Re: Wish list
- From: Greg Metcalfe <metcalfegregdelete@xxxxxxxxxxxxxxx>
- Date: Wed, 30 Nov 2005 02:43:53 -0800
> On Tue, 29 Nov 2005 23:43:24 -0800, matt_left_coast wrote:
>> Newsbox wrote:
>>> I would like to be able to parse my firewall listings of all the
>>> unsolicited traffic I receive, and be able to easily determine just what
>>> supposed or possible vulnerability some criminal creep was trying to
>>> or exploit when each was sent. Maybe that's asking a lot, but wait,
>>> here's more:
>>> I would then like to know exactly what trojan, virus, worm or other
>>> malware on a zombie host would be sending those packets, what kinds of
>>> OS's they might be running on, how (if possible) to directly contact the
>>> host, and what vulnerabilities that zombied host would likely have, and
>>> how to exploit any such known vulnerability to stop the zombied host
>>> from further attacking me and others.
>>> I'm surely not a rich man, but would consider setting a separate
>>> firewall server for this purpose if it were possible or doable.
>>> All suggestions welcome.
>>> Best wishes.
>> I would suggest you do research on firewalls, what they are, what they do
>> and what they do not do. Your question suggests a lack of understanding of
>> what security is and what it takes to get a secure system. Unless you do
>> some studying, you will probably never have a secure system no matter
>> what firewall you put in.
> Thank you for the response. I do not want to insult your analysis at this
> time. And thank you for your (apparent) concern that I will never have a
> secure system. I would invite you to shoot at my system, if that is what
> it would take, except that I do not like "learning the hard way". I have
> had "secure systems" for some years, apparently. And that is not at all
> the focus of my request. What, for example, are these?
> port 2 udp
> port 1026 udp
> port 1911 tcp
> ...(and many, many more)
> If you had a pointer to a database of what these probes were for, it would
> really be more to the point of my question than any of your suggestions for
> Sorry, but I don't think you got the "gist" of my request. Thanks, but no
> thanks. Give me a database. Thanks anyway.
Well, you can spend into 6 figures and not get everything on your shopping
list. Also, you may not *want* everything on that list.
Suppose your software really could tell "what vulnerabilities that zombied
host would likely have, and how to exploit any such known vulnerability to
stop the zombied host from further attacking me and others." That changes
like the wind, but suppose you had something completely accurate. You'd
still need to round up exploit code, which may be coming from a rather
unsavory source. I gather you'd like to do that in a completely automated
fashion as well. That would be dangerous in and of itself, especially as
you couldn't quantify a new and ever-changing risk, so automation is
probably the last thing you want. This is a case where you need humans in
the loop--except that it would take a full-time staff. But suppose you got
past those difficulties as well. There's an ethics issue involved with
pushing that exploit button, as well as the fact that you would then be in
violation of federal law, and likely state laws as well.
There really is only so much that can be done with automation. You'll find
that the larger managed security services (Counterpane, etc.) pride
themselves on the caliber of the people they have in the loop. You might
spend some time on isc.sans.org. Read through some handler's diaries, learn
how to submit your firewall logs, look at the port histories, etc. I think
you might find that site both interesting and instructive.
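The practical part of the request is parsing firewall logs to see which ports are being probed, and the reply points at port histories as the place to interpret them. The following script is an added example, not part of the thread and not anyone's code from it. It assumes netfilter/iptables-style kernel log lines (SRC=, DST=, PROTO=, SPT=, DPT= fields); the sample lines are constructed, and the PORT_NOTES table is a hypothetical placeholder to be filled from a port database rather than a claim about what any port means.

```python
"""Tally unsolicited inbound traffic from firewall log lines by port/protocol.

Added example (not from the thread). Assumes netfilter/iptables LOG-target
style lines with SRC=, DST=, PROTO=, SPT=, DPT= fields; the sample lines
below are constructed, not real captures.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines in the iptables LOG target format (not real traffic).
SAMPLE_LOG = """\
Nov 30 02:10:01 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=1027 DPT=1026 LEN=400
Nov 30 02:10:04 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=UDP SPT=1028 DPT=1026 LEN=400
Nov 30 02:11:15 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=4312 DPT=1911 WINDOW=65535 SYN
Nov 30 02:12:40 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=UDP SPT=2 DPT=2 LEN=36
Nov 30 02:13:02 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=1029 DPT=1026 LEN=400
Nov 30 02:13:30 gw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.20 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=22 SYN
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
ACTION_RE = re.compile(r"kernel:\s+(\w+)\s+IN=")


def parse_line(line):
    """Return a dict with action, src, dst, proto, dpt, or None if the line
    is not a firewall entry or has no destination port (e.g. ICMP)."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "DPT" not in fields or "PROTO" not in fields:
        return None
    return {
        "action": m.group(1),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields["PROTO"].lower(),
        "dpt": int(fields["DPT"]),
    }


def tally_unsolicited(log_text, dropped_only=True):
    """Group denied inbound packets by (proto, destination port).

    Returns a list of (proto, dport, packet_count, distinct_sources) sorted by
    packet count, descending. The distinct-source count separates one noisy
    host from a probe that many hosts are running, which is the question a
    port history helps answer."""
    packets = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if dropped_only and rec["action"] != "DROP":
            continue
        key = (rec["proto"], rec["dpt"])
        packets[key] += 1
        sources[key].add(rec["src"])
    return sorted(
        ((proto, dpt, n, len(sources[(proto, dpt)]))
         for (proto, dpt), n in packets.items()),
        key=lambda r: (-r[2], r[0], r[1]),
    )


# Hypothetical placeholder: populate from a port database (for example the
# port histories the reply recommends). Nothing here asserts what a port means.
PORT_NOTES = {}


def report(log_text):
    """Render the tally as lines a human can check against a port database."""
    lines = []
    for proto, dpt, n, srcs in tally_unsolicited(log_text):
        note = PORT_NOTES.get((proto, dpt), "lookup pending")
        lines.append(f"port {dpt} {proto}: {n} packets from {srcs} sources ({note})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Only DROP entries are counted by default, so accepted traffic does not pollute the picture; pass dropped_only=False to see everything. The per-port source count is the figure worth comparing against a port history: three packets to one port from two sources looks very different from three packets from one source.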