apachebenchmark-sans-t4 Mailing List for Apache Web Server Benchmark
Status: Alpha
Brought to you by: rcbarnett
From: <Rya...@at...> - 2003-12-16 15:35:30
Everyone,

I wanted to shoot out a quick email to thank you all for a great class! I really enjoyed myself and I hope that our meetings helped to supplement your online courseware. I know that you all have been/will be filling out course evals, but please feel free to email me directly if you have comments on the class. I will keep our mail-list up and running for a few months, so you can send questions and comments to the list as you are preparing for your practicals/test.

I wish you all good luck in attaining your GCIH! Thanks again.

> Most Respectfully,
> Ryan C. Barnett
> SANS: GCFA, GCIH, GCUX, GSEC
> Department of Justice - ATF
> Information Services Division
> Operations Security Team Lead
From: <Rya...@at...> - 2003-12-02 04:16:35
I know this is redundant, but I wanted to make sure that everyone got this email. Please remember to bring an ethernet cable for your laptop. See you on Wed!

> Most Respectfully,
> Ryan C. Barnett
> SANS: GCFA, GCIH, GCUX, GSEC
> Department of Justice - ATF
> Information Services Division
> Operations Security Team Lead
> Email: Rya...@at...
> Pager: Rya...@sk...
> Phone: 202-927-2913
>
> -----Original Message-----
> From: Barnett, Ryan C.
> Sent: Tuesday, November 25, 2003 12:59 PM
> To: 'apa...@li...'
> Subject: SANS Hacker LMP Weekly Update
>
> Greetings Everyone,
> This is just a reminder that we will NOT be meeting tomorrow night due to the Thanksgiving Holiday.
>
> We will be meeting next week - Dec. 3rd and we will cover the following topics:
>
> Week 10: Dec. 3rd
> 4.5.5 Pulling it all Together and Conclusions
> 4.5.6 Appendix
> Hackers Workshop-Windows Server
>
> As you can see, we will start the first half of the Hacker Workshop where I will be running a VMware Windows 2000 server for you to run exploits against. You will need to bring the following for the lab -
>
> 1) Your laptop
> 2) The class CDROM
> 3) An Ethernet cable
>
> I will be bringing two hubs so that we can all network together. It should be fun!
>
> Have a great Thanksgiving and I will see you next week.
>
> Most Respectfully,
> Ryan C. Barnett
> SANS: GCFA, GCIH, GCUX, GSEC
> Department of Justice - ATF
> Information Services Division
> Operations Security Team Lead
From: <mic...@us...> - 2003-11-26 03:22:17
Don't have an install of these, but would recommend you also look at http://www.guidancesoftware.com/

EnCase now has a fairly good incident handling capability that is integrated with the forensics product. Watched a demo at the CSI trade show and it looked pretty good. They were able to grab an image of the system under attack remotely without damaging the integrity of the system and then to go through the file structure, logs, cache, and open processes and cross check so that you could quickly match potential hostile addresses, changes, and evidence. As I understand it, this system requires an agent program be installed on each system that is covered. The agent allows the remote access. Interesting.

Kevin Mahoney at NetForensics could probably be talked into doing a demo for a group -- he's their federal marketier. I've got a cell phone number for him, if you want it. I've got him hooked up for a demo in mid-December and can take notes and give impressions afterwards.

At CSI I got the impression that most of these products were being rushed to market quickly and competitively in a relatively short time. I'd expect to see some major holes and unresolved issues when running any of them. None of the vendors I talked to at CSI that offered incident handling software could tell me whether their software might introduce vulnerabilities to a system or whether it had been rigorously tested for code integrity. But then again, I was talking to marketing people that were trying to figure out what they thought I wanted to hear instead of giving the real scoop.

----- Original Message -----
From: Meg Layton <meg...@sy...>
Date: Tuesday, November 25, 2003 2:54 pm
Subject: [Apachebenchmark-sans-t4] If anyone can help...

> I am looking to do an objective competitive analysis on Incident Manager products. Does anyone have an install of ArcSight, NetForensics, or NetIQ that would be willing to discuss pros/cons and provide personal experience insights?
>
> Thanks in advance
>
> Meg Layton, CISSP
> Herndon Office
> Symantec Corporation
> Office: 703-668-8860
> Interoffice: 6 [703] 8860
> www.symantec.com
From: <mic...@us...> - 2003-11-26 03:22:17
New one - might be fun to play with during the lab:
Hello,
I discovered a strange but simple buffer overflow in gedit.
I am using RH9.
To demonstrate the buffer, here is a simple file buffer generator:
===========buffer.c == cut here===============
/*
simple buffer overflow generator by MegaHz me...@me...
*/
#include <iostream>
using namespace std;
int main()
{
int i;
/* emit 10,000,000 'A' characters, with no newline, to standard output */
for (i=0;i<=9999999;i++)
{
cout << "A";
}
return 0;
}
===========================================
# g++ -o buffer buffer.c
# ./buffer > lala
# gedit lala
Segmentation fault
#
MegaHz (Andreas Constantinides)
www.megahz.org
www.cyhackportal.com
From: <Rya...@at...> - 2003-11-25 17:59:11
Greetings Everyone,

This is just a reminder that we will NOT be meeting tomorrow night due to the Thanksgiving Holiday.

We will be meeting next week - Dec. 3rd and we will cover the following topics:

Week 10: Dec. 3rd
4.5.5 Pulling it all Together and Conclusions
4.5.6 Appendix
Hackers Workshop-Windows Server

As you can see, we will start the first half of the Hacker Workshop where I will be running a VMware Windows 2000 server for you to run exploits against. You will need to bring the following for the lab -

1) Your laptop
2) The class CDROM
3) An Ethernet cable

I will be bringing two hubs so that we can all network together. It should be fun!

Have a great Thanksgiving and I will see you next week.

> Most Respectfully,
> Ryan C. Barnett
> SANS: GCFA, GCIH, GCUX, GSEC
> Department of Justice - ATF
> Information Services Division
> Operations Security Team Lead
From: <mic...@us...> - 2003-11-19 05:08:18
Asp.net has slides from the "Whidbey/ASP.NET v 2.0" presentations given at the 2003 Microsoft Professional Developer Conference.

http://asp.net/whidbey/pdc.aspx?tabindex=0&tabid=1

Among the presentations is one that is related to our course materials. Here's the write up from asp.net:

*****
ASP.NET: Security Best Practices to Protect Against Hacker Attacks
Drill down on techniques used by hackers to attack web applications, and how developers can protect against them with existing ASP.NET web applications. Leave with a checklist of security best practices to follow that will help bullet-proof your applications
Download Slides
Download Demos
http://asp.net/whidbey/downloads/WSV400_olson_Slides.zip
http://asp.net/whidbey/downloads/wsv400_olson_Demos.zip
*****

One of the hints not in the course materials for preventing SQL injection is to use parameterized stored procedures and/or queries. We use them and the attack mentioned in the course example using fred'; drop table xxxx; -- failed to work on a test server.

Slide 8 gives a good example of a SQL injection that is a lot different than the course materials. Also gives an example of using salted hashes (MS thinking like Unix). Lots of good nuggets in this MS presentation and some good links to additional resources.

*****

More emphasis on security and better programming this time around. Still I suspect that some of the new features being promoted will be watched closely for future exploit potential. Out-of-band data callbacks and bi-directional databinding look like interesting areas for study.

Mike
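The point Mike makes above (a string-built query falls to the course's `fred'; drop table xxxx; --` input while a parameterized query does not) as an added, runnable illustration; this is editor-supplied example code, not from the post or the slides. It uses an in-memory SQLite database; since Python's `sqlite3.execute()` refuses more than one statement, the vulnerable path uses `executescript()` to stand in for a database driver that accepts stacked statements, which is the situation the course example assumes.

```python
"""Added example: concatenated SQL versus a parameterized query, exercised with
the input quoted in the post. Constructed sample data throughout."""
import sqlite3

ATTACK_INPUT = "fred'; drop table xxxx; --"  # the input named in the post


def make_db():
    """Constructed schema: a users table plus the 'xxxx' table the input names."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (name TEXT, role TEXT);
        INSERT INTO users VALUES ('fred', 'user'), ('alice', 'admin');
        CREATE TABLE xxxx (id INTEGER);
        INSERT INTO xxxx VALUES (1);
        """
    )
    return conn


def table_exists(conn, name):
    """True if a table with this name is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def lookup_vulnerable(conn, username):
    """Builds the statement by concatenation. The quote in the input closes the
    string literal, ';' ends the SELECT, and 'drop table xxxx' runs as a second
    statement; '--' comments out the dangling quote. executescript() here stands
    in for a driver that accepts stacked statements. Returns the SQL that ran."""
    sql = "SELECT role FROM users WHERE name = '" + username + "'"
    conn.executescript(sql)
    return sql


def lookup_parameterized(conn, username):
    """Sends the statement and the value separately. The driver binds the whole
    input as one string literal, so its quotes and semicolons carry no SQL
    meaning. Returns the role for an exact name match, else None."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Runs both variants on fresh databases and reports what became of 'xxxx'."""
    vuln = make_db()
    lookup_vulnerable(vuln, ATTACK_INPUT)
    safe = make_db()
    role = lookup_parameterized(safe, ATTACK_INPUT)
    return {
        "xxxx_after_concat": table_exists(vuln, "xxxx"),  # False: table dropped
        "xxxx_after_param": table_exists(safe, "xxxx"),   # True: untouched
        "param_lookup_attack_input": role,                # None: no such user
        "param_lookup_fred": lookup_parameterized(safe, "fred"),  # 'user'
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```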
From: <Rya...@at...> - 2003-11-06 16:32:12
Hello everyone.

We had a small turnout last night (only 4 people)! Oh well, I understand that things come up and you can't make it every week. Speaking of that - I wanted to remind everyone that we will NOT be meeting next week. Our next class will be on Wed, Nov 19th.

Chapters for the next class -

Week 9: Nov. 19th
4.5.2 Keeping Access II - Rootkits and Kernel-level Rootkits
4.5.3 Covering the Tracks I - UNIX, Windows and Networks
4.5.4 Covering the Tracks II - Steganography

Also, someone had a question about Windows based tools for Incident Response and Forensics. Foundstone has a bunch of great, free tools - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/freetools.htm

I also uploaded the 3D_Traceroute tool I spoke of to the class website - http://apachebenchmark.sourceforge.net/sans/3D_Traceroute/. It is very small and can run off of a floppy.

Talk to you all soon.

> Most Respectfully,
> Ryan C. Barnett
> SANS: GCFA, GCIH, GCUX, GSEC
> Department of Justice - ATF
> Information Services Division
> Operations Security Team Lead
> Email: Rya...@at...
> Pager: Rya...@sk...
> Phone: 202-927-2913
From: <Rya...@at...> - 2003-10-30 22:59:22
Someone asked a question about what is a "salt". Here is a good description - http://packetstormsecurity.nl/docs/hack/hackfaq-99/hackfaq-4.html#ss4.6

4.6 What is a "salt"?

To increase the overhead in cracking passwords, some algorithms employ salts to add further complexity and difficulty to the cracking of passwords. These salts are typically 2 to 8 bytes in length, and algorithmically introduced to further obfuscate the one-way hash. On the major operating systems covered here, only NT does not use a salt. The specifics for salts for both Unix and Netware systems are covered in their individual password sections.

Historically the way cracking has been done is to take a potential password, encrypt it and produce the hash, and then compare the result to each account in the password file. By adding a salt, you force the cracker to have to read the salt in and encrypt the potential password with each salt present in the password file. This increases the amount of time to break ALL of the passwords, although it is certainly no guarantee that the passwords can't be cracked. Because of this most modern password crackers when dealing with salts do give the option of checking a specific account.

In addition to password cracking, salts can be used for obfuscating encrypted network traffic. Technically, an attacker could capture encrypted data and compare hashes to try and enumerate data such as usernames/passwords. By using salts, you could log into a system twice using something like SSH and even though you used the exact same credentials, the resulting encrypted network data would not be identical because of the salt.

I have also posted the Matrix desktop image for you on the class website (called matrix3.jpg)

> Most Respectfully,
> Ryan C. Barnett
> SANS: GCFA, GCIH, GCUX, GSEC
> Department of Justice - ATF
> Information Services Division
> Operations Security Team Lead
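The two effects the FAQ describes (equal passwords stop sharing a hash, and a wordlist check must be repeated once per distinct salt) as an added example; this is editor-supplied code, not part of the post or the FAQ it quotes. It builds a toy Unix-style password file with the salt stored beside the hash and counts hash evaluations; SHA-256 stands in for the crypt() algorithm the FAQ has in mind, and the fixed salts and wordlist are constructed for reproducibility.

```python
"""Added example: why a per-account salt raises the cost of checking a wordlist
against a whole password file. Constructed sample data throughout."""
import hashlib
import os

SALT_BYTES = 8  # upper end of the 2-to-8-byte range the FAQ mentions


def new_salt():
    """Fresh random salt for a new account (how real systems draw it)."""
    return os.urandom(SALT_BYTES)


def hash_password(password, salt):
    """One-way hash of salt + password; an empty salt models an unsalted scheme.
    SHA-256 is a stand-in for the crypt() style hash the FAQ describes."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_entry(password, salt):
    """Password-file entry: the salt is stored in the clear beside the hash."""
    return salt.hex(), hash_password(password, salt)


def build_password_file(salted):
    """Constructed sample file: three accounts, two of which share a password.
    Fixed salts keep the example reproducible; use new_salt() in real code."""
    accounts = [("fred", "letmein", b"Zx1!kq9P"),
                ("alice", "letmein", b"Qm7@rT2d"),
                ("bob", "sunshine", b"Lp4#wN8s")]
    return {user: make_entry(pw, salt if salted else b"")
            for user, pw, salt in accounts}


def count_hash_evals(password_file, wordlist, salted):
    """Checks every wordlist entry against every account the way the FAQ
    describes and returns (hash evaluations needed, accounts matched).
    Unsalted: one hash per candidate is compared against every account.
    Salted: one hash per candidate per distinct salt present in the file."""
    evals = 0
    matched = 0
    if not salted:
        stored = [h for (_, h) in password_file.values()]
        for cand in wordlist:
            evals += 1
            matched += stored.count(hash_password(cand, b""))
        return evals, matched
    by_salt = {}
    for salt_hex, h in password_file.values():
        by_salt.setdefault(salt_hex, []).append(h)
    for cand in wordlist:
        for salt_hex, hashes in by_salt.items():
            evals += 1
            matched += hashes.count(hash_password(cand, bytes.fromhex(salt_hex)))
    return evals, matched


WORDLIST = ["password", "letmein", "qwerty", "sunshine", "123456"]  # constructed


def demo():
    """Shows both effects of the salt on the constructed file."""
    unsalted = build_password_file(salted=False)
    salted = build_password_file(salted=True)
    return {
        "unsalted_same_hash": unsalted["fred"][1] == unsalted["alice"][1],    # True
        "salted_same_hash": salted["fred"][1] == salted["alice"][1],          # False
        "unsalted_evals_matched": count_hash_evals(unsalted, WORDLIST, False),  # (5, 3)
        "salted_evals_matched": count_hash_evals(salted, WORDLIST, True),       # (15, 3)
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```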
From: <Rya...@at...> - 2003-10-28 17:58:57
Greetings Everyone,

Here are the chapters for this week -

Week 7: Oct. 29th
4.4 Computer and Network Hacker Exploits III
4.4.1 Gaining Access VI - Exploiting Other Errors
4.4.2 Gaining Access VII - Password Cracking
4.4.3 Gaining Access VIII - Shell on Win and Worms

We will be covering a Windows/IIS exploit this week and take a look at how the attackers broke in and what they tried to do afterwards.

See you tomorrow night!

> Most Respectfully,
> Ryan C. Barnett
> SANS: GCFA, GCIH, GCUX, GSEC
> Department of Justice - ATF
> Information Services Division
> Operations Security Team Lead
> Email: Rya...@at...
> Pager: Rya...@sk...
> Phone: 202-927-2913
From: <Rya...@at...> - 2003-10-20 18:00:57
Greetings Everyone,

Hope you had a good week-end. We will start off this week's class with the last part of the "Preventing Website Defacements" presentation. After that, we will start back up with our VMware Honeypot investigation. We will cover some of the topics from this week's reading -

Week 6: Oct. 22nd
4.3.2 Gaining Access II - Session Hijacking and DNS Cache Poisoning
4.3.3 Gaining Access III - Netcat
4.3.4 Gaining Access IV - Buffer Overflows
4.3.5 Gaining Access V - Format String Attacks

As I mentioned in last week's email, feel free to bring in your laptops and the CDROM. We can take some time to answer some questions and troubleshoot if anyone is having problems getting the tools to work correctly.

See you all on Wed.

> Most Respectfully,
> Ryan C. Barnett
> SANS: GCFA, GCIH, GCUX, GSEC
From: <Rya...@at...> - 2003-10-09 19:10:44
Hello Everyone,

I hope you enjoyed last night's class. I think that using the "real" VMware Honeypot for our Incident Response scenario will be quite interesting for the remainder of our classes!

A few updates -

1) As mentioned last night, I will be out of town on Wed. November 12th - 13th. SANS has me teaching my Securing Apache class at the Network Security 2003 Conference in New Orleans - http://www.sans.org/ns2003/apache.php. We took a vote in class last night and the consensus was to just add one additional class on the end. So now the last class date will be Wed. Dec 10th. If you haven't done so yet - take a look at the class syllabus - http://apachebenchmark.sourceforge.net/sans/SANS%20Hacker%20Techniques%20Syllabus.doc

2) I spoke with Scott about the CDs and he confirmed that we will have them for next week's class.

3) Feel free to bring your laptops to class. We should be able to test out some of the tools that apply to the chapters we are covering that week.

Chapters to review for next week's class -

Week 5: Oct. 15th
4.2.4 Scanning III - IDS Evasion and Vulnerability Scanning
4.2.5 Scanning IV - Web/CGI Scanning and Null Sessions
4.3 Computer and Network Hacker Exploits II
4.3.1 Gaining Access I - Spoofing and Sniffing

> Most Respectfully,
> Ryan C. Barnett
> SANS: GCFA, GCIH, GCUX, GSEC
From: <Rya...@at...> - 2003-10-03 21:02:33
Looking at the syllabus, we are going to skip the following two chapters from last week to stay on course -

-4.1.7: Linux Workshop
-4.1.8: Incident Handling Step by Step Guide

You will want to review the Linux chapter if you have not used Linux/Unix systems before. This chapter will get you up to speed on using some of the common Linux commands and some general user info. If you are well versed in DOS/commandline mode on Windows, you will pick this up pretty quickly. You will just need to pick up some of the command names to accomplish the same DOS tasks - such as reading a file, moving around through directories, etc... Learning this info is NOT mandatory, however it will help you when we run the Linux Hacker Lab.

Here are a few weblinks to some Unix/Linux Cheatsheets you might want to print out and bring to class -

- http://www.xminc.com/linux/linuxcheatsheet.pdf
- http://www.redhat.com/docs/manuals/linux/RHL-7-Manual/getting-started-guide/ch-doslinux.html
- http://www.rain.org/~mkummel/unix.txt

If you do not plan on using VMware (to install a linux host) or installing linux as your base OS, I highly suggest that you download and install Cygwin. This is the "Unix-like" application which installs onto Windows systems and provides a Bash shell for you to interact with. This will provide you with an environment to get used to using unix commands and running applications/tools/scripts. You can download Cygwin here - http://www.cygwin.com/

I have tested a number of common unix hacker tools from within Cygwin and the vast majority of them will compile and run.

As for the IR Step by Step Guide, I do suggest that you review it, but I would also review the newly released NIST document for Incident Response - http://csrc.nist.gov/publications/drafts/draft_sp800-61.pdf

Thanks.

> Most Respectfully,
> Ryan C. Barnett
> SANS: GCFA, GCIH, GCUX, GSEC
> Department of Justice - ATF
> Information Services Division
> Operations Security Team Lead
> Email: Rya...@at...
> Pager: Rya...@sk...
> Phone: 202-927-2913
>
> -----Original Message-----
> From: Barnett, Ryan C.
> Sent: Friday, October 03, 2003 12:34 PM
> To: 'apa...@li...'
> Subject: LMP Weekly Email
>
> Greetings everyone,
> I have finally received the syllabus for our class (sorry this is late but I just received it). I have updated it to reflect the correct dates. Please note, we will NOT be meeting on Wed. Nov 26th as this is the night before Thanksgiving. We will hold our last class on the following Wed, Dec. 3rd.
>
> I have posted the syllabus on our class website.
>
> Chapters to review for next week -
>
> 4.2 Computer and Network Hacker Exploits I
> 4.2.1 Overview and Reconnaissance
> 4.2.2 Scanning I - War Driving, War Dialing, and Mapping
> 4.2.3 Scanning II - Port Scanning, Fingerprinting, and Firewalking
>
> I will be reviewing these chapters as well. Please let me know if you would be interested in more presentations/demos for the material (similar to the SNARE presentation from this week). I have also posted the PDF from this week's presentation - Catching Intruders with SNARE.
>
> Thanks.
>
> Most Respectfully,
> Ryan C. Barnett
> SANS: GCFA, GCIH, GCUX, GSEC
> Department of Justice - ATF
> Information Services Division
> Operations Security Team Lead
> Email: Rya...@at...
> Phone: 202-927-2913
From: <Rya...@at...> - 2003-10-03 16:34:21
Greetings everyone,

I have finally received the syllabus for our class (sorry this is late but I just received it). I have updated it to reflect the correct dates. Please note, we will NOT be meeting on Wed. Nov 26th as this is the night before Thanksgiving. We will hold our last class on the following Wed, Dec. 3rd.

I have posted the syllabus on our class website.

Chapters to review for next week -

4.2 Computer and Network Hacker Exploits I
4.2.1 Overview and Reconnaissance
4.2.2 Scanning I - War Driving, War Dialing, and Mapping
4.2.3 Scanning II - Port Scanning, Fingerprinting, and Firewalking

I will be reviewing these chapters as well. Please let me know if you would be interested in more presentations/demos for the material (similar to the SNARE presentation from this week). I have also posted the PDF from this week's presentation - Catching Intruders with SNARE.

Thanks.

> Most Respectfully,
> Ryan C. Barnett
> SANS: GCFA, GCIH, GCUX, GSEC
> Department of Justice - ATF
> Information Services Division
> Operations Security Team Lead
> Email: Rya...@at...
> Phone: 202-927-2913
From: <Rya...@at...> - 2003-10-01 20:08:58
Just wanted to make sure that everyone got the email from Scott. Looks like
we are upgrading :)
I will see you all tonight.
> Most Respectfully,
> Ryan C. Barnett
> SANS: GCFA, GCIH, GCUX, GSEC
> Department of Justice - ATF
> Information Services Division
> Operations Security Team Lead
> Email: Rya...@at...
> Pager: Rya...@sk...
> Phone: 202-927-2913
>
Scott Weil <sw...@sa...>
10/01/2003 11:49 AM
To: meg...@sy...
cc:
Subject: You will be meeting at the Fairfax Courtyard Marriott hotel
Hello Margaret,
Dear Fairfax Hacker Techniques Student:
We have received a lot of feedback that the course meeting facilities were not adequate, and so we have changed locations.

Sorry for the short notice, but the new facilities are just a few blocks away.

You will be meeting at the Fairfax Courtyard Marriott hotel.
http://www.marriott.com/dpp/PropertyPage.asp?MarshaCode=IADFO

Here is a Yahoo! map with the directions:
http://maps.yahoo.com/dd_result?ed=ZfhqkuV.wikUtl1B6.L5JVpaQ1jLVSGfE1odXSMcdaXcGW6CGzfiyhWW9UJ4lt4AKjuQaGfyrbqHdw--&csz=Fairfax%2C+VA&country=us&tcsz=Fairfax%2C+VA&tcountry=us

Could you also take a minute to give me any feedback you have on the course so far, and if you still have not received either your course books or courseware access, please let me know.
Thank you.
--
Scott Weil
Local Mentor and Instructor Programs
sw...@sa...
(847) 926-0980
----- End forwarded message -----
--
Scott Weil
Local Mentor and Instructor Programs
sw...@sa...
(847) 926-0980
From: <mic...@us...> - 2003-10-01 03:01:27
WindowsXP and VMware

If you are running Windows as a host for VMware and planning on installing Red Hat as a guest, you should have a look at the following site - it will save you a lot of needless pain.

http://www.faqts.com/knowledge_base/view.phtml/aid/22062/fid/1144

Most of the X desktop files would not load when using a CD recorded properly from a downloaded ISO. I know I went through burning multiple CDs and downloaded images from more than one mirror. Seems the trick is to tell VMware to read the second disk as an ISO image. So when you burn your CDs, record the first CD and make sure that you simply copy the ISO file on the second. The faq tells what to do from there.

The above got me past the problems I was initially having with xpdf, xsane, xsri, etc. not wanting to open or appearing to be corrupt.

This may help resolve some of the questions/concerns raised in the first session as to whether VMware worked with WindowsXP/Windows2000. Version 4.0 has bugs, but workarounds.

On to the next mind-numbing non-class learning experience.

Mike
From: <mic...@us...> - 2003-09-30 20:23:53
I vote yes.

Mike
Michael F. Bowman
ISSM/ITM
Office of the General Counsel
Department of the Navy

----- Original Message -----
From: Rya...@at...
Date: Monday, September 29, 2003 2:51 pm
Subject: [Apachebenchmark-sans-t4] RE: SANS T4 - LMP Weekly Email

> I have a quick question for all of you. After reading this week's chapters, I thought I might do a presentation which I have given at previous SANS conferences called "Catching Intruders with SNARE" - http://www.sans.org/sansfire03/nial.php#barnett
>
> This presentation discusses many techniques used by BlackHats to break-in and hide on systems. It shows how you can leverage an open source tool called SNARE to capture audit data, and how to analyze this data for attack signatures. I will not focus that much on the tool, but rather the Blackhat's techniques.
>
> I think this will fit in nicely with the "Incident Examples" section we had to review.
>
> Please let me know a yeah or ney if you would like me to do this. If the neys take it, then I will continue with how we did it last week.
>
> Thanks.
>
> > Most Respectfully,
> > Ryan C. Barnett
> > SANS: GCFA, GCIH, GCUX, GSEC
> > Department of Justice - ATF
> > Information Services Division
> > Operations Security Team Lead
> > Email: Rya...@at...
> > Pager: Rya...@sk...
> > Phone: 202-927-2913
>
> -------------------------------------------------------
> This sf.net email is sponsored by: ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> SANS Local Mentor - Track 4 Website: http://apachebenchmark.sourceforge.net/sans/
> Apachebenchmark-sans-t4 mailing list
> Apa...@li...
> https://lists.sourceforge.net/lists/listinfo/apachebenchmark-sans-t4
From: <Ter...@fw...> - 2003-09-29 23:23:46
I'm a "yes" vote!

Terri Walker-Cole, CISSP
US Fish & Wildlife Service
Region 9 IT Security Manager
703-358-1740 voice
703-358-2251 fax
ter...@fw...

Rya...@at...
Sent by: apa...@li...ceforge.net
09/29/2003 05:51 PM
To: apa...@li...
cc:
Subject: [Apachebenchmark-sans-t4] RE: SANS T4 - LMP Weekly Email

I have a quick question for all of you. After reading this week's chapters, I thought I might do a presentation which I have given at previous SANS conferences called "Catching Intruders with SNARE" - http://www.sans.org/sansfire03/nial.php#barnett

This presentation discusses many techniques used by BlackHats to break-in and hide on systems. It shows how you can leverage an open source tool called SNARE to capture audit data, and how to analyze this data for attack signatures. I will not focus that much on the tool, but rather the Blackhat's techniques.

I think this will fit in nicely with the "Incident Examples" section we had to review.

Please let me know a yeah or ney if you would like me to do this. If the neys take it, then I will continue with how we did it last week.

Thanks.

> Most Respectfully,
> Ryan C. Barnett
> SANS: GCFA, GCIH, GCUX, GSEC
> Department of Justice - ATF
> Information Services Division
> Operations Security Team Lead
> Email: Rya...@at...
> Pager: Rya...@sk...
> Phone: 202-927-2913
From: York, W. <way...@ed...> - 2003-09-29 22:09:59
I'll vote "yes".

Wayde R. York, CISSP GSEC CSSP-SI
Security PM & OPSEC Mgr.
EDS SPPS (Security & Privacy Professional Services)
Attn: A2S-C60
13600 EDS Drive
Herndon, VA 20171
Phone: +01-703-733-2016
Fax: +01-703-733-2047

-----Original Message-----
From: Rya...@at... [mailto:Rya...@at...]
Sent: Monday, September 29, 2003 5:52 PM
To: apa...@li...
Subject: [Apachebenchmark-sans-t4] RE: SANS T4 - LMP Weekly Email

I have a quick question for all of you. After reading this week's chapters, I thought I might do a presentation which I have given at previous SANS conferences called "Catching Intruders with SNARE" - http://www.sans.org/sansfire03/nial.php#barnett

This presentation discusses many techniques used by BlackHats to break-in and hide on systems. It shows how you can leverage an open source tool called SNARE to capture audit data, and how to analyze this data for attack signatures. I will not focus that much on the tool, but rather the Blackhat's techniques.

I think this will fit in nicely with the "Incident Examples" section we had to review.

Please let me know a yeah or ney if you would like me to do this. If the neys take it, then I will continue with how we did it last week.

Thanks.

> Most Respectfully,
> Ryan C. Barnett
> SANS: GCFA, GCIH, GCUX, GSEC
> Department of Justice - ATF
> Information Services Division
> Operations Security Team Lead
> Email: Rya...@at...
> Pager: Rya...@sk...
> Phone: 202-927-2913
From: <Rya...@at...> - 2003-09-29 21:52:18
I have a quick question for all of you. After reading this week's chapters, I thought I might do a presentation which I have given at previous SANS conferences called "Catching Intruders with SNARE" - http://www.sans.org/sansfire03/nial.php#barnett

This presentation discusses many techniques used by BlackHats to break-in and hide on systems. It shows how you can leverage an open source tool called SNARE to capture audit data, and how to analyze this data for attack signatures. I will not focus that much on the tool, but rather the Blackhat's techniques.

I think this will fit in nicely with the "Incident Examples" section we had to review.

Please let me know a yeah or ney if you would like me to do this. If the neys take it, then I will continue with how we did it last week.

Thanks.

> Most Respectfully,
> Ryan C. Barnett
> SANS: GCFA, GCIH, GCUX, GSEC
> Department of Justice - ATF
> Information Services Division
> Operations Security Team Lead
> Email: Rya...@at...
> Pager: Rya...@sk...
> Phone: 202-927-2913
From: <Rya...@at...> - 2003-09-29 15:39:55
Greetings Everyone,

Just a quick reminder of the chapters we will be covering this week -

4.1.4 - The Six Step Approach Part III and Espionage
4.1.5 - Incident Examples
4.1.6 - Law, Crime and Evidence

We will also go over some of the Quiz questions from these sections. I have also posted a number of the PDFs and other files discussed last week on the class website.

See you all Wednesday.

> Most Respectfully,
> Ryan C. Barnett
> SANS: GCFA, GCIH, GCUX, GSEC
> Department of Justice - ATF
> Information Services Division
> Operations Security Team Lead
> Email: Rya...@at...
> Pager: Rya...@sk...
> Phone: 202-927-2913
From: mdiamond <ma...@di...> - 2003-09-28 17:11:30
Hi,

I was not able to attend the class last Friday and I was wondering what is the "topic of discussion" for next Wednesday.. Please advise..

Maria Diamond
From: <mic...@us...> - 2003-09-22 21:56:09
A fellow class member asked what software could be used on a Mac Laptop to do the same things as VMware. The product was called Virtual PC and was produced by Connectix until earlier this year when Microsoft bought them out. The product is now incorporated into the Microsoft Office V.x for Mac Professional Edition suite. Might want to look at the following:

http://www.microsoft.com/mac/products/officex/officex.aspx?pid=officex

This is what a Navy incident handler uses on a Mac G4 to be able to test suspected malware/virus/worm laden messages against Linux and Windows systems.

Mike
Who works for the Navy, but uses Army e-mail for this course
From: <Rya...@at...> - 2003-09-19 20:07:45
Greetings Everyone,

Hopefully everyone made it through Isabel OK. I will be speaking with Scott Weil over the week-end and will make sure that the coursebooks make it next week for the students who did not receive theirs on Wed PM. Please let me know if you do not receive your SANS/GIAC online account info email today from Scott.

Remember that we will be discussing the following Chapters next Wednesday -

4.1.1 - The Emergency Action Plan
4.1.2 - The Six Step Approach - Part I
4.1.3 - The Six Step Approach - Part II

Take Care.

> Most Respectfully,
> Ryan C. Barnett
> SANS: GCFA, GCIH, GCUX, GSEC
> Department of Justice - ATF
> Information Services Division
> Operations Security: Unix/Web
> Email: Rya...@at...
> Pager: Rya...@sk...
> Phone: 202-927-2913
From: York, W. <way...@ed...> - 2003-09-18 15:26:12
Greetings all. Just exercising the list to see that it works.

Wayde R. York, CISSP GSEC CSSP-SI
Security PM & OPSEC Mgr.
EDS SPPS (Security & Privacy Professional Services)
Attn: A2S-C60
13600 EDS Drive
Herndon, VA 20171
Phone: +01-703-733-2016
Fax: +01-703-733-2047