legislation - Sarah Gordon
* Creating a Comprehensive Intrusion Detection System - Charles Hudson, Jr.
* Phreakers to Frauds: Telecom Crime Investigation and Prevention - Andrea Morin
* Building Secure Software - Gary McGraw
* Preparing for ISO 17799 - Tom Peltier
* Viruses, Hoaxes, Trojans, Worms, Where Will it End? - Bob Cartwright
* Practical Forensics - Peter Garza
* Hacking UNIX - Bob Geiger
* 27th Annual Computer Security Conference, Attended:
* Intrusion Techniques & Countermeasures - Rik Farrow
* Implementing a Computer Incident Response Team - Peter Stephenson
* 10 Other Security Classes
* Formal Education:
* Associates of Science Degree, Umpqua Community College, June 2001
* High School Diploma, Umpqua Community College Adult HS Diploma Program, March 2001
High school curriculum consisted of college preparation in math, reading, writing, humanities, music, social sciences, science, Hebrew, Latin, Greek, the study of the Great Books, and 2nd year college level computer course work in web page design, data communications, visual basic, C++, and networking. Approximately 50% of high school coursework has been at the College Credit (CC) level.
Familiarity with...
* Operating Systems: Windows 3.x, 95, 98, NT, 2000; Novell NOS; Unix variants, OS/2, DOS, VMS OS
* Languages: Perl, Basic, Visual Basic, C/C++, Java, JavaScript, DHTML, HTML, CGI implementation, ActiveX Implementation
* Applications: Microsoft Visual Studio, Microsoft Office Suite, Paint Shop Pro, Corel Suite, Maya 2.5, FrontPage, Dreamweaver, Ultraweaver, Homesite, TopStyle, Adobe (various), AutoCAD, AutoDesk Inventor, Filemaker Pro, Borland Programming Suite, Flash, Poser, Internet Space Builder, Retina, Nscan, Nmap, Visual Route, PGP, SATAN, SANTA, SAINT, L0phtcrack, Crack/John the Ripper/Derivatives, Iris, Notepad, Ultra Edit, SoftIce, among others.
* Techniques: Firewall Configuration, Network/Server Security Analysis, HTTP/FTP/Telnet/IRC Server Configuration, LAN administration, Social Engineering, Intrusion Detection/Analysis, and Cryptography. -
Forget IDS and alert-centric data... watch flows
Snort isn't necessarily the right tool for this job. You might do better to monitor session data (aka "flows" or "transactions") via NetFlow from routers (as is already done here.) Argus is another option.
Incidentally, Snort isn't "SNORT" or "Snort!" or anything other than Snort. Snort isn't an acronym, it's an IDS. :)
Helevius
-
Gonna require one heck of a Network IDS ...
The article mentioned "researchers successfully sent data from Switzerland to Tokyo at speeds of 7.21 gigabits per second"
... and if they want to watch the traffic for "neferious" content, that is gonna require one heck of a Network IDS (Intrusion Detection System - SNORT is a popular open source IDS) to keep up ... and the vast majority of the traffic will be about as exciting as watching grass grow -
It's times like this...
I wish Snort had intrusion prevention capability. = wink wink=
-
From the Snort FAQ
This approach is not recommended.
-
Re:snort setup
Are you familiar with snort2pf?
What do you think of it? How does it compare with what you've done?
And how about the Snort DDOS rules? -
Re:How to monitor worms...?
In general the solution you're looking for is called an "Intrusion Detection System" (or IDS for short). They are designed mostly to identify and prevent threats from the outside going in, but they can be equally effective in identifying/preventing internal network threats. There are many commercial ($$$) and free ones - one popular open source one is called Snort. I've never used it myself, but I'm told that it uses basic pattern-matching to classify threats, and that these patterns are generally available quite quickly for new threats from Snort newsgroups and mailing lists.
Otherwise, if you have servers on the same network segment as the infected systems, your servers should be running some sort of anti-virus/worm solution, which should be able to tell you exactly what address is attempting to send the server a worm. -
This sounds like a job for ...
... Snort! Faster than a speeding packet, more powerful than a trojan, able to detect small intrusions with a single cycle.
But seriously, get a Snort box installed and be more active(*) in your intrusion detection. Surely your boss can't object if you slap down a printed Snort log on his desk, and show him proof of intrusion.
dave
(*) I absolutely refuse to use the word 'proactive'. I'm not playing buzzword bingo here. -
Darknet, invite naughty traffic on your net today!
I completely agree; after spending countless hours sifting through log files and tweaking triggers to help reduce the amount of false positives, the IDS is not the complete answer.
An IDS is only so efficient; you need to first really understand your network before deploying, and even after deployment, this is only the beginning.
We have been using Darknets, or honeypots, for some time, an excellent combination of tools: see Snort, ACID (Analysis Console for Intrusion Databases).
As said before and in the article, this is a sophisticated set of tools and you need to understand your network, or you will find yourself chasing ghosts. Enter the Darknet (Honeypot).
Combined with the other tools, we have been using Honeyd, an excellent honeypot, simple to get up and going and very configurable.
Snort.org has excellent howto documentation to get the IDS up and going; then you can add the honeypot.
It can be downright humorous how quickly you will begin to capture useful information. In addition, adding scripts to interact with the traffic will allow you to keep the user busy while you are collecting data, or tarpitting the traffic, making the port "sticky" and dragging the connections; another good one would be LaBrea.
If you have any interest in network security, or simply want to monitor your home network, you need to take a look at darknet, or any of the other tools mentioned. -
Re:Open Source IDS Correlation
There are open source correlation projects out there (as opposed to QuIDScor, Sourcefire's RNA, and Tenable's NeVO) such as IDS Alert Verification, OSSIM, and Brian Caswell's simplistic honeysuckle.
-
Re:What the fuck is a 'snort'?
-
Re:I'd love to but...
Tip - If you can't afford the Shomiti (if you can afford the Shomiti your switches are probably already manageable :), or if you just want to tap a line, you can also build your own ethertap. -
Ethereal, nmap, nessus
It would be nice to get a single usage guide for all these tools together. How to use them individually or in combinations.
- nmap for basic port sniffing.
- nessus for more extensive security sweeping.
- ethereal for packet capture & analysis.
- snort for intrusion detection.
- magnum marine for spammer management (I feel a mod-down comin on!)
I have a vague notion about how to use some of them in limited fashion, but I'm handicapped by not having an intimate knowledge of how IP and TCP really work (down at the packet level).
-
Re:I'd love to but...
-
Re:Open vs. closed...
"I rarely even bother to look at the source."
Maybe you don't, but I certainly do. Not everything of course, but in my experience there are a lot of people who look at and learn from the source code of a package, just for fun. They won't actively develop or even provide a little patch, but they look at the source nevertheless.
I've experienced this on several occasions, once when looking at Snort (an intrusion detection system) and more recently when looking at TOra (a database client). In both cases when I asked questions on the developer list, people replied who were not active developers but just had a go scrolling through the source to see what it was doing.
-
they are everywhere!
I'm actually a little surprised at the small number of network tools that have been suggested. While Ethereal is a godsend (it recently solved a very puzzling DHCP issue that we were having on one of our networks), it isn't the end of what you need to have.
Buy one linux server, and then discover the wonders that are ping and SNMP. Simple tools such as Nagios and MRTG (or NRG or Cricket) can do wonders for helping spot problem switches/routers and congestion spots.
For example, every device we have is pinged 3 times every minute, and queried for bandwidth usage every 5 minutes. This has helped in finding bottlenecks, and the occasional switch that reboots every few minutes. (MRTG alone convinced the higher-ups to buy new gear for our Datacenter and give it a dedicated link to the Core).
Also, setting up a wonderful SNMP trap server can be very useful. It allowed us to find a switch that likes to reboot at random intervals (the switch is 5 years old and being replaced this weekend). Of course, having it send a trap whenever a switch reboots is just the start of what certain switches/routers can do.
Also the use of Snort to sniff traffic that can be potentially malicious can be very helpful in tuning firewalls and finding those script kiddies. (use ACID for a pretty front end)
Another nice tool is NTOP. It does almost everything NetFlow does and has a pretty graphical frontend built in. (I recently used this to find out that one of our firewalls was sending gigs of syslog data to the wrong server.)
And with the mention of syslog, might as well throw out a link for syslog-ng. Yet another useful tool.
Basically the point of this is to say that sometimes it's best to let your equipment do the talking. They'll usually tell you what's wrong, just as long as you've set them up to do so. I found that once we put a lot of these tools into full production, we were able to cut down on our need to sniff the line whenever problems came up. This isn't to say that Ethereal isn't needed. That's hardly the case. Its use is still huge and shown all the time.
-
Re:snort [Funny]
Snort as a recommendation is a rather good pun but, as a network sniffer (packet capture/protocol analyzer) Snort is not the answer.
Snort is an Intrusion Detection System (IDS) that monitors network traffic and performs an action when it sees a matching pattern. That action could be a log entry, or it might be configured to save the packet to a file. Other actions are possible using external programs. Snort uses libpcap, of TCPDump fame, to monitor or capture the network traffic. Snort is useless for displaying or analyzing network traffic, but this is not a function that it was designed for.
Ethereal is a graphical protocol analyzer, although it does include a command line version as well called Tethereal. Ethereal also relies on libpcap for actually capturing the network packets, but it goes much further than simply capturing network packets. Ethereal displays a breakdown of the packets themselves, separating, categorizing and displaying the various fields and data in a packet. It goes further by also decoding a long list of higher level protocols that may be included in the packet.
Ethereal is also capable of reading and decoding network traffic that has been captured and saved in other formats. Ethereal can read and save packet capture files in MS Network Monitor, NAI Sniffer Pro, and many other formats. Ethereal is increasingly recommended by companies such as Novell, which has had its own protocol analyzer for years called Lanalyzer. Cisco support engineers are also increasingly recommending the use of Ethereal for capture and analysis of network traffic when troubleshooting potential problems with their equipment.
TCPDump has also been recommended by many people here on Slashdot. TCPDump is a command line based protocol analyzer. It also relies on libpcap for actual packet capture, but it then displays a breakdown of the actual packets. Its display is not as attractive or as configurable as the graphical Ethereal and it is more limited in the number of protocols that it can interpret and disassemble, but it is still a very powerful and capable program. Furthermore, its output can be saved for further examination by Ethereal.
-
Wireless AP in Marketing?
Today "Tom in Marketing" can set up a wireless access point in about 5 minutes, potentially leaving a door open to the rest of the network.
To check if there are any wireless networks around, you might have to wardrive the premises. A laptop, a WiFi card and NetStumbler is all you need for a quick scan of the surroundings. Depending on the layout of the company, a GPS can be added to pinpoint a rogue access point easier. Not strictly necessary though. Just take a walk around the building and you will see what pops up; some of it might be part of your wired network, bridged to wireless and left open to the world.
Sniffing traffic on an unauthorized part of the network is not difficult, snort or similar can do the trick. Physically removing the AP is easier though... "Tom" will report to your office to get his router/bridge back .. -
Snort
Snort can be used to sniff packets on an only-get-what-you-want level. For the admins like myself who do most of their admining from a remote box, Snort can be very useful. With custom rules, you can configure snort to report packets which have relevance, rather than capturing all packets and looking through afterwards. Hope that helps.
-
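How a custom rule picks out "packets which have relevance", and how Snort "performs an action when it sees a matching pattern" as the Snort-vs-Ethereal comment earlier on this page puts it, shown as an added example that is not part of either comment and not Snort's own code: a small Python matcher for a subset of Snort 2 rule syntax (a header with any/CIDR/$VAR addresses and any/single/range ports, plus the msg, content with |hex| escapes, sid and rev options), run over constructed packets. The rules, SIDs, messages, the $HOME_NET value and the packets are all made up for this example; real Snort also handles option modifiers such as nocase, offset and depth, port lists and many more protocols, none of which this toy implements.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed rules in Snort 2 syntax. SIDs are in the local 1000000+ range and
# the messages are made up for this example.
CUSTOM_RULES = r"""
alert tcp any any -> $HOME_NET 6667 (msg:"example IRC NICK seen"; content:"NICK "; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6669 (msg:"example IRC on non-standard port"; content:"JOIN "; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"example web probe"; content:"/cgi-bin/"; sid:1000003; rev:1;)
"""

# Assumed variable definitions (snort.conf's "var HOME_NET ..." lines).
VARS = {"HOME_NET": "10.1.0.0/16", "EXTERNAL_NET": "!10.1.0.0/16"}

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Options are key:value; pairs; a value may be quoted and contain ';'.
OPTION_RE = re.compile(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def decode_content(s):
    """Expand Snort's |xx xx| hex escapes inside a content string into raw bytes."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    rule = m.groupdict()
    opts = {k: v.strip('"') for k, v in OPTION_RE.findall(rule.pop("opts"))}
    rule["opts"] = opts
    rule["content"] = decode_content(opts["content"]) if "content" in opts else None
    return rule


def addr_matches(spec, addr):
    """'any', a CIDR, a $VAR, each optionally negated with a leading '!'."""
    if spec.startswith("$"):
        spec = VARS[spec[1:]]
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = True if spec == "any" else ip_address(addr) in ip_network(spec)
    return hit != negate


def port_matches(spec, port):
    """'any', a single port, or a lo:hi range with either end open."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def rule_matches(rule, pkt):
    """pkt is a dict with proto, src, sport, dst, dport and payload (bytes)."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False

    def one_way(a, ap, b, bp):
        return (addr_matches(rule["src"], a) and port_matches(rule["sport"], ap)
                and addr_matches(rule["dst"], b) and port_matches(rule["dport"], bp))

    hdr = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["dir"] == "<>":  # bidirectional: either orientation satisfies the header
        hdr = hdr or one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not hdr:
        return False
    return rule["content"] is None or rule["content"] in pkt["payload"]


def alerts_for(rules, packets):
    """(sid, msg, packet index) for every rule/packet pair that matches."""
    return [(r["opts"]["sid"], r["opts"]["msg"], i)
            for i, p in enumerate(packets) for r in rules if rule_matches(r, p)]


# Constructed packets standing in for decoded traffic.
PACKETS = [
    {"proto": "tcp", "src": "10.1.5.23", "sport": 1034, "dst": "198.51.100.7", "dport": 6669,
     "payload": b"NICK bot123\r\nJOIN #c\r\n"},
    {"proto": "tcp", "src": "203.0.113.9", "sport": 51022, "dst": "10.1.2.80", "dport": 80,
     "payload": b"GET /cgi-bin/test HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "10.1.2.80", "sport": 80, "dst": "203.0.113.9", "dport": 51022,
     "payload": b"HTTP/1.0 200 OK\r\n"},
]

if __name__ == "__main__":
    rules = [parse_rule(line) for line in CUSTOM_RULES.strip().splitlines()]
    for sid, msg, i in alerts_for(rules, PACKETS):
        print(f"[{sid}] {msg} <- packet {i}")
```

The first rule never fires on these packets because the header already rejects them (wrong destination or port) before the content check runs, and the server's reply in packet 2 is not matched by the web-probe rule because its source is inside $HOME_NET; that header-first, content-second order is why a tight header on a custom rule keeps the capture down to what you actually want to read remotely.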
Re:I don't appreciate the hardware very much...
Hardware firewalls are not meant for exquisite filtering or heavy duty VPN. What does make firewalls nice is that they have multiple ports (hence a router) and have a FULL bandwidth between any 2 channels.
I agree with you, to a point. For a medium sized network like mine, where there are _no_ hubs except for the one at the firewall (so the snort box can listen), the switches will take care of keeping the bandwidth that the firewall actually hears to a minimum. The PCI bus can handle 127-ish MB/s and 64 bit PCI can handle 508-ish. So unless you have a really high traffic system[1], this setup is not even noticeable compared to a Cisco or other heavy duty router.
[1] I have a really high traffic FTP server on my DMZ that is accessed a lot from systems on one of my NAT's and from the internet. What I did was move this system (OBSD) in _front_ of the firewall and enable PF on the FTP server to firewall it. Then I added a 2nd NIC to the FTP server so it plugs directly into the LAN. This makes sure that almost _no_ traffic from that system actually hits the firewall. If I didn't do this, the PCI bus, like you say, would slow things to a crawl. -
Re:In a nutshell - somehow
What I'm interested in is was it possible to do forensics before the box was switched off, and was there an IDS (such as Snort) installed and positioned in such a place as to be useful? If so then hopefully the attacker may have been logged by the IDS which may leave some vital clues as to the methodology the hacker used, and may even have logged the root exploit's raw packets.
For anyone that's curious I'd recommend a look at the Honeynet Project's Challenges page, esp. the Scan of the Month sample incident and submitted answers from the community - very good for learning how to perform an analysis.
-
Re:Intrusion detection software
I'm actually asking if anyone knows of a free, OSS or not, alternative.
Snort is quite useful on *NIX machines. Quoth FreeBSD's security/snort port description:
Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate "alert" file, or even to a Windows computer via Samba.
Packets are logged in their decoded form to directories which are generated based upon the IP address of the remote peer. This allows Snort to be used as a sort of "poor man's intrusion detection system" if you specify what traffic you want to record and what to let through.
For instance, I use it to record traffic of interest to the six computers in my office at work while I'm away on travel or gone for the weekend. It's also nice for debugging network code since it shows you most of the Important Stuff(TM) about your packets (as I see it anyway). The code is pretty easy to modify to provide more complete packet decoding, so feel free to make suggestions.
-
Re:is this a better form of intrusion detection...
To the complete idiot of a clueless moderator who modded the above post a "troll", SNORT is an open source intrusion detection system. The poster above was asking an honest question. Again, to the moderator who modded that comment a troll, you sir are a clear idiot! The next time you have mod points (not sure if this is possible) you need to mod that comment back up---before I whack your ass in the head with a clue-by-four. fucking eeeediot!
-
Some comments
I've got a few comments, and seeing as I'm Snort's author I thought people would care for once. :)
First off, I'm not just Snort's author, I'm also the founder of Sourcefire. Sourcefire was started once it became apparent that enough commercial/governmental users wanted commercial support to make it a viable business model. Raising the VC was not easy; try going into a venture capitalist's office sometime and telling them about how you want to build a product company around a core technology that's free. I talked to something like 12 different investment firms before we got the time of day from anyone. VC wasn't really looking for the next big Open Source story in 2001, they were trying to figure out what the hell happened to all their investments.
Sourcefire eventually got funded, but we did it the old-fashioned way by building the product on a shoestring and then selling it into big accounts. Once we made a few hundred kilobucks from my living room (i.e. the original Sourcefire corporate campus), we finally got some attention and (eventually) money. Let me reiterate, it was not easy.
The author of the article could have saved some money on books (and so can you) if you simply read the USAGE file and the SnortUserManual.pdf file that should be included with your Snort download. Both of those files have quickstart information that will let you get up and running with Snort in about 15-30 minutes. Snort was designed to be easy for people who are used to using Linux; keep that in mind when using it for the first time. If you're getting lots of little log files, try using the -b switch at the command line; it'll log to a single file in pcap binary format (like ethereal/tcpdump). Additionally, read the FAQ and check out the mailing lists, they're invaluable.
Finally, the security vulnerabilities that were located in Snort this past spring led us to perform an internal and two external independent paid security audits of the Snort code base, funded by Sourcefire. We're also exercising additional diligence when evaluating contributed code and looking at the code we're developing internally at Sourcefire. It should be noted that all the code that is developed for Snort at Sourcefire is released under the GPL; we're dedicated to always keeping Snort free and making it the best IDS we can.
-
Re:Intrusion Detection is not plug and play
here is the link for the Google-impaired: snort & acid.
-
Re:This one is even cheaper..
Including links is good.
Snort, Apache, PHP, MySQL, ACID on Redhat 9.0 Installation Guide
Also, throw snortcenter in the mix and you've got a full solution in an easy to manage package. -
This reviewer is clueless
Try reviewing Snort books when you know something about Snort. For example, saying "This book, and the Koziol book, cover Snort version 2.0, which isn't all that much different from version 1.9 covered in the Rehman book" shows you know nothing about Snort's internals. Snort 2.0 offers several new features -- check them out!
These reviews are more helpful. A copy of the Koziol book is on the way to the Amazon.com reviewer so he should be able to rate it against the Caswell and Rehman books.
And those ratings -- 4/10 for Caswell, currently selling at #423 at Amazon.com, compared to 7/10 for Rehman, currently #5691 at Amazon.com? Popular opinion isn't everything, but people are clearly buying the better book -- despite its faults.
Helevius
-
Re:Honest question
Obviously a complete block is not going to work, but there's plenty of systems that filter traffic smartly. Leaving an IIS server open like that is just asking for trouble. I reckon I get more hits from IIS exploits than genuine web hits. You need a firewall of some kind - take a look at something like Smoothwall with its Snort IDS, or if you're hardcore, OpenBSD plus httpf or Pound (along with Snort or PortSentry and co.).
-
Re:Agreed
AMEN to this. I had a remote user get Slammer. My T-1 provider phoned at 2:00 AM to inform me that my network was broadcasting the nasty. I assured him I was not, but a quick packet capture at the gateway hinted I was wrong. When I revoked his dialin privileges, he was on the phone at 2:30 AM asking why he couldn't get in. I told him I was sleeping and he was infected; to call me back when he had reformatted, reinstalled, patched and scanned. When he called back again, I told him I wasn't done sleeping; I'd call him back later.
This was the incident that finally got me to deploy SNORT at a few choice spots on my network. -
Use Snort
As far as I know, Snort should be able to recognize Messenger's packets' fingerprints and block them.
-
Yet another.. why?
I honestly don't see the purpose in this site or the tool being developed to use it. I use Nessus on a daily basis and it seems to work just fine for this task.
I mean what more could you ask for... a client/server based vuln. scanner that will give you reports in xml, csv, txt, html, doc... Since the site and database has been created, maybe you should just write a program that exports the exploit tests as Nessus nasl scripts so we can do the tests and Snort rules so we can detect testing. -
Building an Ethernet Tap
I read this review and looked through the Snort site and I've come to the conclusion that you must implement one of the following to use Snort to monitor incoming traffic between your router and a switch:
- An ethernet tap
- A spanning port on your switch
- A hub in between the router and switch
I have no spanning capabilities on my switch and I'm not about to put some $40 CompUSA hub on my production network so the only real choice for me is an ethernet tap. However, I'm having a very difficult time finding schematics for building a 100Mbit ethernet tap. The best I could find is this brief PDF that discusses a bi-directional tap. Unfortunately, this method also requires a spanning port on a switch.
I've found commercial ethernet taps for sale but they all cost upwards of $400. Surely there is a way to build one of these in a home workshop. Does anyone have schematics?
Chris - An ethernet tap
-
Other Snort books
I haven't read Koziol's book. The other books the reviewer mentions are:
Snort 2.0 Intrusion Detection
Which is the one I helped out with, and:
Snort 2.0: The Complete Guide to Intrusion Detection
which isn't out yet. The Syngress book came out really well. Jeff, Dragos, and Jed are all really sharp guys, so I don't doubt their book will be good too, but it's not out quite yet.
The book I helped on has been getting really good reviews on Amazon, and sales have been great. It was written by some great guys from the Snort community, notably Brian Caswell who runs snort.org and Jay Beale, who people will probably recognize from the Bastille project. -
Things you should do
The most important thing you can do, IMHO, is to join bugtraq or similar lists so you have a rough idea what is happening.
Other ideas
- Set up a network of very cheap boxes with old software you know to be vulnerable, and try using exploits against them.
- Try hardening and patching those boxes so the exploits don't work anymore. (You'll frequently be patching/protecting obsolete boxes in the real world, so this is actually realistic.)
- Try adding tripwire and snort to stop/detect attacks. Configure snort with database logging, with syslog/swatch, etc. Clients will want it done in a variety of ways, so it is good to be able to do it in different ways.
- Familiarize yourself with as many of the tools in Fyodor's list as possible. Using them will be the bread and butter of your work. That includes scanners like Nessus.
- Read an ultra-paranoid book that will give you an overall view of the field (e.g. John M. Carroll's "Computer Security, Third Edition").
- Practice security. As you install and register software, watch what is happening to the box.
- Pick an area of security that you want to specialize in...there are too many bugs and holes each week to know all of them...just the PHP code injection stuff will keep you swamped.
- Don't be afraid to ask more advanced people security questions, but do your homework first, and make sure that they know you have. They will take you more seriously if you say "I've already read the FAQ and the man page, but I'm not clear on...." than if you say, "Dude, how do I do...". This can make your learning experience far less painful.
-
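As an added illustration of the "database logging, with syslog/swatch" setup the list above mentions (not the poster's own configuration), here are Snort 2.x-era output directives paired with a swatch rule that reacts to the resulting syslog lines. The database credentials, mail address and log file path are assumptions.

```conf
# --- snort.conf fragment (Snort 2.x output plugins) ---
# Send every alert to syslog: facility LOG_AUTH, priority LOG_ALERT.
output alert_syslog: LOG_AUTH LOG_ALERT
# Also store alerts in MySQL so a console such as ACID can query them.
# user/password/dbname/host are placeholders, not real credentials.
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# --- /etc/swatchrc: react to Snort alerts as they hit the syslog file ---
# A syslogged Snort alert begins like this constructed sample:
#   snort[1234]: [1:9999:1] Example alert [Priority: 2]: {UDP} 10.0.0.5:1434 -> 10.0.0.9:1434
# The pattern keys on "snort[pid]: [gid:sid:rev]" so unrelated log lines are ignored.
watchfor /snort\[\d+\]: \[\d+:\d+:\d+\]/
    echo red
    mail addresses=secops\@example.com,subject=Snort\ alert
    # Suppress repeats of the same line for five minutes so a worm
    # outbreak does not turn into a mail flood.
    throttle 00:05:00

# Start it against the file LOG_AUTH lands in (assumed Debian path;
# Red Hat-style systems use /var/log/secure instead):
#   swatch --config-file=/etc/swatchrc --tail-file=/var/log/auth.log
```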
One of two ways, depending...
First off, computer security is much like many other forms of security, at the concept level. The particulars of implementation are very different, but the underlying motives of the players and the interactions aren't. The infamous 419 scam was originally done in person, then by phone, and then by fax before it was possible to do it via email, for example, and lesser variants of it (the pigeon scam, for example) have existed in the offline world.
If you're looking to grasp home user or end user security, the first thing I'd do is buy The Gift of Fear by Gavin de Becker. Right off, that will give you a good understanding of intuitive threat modeling for everyday life. Unfortunately, I can't find a book out there that does home-user security for the average joe, nor can I find a class...but I am writing a book myself.
If you're interested in security from a more admin-oriented perspective, I would go to SecurityFocus and check out some of their mailing lists. At first, the material may be over your head, but you'll find that only pulls you up a bit. Also, get yourself a Linux box and learn Linux (if you don't already know it). Set up a honeynet and see what's going to happen to an unpatched, exposed box. Or just set up Snort with ACID as the front-end console to observe the attacks that are taking place. Once you understand the threat, it becomes a lot easier to decide what to study to defend against it. -
Materials to start with
Try "Network Intrusion Detection: An Analyst's Handbook" by Stephen Northcutt.
"Know your Enemy" from the Honeynet Project
Experiment with the following programs:
Snort
Ethereal
IPTables
TcpDump/LibPcap
Follow articles/join mailing lists at:
CERT
Securityfocus
Examine analysis of the Scan of the Month Challenge at the Honeynet Project website.
Get yourself CISSP reference texts and generally increase your knowledge. I believe Cisco now has a few security-based certifications as well, YMMV. -
Great...
...and my article about the Snort 2.0 release (released April 14) was rejected. Sure, an out-of-print, horribly out-of-date PDF gets TWO notices, but a leading-edge security monitoring device is blown off...
Gotta wonder who the "Stuff" is in the "Stuff that matters" tagline...?
Dan -
my 2 lines of perl...
I had good experience with the following tools: Cacti
It's based on RRD, the successor of MRTG (not much developed anymore, but still a good tool). Thanks Tobi, btw.
OpenNMS is a really powerful realtime monitoring tool
Nagios also...
Don't forget Snort for your IDS needs, and add acidlab for good visualization of Snort's results. -
Speaking of Security - Snort Vulnerability.
-