OpenBSD Journal

SecurityFocus writer has a clue.

Contributed by jose on from the simple-firewalls dept.

Leon Yendor writes: "Kelly Martin (the content editor for SecurityFocus) has an article (at http://www.securityfocus.com/columnists/216) about the prevalent worms attacking Microsoft products.

It's nice to see what he is using to keep them out of his LAN..."



Comments
  1. By Chris Humphries () chris@unixfu.net on http://unixfu.net/

    I just wish that I could get the people to read it that should read it, yet odds are that they will not due to the length of it.

    Everyone bought Jose's Worm book?
    http://tinyurl.com/yurxq

    It is a good book; help support it. Don't be a cheap bastid ;)

    Comments
    1. By Anonymous Coward () on

      Uhh, $85.00? I think not.

      Comments
      1. By Anonymous Coward () on

        http://www.pricegrabber.com/search_getprod.php/isbn=1580535372/ut=cfd7df02ff60e924

        Price comparison engines can be your friend if you are cheap. Or maybe I should say enemy? There's one listed there for $95 despite the easy $75 find!

        Also keep in mind, that not every book is for every reader. Jose has an OpenBSD book on the way and my guess is it will be more affordable and I believe it's from a different publisher.

  2. By jose () on http://monkey.org/~jose/

    I've actually implemented some of the things I talk about in my worms book, on OpenBSD no less! Specifically, you can easily use PF to prevent direct-to-MX worms from making egress connections, and I wrote "vthrottle", a sendmail plugin (using the milter mechanism), which can be used to slow down the spread of worms via mail. Someone at ualberta in calgary (not beck, someone who knows him I think) is using OpenBSD-based bridges to detect upswings in host activity. It should be easy to enforce host behaviors using this mechanism (similar to vthrottle but for network activity in general).

    Just a few thoughts. Both of these things will help you keep your network (i.e. at work) safe from threats. It's all about the generic approach. Signature detection is old school; it's quickly becoming irrelevant as the speed and frequency of malware (viruses, worms) increases.

    Poke around on my website for vthrottle.
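The "vthrottle but for network activity in general" idea from the comment above, as an added illustration written for this page: it is not vthrottle, not jose's PF rules, and not code from the page. It applies a per-host sliding window to direct-to-MX connection attempts, so a host that starts contacting many distinct SMTP servers gets delayed and then blocked while the site's relay is left alone. The policy numbers, the relay address, the host addresses and the connection-log format are all assumptions made up for the example.

```python
from collections import Counter, defaultdict, deque

# Assumed policy (not from the page): a non-relay host may contact at most
# MAX_NEW_PEERS distinct SMTP servers per WINDOW seconds before further new
# peers are delayed, and at most HARD_LIMIT before they are blocked outright.
WINDOW = 60            # seconds
MAX_NEW_PEERS = 3
HARD_LIMIT = 10
SMTP_PORT = 25
RELAY_HOSTS = {"10.0.0.25"}   # the site's legitimate mail relay (assumed address)


class EgressThrottle:
    """Per-source sliding window of distinct SMTP peers contacted."""

    def __init__(self):
        self._recent = defaultdict(deque)   # src -> deque of (t, dst)

    def decide(self, t, src, dst, dport):
        if dport != SMTP_PORT or src in RELAY_HOSTS:
            return "allow"                   # only direct-to-MX traffic is policed
        q = self._recent[src]
        while q and t - q[0][0] > WINDOW:    # drop peers that fell out of the window
            q.popleft()
        peers = {d for _, d in q}
        if dst in peers:
            return "allow"                   # retrying a known peer costs nothing
        q.append((t, dst))
        n = len(peers) + 1                   # distinct peers, including this one
        if n > HARD_LIMIT:
            return "block"
        if n > MAX_NEW_PEERS:
            return "delay"
        return "allow"


# Constructed connection log ("t src dst dport"), not a real capture:
# 10.0.0.25 is the relay, 10.0.0.8 a web client, 10.0.0.7 a direct-to-MX mailer.
SAMPLE_LOG = """\
0 10.0.0.25 192.0.2.10 25
1 10.0.0.25 192.0.2.11 25
2 10.0.0.8 203.0.113.5 80
5 10.0.0.7 198.51.100.1 25
6 10.0.0.7 198.51.100.2 25
7 10.0.0.7 198.51.100.3 25
8 10.0.0.7 198.51.100.1 25
9 10.0.0.7 198.51.100.4 25
10 10.0.0.7 198.51.100.5 25
11 10.0.0.7 198.51.100.6 25
12 10.0.0.7 198.51.100.7 25
13 10.0.0.7 198.51.100.8 25
14 10.0.0.7 198.51.100.9 25
15 10.0.0.7 198.51.100.10 25
16 10.0.0.7 198.51.100.11 25
100 10.0.0.7 198.51.100.12 25
"""


def run(log):
    """Return (t, src, dst, decision) for every connection attempt in the log."""
    throttle = EgressThrottle()
    out = []
    for line in log.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, src, dst, dport = line.split()
        out.append((int(t), src, dst, throttle.decide(int(t), src, dst, int(dport))))
    return out


def summary(log):
    """Count decisions per source host."""
    counts = defaultdict(Counter)
    for _, src, _, decision in run(log):
        counts[src][decision] += 1
    return counts


if __name__ == "__main__":
    for src, c in summary(SAMPLE_LOG).items():
        print(src, dict(c))
```

In the sample, 10.0.0.7 gets three new peers and one retry allowed, the next seven new peers delayed, the eleventh blocked, and a fresh contact a minute later allowed again once the window has emptied. The blunt PF version of the first point in the comment is simpler still: pass outbound port 25 only from the relay and block it from every other host; the throttle above is what a bridge would add on top of that for hosts that are allowed to send mail.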

    Comments
    1. By Chris Humphries () chris@unixfu.net on http://unixfu.net/

      I always thought signature-based IDS (snort, etc.) were next to useless.

      Anomaly-based ones are much better; most attacks and worms do not seem smart enough to appear to be doing something normal or something another process would be doing. Though of course this can be bypassed, most people who write attack worms and scripts do not seem to be this smart, or even to care/know (at least the ones in the wild filling up my logs).

      Hopefully people this skilled are writing this code as a job, and not wanting to go to jail and snicker with their kiddie friends.

      --
      I don't have facts or statistics to back up this post :)

      Comments
      1. Comments
        1. By Chris Humphries () chris@unixfu.net on http://unixfu.net/

          Which is highly unlikely. The effort and risk are not worth the gain :)

          Though it may be true. The sole purpose of viruses and worms is to spread and replicate. Being noticed kinda defeats the purpose, it seems, yet well-noticed worms are still around. Guess stupidity and ignorance win :)

      2. By Anonymous Coward () on

        It does an amazing job with scans. And it does handle anomalous behavior, despite being signature based. There are some signatures for anomalous behavior: weird IP protocols, for example. And it's amazingly fast and configurable.

        If you are able to enumerate the acceptable types of traffic with any kind of specificity, you could have a catch-all rule for the remaining traffic.

        I think it's hard to run a recon and attack without tripping one of the rules. I pay attention to the scans.

        One trick is to have a tcpdump audit that captures 200 bytes of every packet that transits your net. Then all a kiddie has to do is violate one snort rule and you can correlate with everything else that has transpired. IP w.x.y.z scanning? What else did they try? Host a.b.c.d was scanned? What else went to it? Did its behavior change? Bingo! That 0-day 'sploit is now all over BugTraq, SecurityFocus and Whitehats. Even if the scan was sourced differently than the attack, I still have a good chance to pick up on it thanks to Snort.

        I'm looking at anomaly-based NIDS, too. And host-based IDS (using things like Tripwire) are a big part of the picture, too.

        Any suggestions? I am going to take a look at Shadow pretty soon.
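The correlation the commenter describes above (a Snort alert names a scanner; the full-packet audit trail then answers what else that source tried, who else hit the scanned host, and whether the scanned host changed its behavior), as an added example written for this page. It is not the commenter's code and not part of Snort. The alert line is a constructed imitation of Snort's "fast" alert format with a made-up local SID, the capture lines are constructed tcpdump -nn style headers, and the addresses are documentation ranges; none of it is real traffic.

```python
import re
from collections import namedtuple

# Constructed Snort fast-alert line (made-up local SID, not a real rule).
ALERTS = """\
01/12-10:00:05.000000  [**] [1:1000001:1] LOCAL port scan probe [**] [Priority: 2] {TCP} 203.0.113.9:40005 -> 10.0.0.7:22
"""

# Constructed tcpdump -nn style audit lines (not a real capture).  A scanner
# probes 10.0.0.7 and 10.0.0.9; later a different source connects to 10.0.0.7,
# after which 10.0.0.7 starts a connection it never made before.
CAPTURE = """\
09:59:00.000000 IP 10.0.0.7.33001 > 10.0.0.25.25: Flags [S], seq 1, win 16384, length 0
10:00:01.000000 IP 203.0.113.9.40001 > 10.0.0.7.21: Flags [S], seq 1, win 1024, length 0
10:00:02.000000 IP 203.0.113.9.40002 > 10.0.0.7.22: Flags [S], seq 1, win 1024, length 0
10:00:02.100000 IP 10.0.0.7.22 > 203.0.113.9.40002: Flags [S.], seq 1, ack 2, win 16384, length 0
10:00:03.000000 IP 203.0.113.9.40003 > 10.0.0.7.80: Flags [S], seq 1, win 1024, length 0
10:00:04.000000 IP 203.0.113.9.40004 > 10.0.0.9.22: Flags [S], seq 1, win 1024, length 0
10:00:05.000000 IP 203.0.113.9.40005 > 10.0.0.7.22: Flags [S], seq 1, win 1024, length 0
10:00:30.000000 IP 198.51.100.77.51000 > 10.0.0.7.22: Flags [S], seq 1, win 65535, length 0
10:00:31.000000 IP 10.0.0.7.33000 > 198.51.100.77.6667: Flags [S], seq 1, win 16384, length 0
10:01:00.000000 IP 10.0.0.8.40000 > 10.0.0.25.25: Flags [S], seq 1, win 16384, length 0
"""

Packet = namedtuple("Packet", "t src sport dst dport flags")
Alert = namedtuple("Alert", "t sid msg proto src sport dst dport")

CAP_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]*)\]")
ALERT_RE = re.compile(
    r"^\S+?-(\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[([\d:]+)\]\s+(.*?)\s+\[\*\*\].*"
    r"\{(\w+)\}\s+(\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)")


def _secs(hms):
    """HH:MM:SS.ffffff -> seconds since midnight (capture and alerts share a day here)."""
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    pkts = []
    for line in text.splitlines():
        m = CAP_RE.match(line)
        if m:
            t, src, sport, dst, dport, flags = m.groups()
            pkts.append(Packet(_secs(t), src, int(sport), dst, int(dport), flags))
    return pkts


def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            t, sid, msg, proto, src, sport, dst, dport = m.groups()
            alerts.append(Alert(_secs(t), sid, msg, proto, src, int(sport), dst, int(dport)))
    return alerts


def correlate(alert_text, capture_text):
    """For each alert, answer the three questions from the audit trail."""
    # Bare SYNs mark new connection attempts; SYN/ACKs ("S.") are replies.
    syns = [p for p in parse_capture(capture_text) if p.flags == "S"]
    report = {}
    for a in parse_alerts(alert_text):
        report[(a.src, a.dst)] = {
            # What else did the alerting source try, anywhere on the net?
            "attacker_targets": sorted({(p.dst, p.dport) for p in syns if p.src == a.src}),
            # Who else connected to the scanned host?
            "other_sources_to_victim": sorted({p.src for p in syns if p.dst == a.dst and p.src != a.src}),
            # Did the scanned host open new outbound connections after the alert?
            "victim_outbound_after": sorted({(p.dst, p.dport) for p in syns if p.src == a.dst and p.t > a.t}),
        }
    return report


if __name__ == "__main__":
    for key, info in correlate(ALERTS, CAPTURE).items():
        print(key, info)
```

On the sample the report shows the scanner touching four host/port pairs, a second source (198.51.100.77) reaching the scanned host after the alert, and the scanned host then opening a connection out to that same source on port 6667, which is the "did its behavior change?" signal the commenter is after even though the attack came from a different address than the scan. A capture of the kind described can be taken with `tcpdump -s 200 -w file`; only header fields are used above, so the same logic applies to the output of `tcpdump -nn -r file`.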

    2. By Anthony () on

      It's just the "University of Calgary" now. :)

      Comments
      1. By Anonymous Coward () on

        > It's just the "University of Calgary" now. :)

        Or he just means the University of Alberta but got the city mixed up.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]