Re: Antigen forwarded attachment

From: Raj Malhotra (ral.mal_at_gmail.com)
Date: 09/03/04

  • Next message: Michael McDonough: "Re: serial-line protocols"
    Date: Fri, 3 Sep 2004 11:50:59 +0530
    To: antigen_charun <antigen_charun@gmail.com>
    
    

    Hi All,

    Based on the good discussion and feedback we had w.r.t. our question, we
    conducted the following experiment:

    1) The aim was to have some kind of a system that allows us to view the
    complete session of an attacker. We used one machine to run "tcpdump"
    with the "-w" option, one machine to run "snort", and a "cisco 512", all
    connected to the same 100Mbps hub.
    2) 4 machines were used to run tcpreplay at 10Mbps (from each
    machine), to have an aggregate data rate of 25-30Mbps on the hub.
    There were two valid buffer overflows in the traffic, and both were
    for the same vulnerability.
    3) The machine configurations were as follows:
          for running snort and tcpdump:
          100Mbps Intel on-board NIC with e100 driver for Linux-RH-9.0
          512 RAM, P4-2.0 MHz, IDE 40GB hard disk at 10,000 RPM
          two 66MHz, 64bit PCI buses
          
    Observations:
    1) The two IDSs were able to trigger an alert for the two attack streams.
    2) But tcpdump logged only one of them, and the other was logged
    partially (packets were dropped).

    Questions:
    1) Was the data rate too high for the particular machine configurations?
    2) Do we need any modifications to the disk and network drivers to
    improve the performance?
    3) Is there an issue with regard to the way PCI buses on the
    motherboard are associated with the cards connected to them? (One of
    the Intel motherboard manuals says the speed of the bus will be equal
    to the speed of the slowest card plugged into that bus.)

    Any experiences with regard to the above queries will be appreciated.

    Thanks

    Raj

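Raj's three questions (data rate, drivers, PCI layout) can be narrowed down with two counters that are already on the capture box. What follows is an added example, not code from the original post or from the tcpdump project: a small Python script that parses the summary tcpdump prints on stderr at exit, parses the receive columns of /proc/net/dev for the capture interface, reports at which layer packets were lost, and works out the disk write rate a "tcpdump -w" capture has to sustain at a given load. The sample tcpdump summary, the /proc/net/dev snapshot, the interface name eth0 and the 30 Mbps / 600-byte traffic mix are all constructed.

```python
"""Triage helpers for a "tcpdump -w" capture that reports dropped packets.

Added example, not part of the original post. It reads the two counters that
separate the cases Raj asks about: libpcap's "dropped by kernel" figure (the
packet socket buffer filled before tcpdump drained it) versus the receive
errs/drop/fifo columns of /proc/net/dev (the NIC or driver lost the frame
before the packet socket ever saw it). It also works out the disk write rate
a full-packet capture needs at a given offered load. All inputs are constructed.
"""
import re

# Constructed sample of the summary tcpdump prints on stderr at exit.
SAMPLE_TCPDUMP_SUMMARY = """\
1834221 packets captured
2150980 packets received by filter
316759 packets dropped by kernel
"""

# Constructed /proc/net/dev snapshot; eth0 is the capture interface.
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    12345     100    0    0    0     0          0         0    12345     100    0    0    0     0       0          0
  eth0: 1200345678 2150980    0   42 1917     0          0         0     5678      90    0    0    0     0       0          0
"""

_SUMMARY_RE = re.compile(
    r"^\s*(\d+) packets (captured|received by filter|dropped by kernel)\s*$", re.M)


def parse_tcpdump_summary(text):
    """Return {'captured', 'received', 'dropped'} counts from tcpdump's exit summary."""
    labels = {"captured": "captured",
              "received by filter": "received",
              "dropped by kernel": "dropped"}
    stats = {labels[label]: int(count) for count, label in _SUMMARY_RE.findall(text)}
    missing = sorted(set(labels.values()) - set(stats))
    if missing:
        raise ValueError("summary incomplete, missing: " + ", ".join(missing))
    return stats


def kernel_drop_ratio(stats):
    """Fraction of filter-matched packets lost at the packet socket."""
    if stats["received"] == 0:
        return 0.0
    return stats["dropped"] / stats["received"]


def parse_proc_net_dev(text, iface):
    """Return the receive-side errs/drop/fifo counters for iface."""
    for line in text.splitlines():
        if ":" not in line:          # the two header lines carry no interface name
            continue
        name, counters = line.split(":", 1)
        if name.strip() != iface:
            continue
        f = counters.split()         # rx: bytes packets errs drop fifo frame ...
        return {"rx_errs": int(f[2]), "rx_drop": int(f[3]), "rx_fifo": int(f[4])}
    raise KeyError("interface %s not in /proc/net/dev" % iface)


def required_write_rate_mb_per_s(link_mbps, avg_pkt_bytes, snaplen=65535):
    """Megabytes per second a pcap writer must sustain at link_mbps of traffic.

    Each pcap record is a 16-byte header plus min(packet length, snaplen) bytes,
    so a full-packet capture writes slightly more than the wire carries, and a
    short snaplen (tcpdump -s) cuts the disk rate roughly in proportion.
    """
    pkts_per_s = link_mbps * 1_000_000 / 8 / avg_pkt_bytes
    bytes_per_record = 16 + min(avg_pkt_bytes, snaplen)
    return pkts_per_s * bytes_per_record / 1_000_000


def diagnose(summary_text, proc_net_dev_text, iface):
    """Name the layers at which the capture lost packets, outermost first."""
    stats = parse_tcpdump_summary(summary_text)
    nic = parse_proc_net_dev(proc_net_dev_text, iface)
    where = []
    if nic["rx_errs"] or nic["rx_drop"] or nic["rx_fifo"]:
        where.append("nic")      # frames lost before libpcap counted them
    if stats["dropped"]:
        where.append("socket")   # libpcap saw them but the buffer overflowed
    return where


if __name__ == "__main__":
    stats = parse_tcpdump_summary(SAMPLE_TCPDUMP_SUMMARY)
    print("kernel drop ratio: %.1f%%" % (100 * kernel_drop_ratio(stats)))
    print("loss seen at:", diagnose(SAMPLE_TCPDUMP_SUMMARY, SAMPLE_PROC_NET_DEV, "eth0"))
    for snap in (65535, 96):
        print("30 Mbps, 600-byte packets, snaplen %5d: %.2f MB/s to disk"
              % (snap, required_write_rate_mb_per_s(30, 600, snap)))
```

Read the result this way: the "dropped by kernel" count is libpcap's own drop statistic, so on Linux it means the packet socket's receive buffer filled faster than tcpdump emptied it into the file; a climbing errs/drop/fifo column on the interface means the frames never reached that buffer at all, which points at the NIC, its driver or the bus it sits on. Only the first case is helped by a larger capture buffer (current tcpdump exposes this as -B) or a shorter snaplen (-s); the arithmetic in required_write_rate_mb_per_s shows that at 30 Mbps a full-packet capture needs only a few MB/s of sustained disk throughput, so when the socket counter is the one climbing the bottleneck is usually buffering and scheduling rather than raw disk bandwidth.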

