RE: [Full-Disclosure] Dcom.c - (Shutting it down on 5,000 systems) - a Paul Schmehl Post

From: Andy Wood (andy_at_digitalindustry.org)
Date: 07/30/03

    To: <full-disclosure@lists.netsys.com>
    Date: Tue, 29 Jul 2003 18:18:20 -0400

    "Try sitting in front of the console staring at a half a million
    alerts and see if the IDS *does* anything besides spewing information that
    *you* have to research, that *you* have to interpret and that *you* have to
    take action on." - Paul, if I'm not mistaken.

            This is the CHIEF complaint of USERS that fail to comprehend how to
    effectively deploy or use 1 or more IDSs in their environment. This
    shortsightedness leads to the inability to also use an IDS to provide
    assistance to the non-security Windows/UNIX admins (Spotting misconfigured
    services as an example). 'How can I collect my overpriced salary, yet not
    have to do any work'? Let's bring this to another professional field. 'Ole
    Paul goes to his doctor....something's amiss. The Doc draws your blood and
    there is surely something going on....something is in you wreaking havoc,
    but he's not sure. Maybe it is a mutated virus, a bacterial agent of some
    sort.....he just can't tell, never seen it before. Oh well for
    you...there's no machine to tell him and he's not into analyzing the
    results....too many patients to be worried about one person with a strange
    'issue'.....no money in that! Yeah right! How about a Lawyer? Will he
    pass up his $300+ dollars/hr cause he has to research a case? Nope, just
    lame Net Admins. The research is the fun part of the job. It keeps those
    who like a challenge from putting a gun in their mouths and pulling the
    trigger from dealing with the lamers. But for those who like only to
    collect a paycheck, well...I can imagine what a disruption from SLACKING it
    must be to not have someone issue you an answer!!

            It's really a shame people don't get it. Our customers have
    benefited GREATLY from IDS monitoring (and yes, it does require time and
    effort). Both inside and outside hackers have been caught, evidence
    gathered and action taken. Not by the machine, but by a human.....and a
    machine would not have caught these attempts, nor would IPS....it was done
    by discovering and ANALYZING/RESEARCHING trends in allowed/authorized
    traffic, creating special rules for the unknown, etc. I.E., would you have
    liked to have seen someone accessing your print servers? ....Snort detects
    this activity, as well as people trying to mod the displays of HP printers.
    Since you allow unrestricted access to most of your print servers an IDS
    WOULD prove beneficial! After all, it was allowed web traffic...nothing
    wrong with www traffic right, as per policy. Thank God you need not rely on
    forensic analysis....Talk about an unnecessary pain on the ass, whoo-doggie.
    All the care required to ensure admissible evidence...it's just not worth
    it, right?

            There are cases in which it is appropriate and safe to use
    flexresp/shunting with IDSs to reject attacks, or stop use of services. For
    example, if you don't want your users using AOL, tcp reset the AOL login
    packets...that'll stop em.....if *you* stay on top of the AOL logon server
    list, but we're back to the *you*, *you*, *you* part again....sorry. It all
    seems to go back to the admin's job.

            Fixing user's font problems or catching a Mitnick wanna-be, let me
    think. (Let them praise his name in the dance: let them sing praises unto
    him with timbrel and harp....KEVIN, PAUL, KEVIN, PAUL, KEVIN, PAUL, KEVIN,
    PAUL, KEVIN, PAUL.....whoops, while you were reading this you were just
    hacked... were you....do you know?) Pick a packet, any packet. It's like a
    nursery rhyme: Pauly should-a Picked Apart A Hack Attack Packet, but the
    admin couldn't track the stack smack cause he lacks the faqs. So, as the
    fast hacks fulfilled their 'Chronic' snacks attacks while surfing the campus
    fibre backs and covering their syn-ack tracks, little pauly wishes he had a
    tool that could keep him from playin the suck-a fool. Adjunct for a
    reason, are we?

            See ya!

    -----Original Message-----
    From: Schmehl, Paul L [mailto:pauls@utdallas.edu]
    Sent: Tuesday, July 29, 2003 4:06 PM
    To: Andy Wood; full-disclosure@lists.netsys.com

    >-----Original Message-----
    >From: Andy Wood [mailto:andy@digitalindustry.org]
    >Sent: Tuesday, July 29, 2003 2:22 PM
    >To: full-disclosure@lists.netsys.com
    >Subject: [Full-Disclosure] Dcom.c - (Shutting it down on 5,000 systems) - a Paul Schmehl Post
    >
    >
    > (Now that I see the rest of the orig post I'll comment on the
    >IDS part):
     
    > Weak-ass admins ONLY complain that IDS' make work for them AND
    >that they are worthless.....Boo hoo, *we* have to research, *we* have
    >to interpret and *we* have to take action....WAAAAAAAAAAAAAAAAAA.

    > So, some joe-hacker that has intelligence so far beyond most
    >any-type admin (especially Windows), and he wants into your
    >network.....the complaint is that ya might have to do some analysis?

    No, that wasn't the complaint. You completely missed the point. The
    original poster stated that IDSes "protect" you. He even went so far as to
    quote from the dictionary the definition of "protect". I countered that
    they do nothing but spew information. Someone has to do the analysis and
    research and so forth.

    Never **once** did I **complain** about it. For someone who claims to have
    "creativity", you sure lack basic reading skills.

    The rest of your vomit isn't worth responding to.

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu/~pauls/

    ---
    Incoming mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.504 / Virus Database: 302 - Release Date: 7/24/2003
     
    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.504 / Virus Database: 302 - Release Date: 7/24/2003
     
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
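As an added example (not code from either poster), here is the kind of policy-based detection Andy's print-server point above calls for: flows that a "www is allowed" rule never blocks but that still warrant an alert, plus the per-source trend count an analyst would research. The print-server addresses, admin subnet, port set and flow records are all constructed for illustration.

```python
# Added illustration, not from the thread: flag access to print servers from
# outside the admin subnet and tally it per source so trends stand out.
import ipaddress
from collections import Counter

# Assumed (constructed) environment values
PRINT_SERVERS = {"10.20.0.11", "10.20.0.12"}
PRINTER_PORTS = {9100, 515, 631, 80}              # raw print, LPD, IPP, web UI
ADMIN_NET = ipaddress.ip_network("10.1.0.0/24")   # hosts allowed to reach printers


def parse_flow(line):
    """Parse a constructed 'ts src dst dport' record; return None if garbled."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    ts, src, dst, dport = parts
    try:
        ipaddress.ip_address(src)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport)}


def detect(lines):
    """Return (alerts, per-source Counter) for non-admin hosts touching printers."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        outside_admin = ipaddress.ip_address(f["src"]) not in ADMIN_NET
        if f["dst"] in PRINT_SERVERS and f["dport"] in PRINTER_PORTS and outside_admin:
            alerts.append(f)
    return alerts, Counter(a["src"] for a in alerts)


# Constructed sample flows (not captured traffic)
SAMPLE = [
    "08:01:02 10.1.0.5 10.20.0.11 9100",   # print admin: allowed, no alert
    "08:01:09 10.7.3.44 10.20.0.11 80",    # lab host hitting the printer web UI
    "08:01:10 10.7.3.44 10.20.0.12 9100",  # same host, raw print port
    "08:02:00 10.7.9.2 10.20.0.11 9100",
    "garbled line",                        # ignored by the parser
]

if __name__ == "__main__":
    alerts, trend = detect(SAMPLE)
    for a in alerts:
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['dport']} printer access outside admin net")
    print("sources by alert count:", trend.most_common())
```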
    
