RE: Tools to help incident response



Johnny,

You may want to consider a pro-active approach as a long-term control.
Something life WebSense, which plugs into your firewall and identifes
traffic by type, protocol, port and content. I have used it successfully at
several client locations. We typically used it to first identify P2P users,
generate reports showing bandwidth usage, and then captured some of the
material to show liability. Management autorized the blocking once false
positives were ruled out repeatedly. It's modular and does much more than
P2P. Worth a look.

If you already have an IDS, you could use that to detect, and if it has IPS
capabilities, block the traffic.
Firewall is also a great chokepoint, as are caching proxy servers.

Useful Links:
Identifying P2P users using traffic analysis
http://www.securityfocus.com/infocus/1843
P2P Detection Methodology Paper:
http://portal.acm.org/citation.cfm?id=1090948.1091375
Snort Forum article: http://www.snort.org/archive-3-409.html

Cheers!
Mark
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx]On Behalf Of Johnny Wong
Sent: Thursday, October 12, 2006 9:30 PM
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: Tools to help incident response


Hello,

I am part of the incident response team in my organization. Part of
our daily task is to respond the virus/worm incidents by remote
scanning the suspected machines. We have been using Stinger.exe from
McAfee to do this. The pros of using Stinger are (1) it's
lightweight, (2) it's command-line executed hence I could use Psexec
with it. However, Stinger.exe hasn't been updated since May 06, and
we have encountered situations where it failed to detect newer worm
variants. Can anyone point me to other lightweight virus/worm
scanners out there?

Secondly, we have been having problems with P2P software running in
our networks. Time and again we have to use network logs to trace
P2P-enabled machines and tell the owners of these machines to
uninstall the offending software. Is there a scanning tool out there
that can detect the presence of P2P software on a machine?

Thank you all,

J Wong
Singapore


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in
tro_sfw
to learn more.
------------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------



Relevant Pages

  • Re: Norton 2005 Int Security, Trend PCcillin or Zone Alarm ???????
    ... > I want security I can run on both machines. ... System overhead is higher than standard firewall applications. ... Symantec products do not remove (uninstall) well. ... Micro Trends PC-Cillan is very good (possibly the best in home network ...
    (alt.computer.security)
  • Re: install
    ... You just need to set up your network correctly. ... start by running the Network Setup Wizard on all machines (see ... Problems sharing files between computers on a network are generally caused ... by 1) a misconfigured firewall or overlooked firewall (including a stateful ...
    (microsoft.public.windows.vista.installation_setup)
  • Re: Cant Connect To Network Printer
    ... I have sharing turned on. ... start by running the Network Setup Wizard on all machines (see ... by 1) a misconfigured firewall or overlooked firewall (including a stateful ... put all computers in the same Workgroup. ...
    (microsoft.public.windows.vista.print_fax_scan)
  • Re: Two Vista machine on the same network cant see each other.
    ... -Network set to "Private Network" on both machines ... -Public sharing ON on both machines ... a misconfigured firewall or overlooked firewall (including a stateful ... identical user accounts and passwords on all Workgroup machines; ...
    (microsoft.public.windows.vista.networking_sharing)
  • Re: Shared folders on Xp cannot be found from Vista
    ... Assign passwords and see if it works now. ... firewall misconfiguration issue. ... Includes details about sharing printers as well as files ... start by running the Network Setup Wizard on all machines (see ...
    (microsoft.public.windows.vista.networking_sharing)