From kevross33 at googlemail.com Fri Apr 3 05:08:08 2009
From: kevross33 at googlemail.com (Kevin Ross)
Date: Fri, 3 Apr 2009 11:08:08 +0100
Subject: [Discussion] Capture Clients?
Message-ID:

Hi, I was thinking: imagine if an intrusion was detected between a malicious host, say 81.1.1.1, and the victim 10.0.0.2, with the Distributed IDS in between. What if, while an attack was underway, there were agents available for clients/servers which the distributed IDS could then use to capture activity, i.e. network activity etc. between it and the compromised host? I.e. say there was an attack; the distributed IDS master sensor will "say" to the agent on 10.0.0.2 "record all communications you have with 81.1.1.1 and then forward it to me".

This way greater visibility is given into the attack, providing greater forensic information, especially if encryption is then used to hide attack responses, backdoors, whatever. The agent perhaps could then be used in some sort of active response on the client, but ideally just a small capture agent. This would give more attack information, confirmation if the attack was successful.


From jonkman at jonkmans.com Fri Apr 3 14:00:04 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 03 Apr 2009 15:00:04 -0400
Subject: [Discussion] Capture Clients?
In-Reply-To:
References:
Message-ID: <49D65CB4.6040600@jonkmans.com>

So you mean for instance in the event of an https ddos? Or some form of encrypted session.

Have the client grab it after decryption and save to be analyzed?

Matt

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


From mcholste at gmail.com Fri Apr 3 14:29:10 2009
From: mcholste at gmail.com (Martin Holste)
Date: Fri, 3 Apr 2009 14:29:10 -0500
Subject: [Discussion] Capture Clients?
In-Reply-To: <49D65CB4.6040600@jonkmans.com>
References: <49D65CB4.6040600@jonkmans.com>
Message-ID:

I agree that client-side integration seems to be becoming more and more important as more Trojans go SSL-enabled. However, I think that's more the realm of OSSEC, which plugs into OSSIM. So, if the OISF incarnation can play nicely with OSSIM, I think that it would be fairly simple to write OSSIM directives that would accomplish what you're talking about by directing OSSEC clients to begin recording/analyzing.

Personally, I'd want them all to be able to grep through their RAM for given strings a la MindSniffer if there was something new to look for. I think you're raising a good point though, that HIDS can play a real part in this if we let it.

--Martin


From jaime.blasco at alienvault.com Fri Apr 3 15:34:42 2009
From: jaime.blasco at alienvault.com (Jaime Blasco)
Date: Fri, 3 Apr 2009 22:34:42 +0200
Subject: [Discussion] Capture Clients?
In-Reply-To:
References: <49D65CB4.6040600@jonkmans.com>
Message-ID: <53834cf20904031334i13730ed2n6904a47055bdc9ee@mail.gmail.com>

Hi,

Some months ago we were discussing incorporating the functionality of recording traffic from the OSSIM agents when the server triggers the active response. It would be easy to implement with the current architecture, and it could help a lot to identify real attacks and make forensic analysis.

Regards

--
_______________________________
Jaime Blasco
www.ossim.com
www.alienvault.com
Email: jaime.blasco at alienvault.com
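The master-to-agent "record all communications you have with 81.1.1.1" order that Kevin proposes, and that Jaime says the OSSIM agents could carry on active response, as an added example that is not code from this thread or from OSSIM/OSSEC: the sensor signs the directive, and the agent checks its origin, freshness, addressee and peer before turning it into a capture filter, here applied to constructed flow records standing in for a live capture. The shared key, the directive format and the flow records are all constructed for the example.

```python
import hmac, hashlib, json, ipaddress

# Constructed per-agent shared secret (assumption: the sensor and each agent hold a pre-shared key).
AGENT_KEY = b"constructed-demo-key-for-10.0.0.2"
MAX_SKEW = 300  # seconds a directive stays valid; bounds replay of an old "record" order

def build_directive(key, agent, peer, duration, now):
    """Master sensor side: sign a 'record traffic with <peer>' order addressed to one agent."""
    body = {"agent": agent, "peer": peer, "duration": duration, "issued": now}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}

def accept_directive(key, directive, my_addr, now):
    """Agent side: verify origin, freshness, addressee and peer before recording anything.
    Returns the BPF filter to apply, or None if the order must be ignored."""
    body = directive["body"]
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, directive["mac"]):
        return None  # forged or tampered order
    if body["agent"] != my_addr or abs(now - body["issued"]) > MAX_SKEW:
        return None  # addressed to another host, or stale / replayed
    peer = ipaddress.ip_address(body["peer"])  # rejects anything that is not a single address
    if not 0 < body["duration"] <= 3600:
        return None  # refuse open-ended recording
    return f"host {peer}"  # filter the agent would hand to its capture library

def select_flows(flows, peer):
    """Keep only the flow records that involve the named peer (stand-in for the live capture)."""
    return [f for f in flows if peer in (f["src"], f["dst"])]

# Constructed flow records as seen from the victim 10.0.0.2.
FLOWS = [
    {"src": "81.1.1.1", "dst": "10.0.0.2", "dport": 443, "bytes": 5120},
    {"src": "10.0.0.2", "dst": "8.8.8.8", "dport": 53, "bytes": 72},
    {"src": "10.0.0.2", "dst": "81.1.1.1", "dport": 443, "bytes": 90210},
]

def demo(now=1_238_760_000):  # epoch seconds in April 2009
    d = build_directive(AGENT_KEY, "10.0.0.2", "81.1.1.1", 600, now)
    bpf = accept_directive(AGENT_KEY, d, "10.0.0.2", now + 5)
    recorded = select_flows(FLOWS, d["body"]["peer"]) if bpf else []
    # An order whose peer was altered in transit fails the MAC check and is dropped.
    tampered = dict(d, body=dict(d["body"], peer="0.0.0.0"))
    return bpf, len(recorded), accept_directive(AGENT_KEY, tampered, "10.0.0.2", now + 5)
```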