[Snort-users] ICQ 2000 Signature and firewall config

Erick Arturo Perez Huemer eperez at ...637...
Wed Oct 18 13:53:00 EDT 2000


As of versions 2000a and 2000b of ICQ, the program now has a section called
"Connection" under Preferences that allows you to select "autoconfigure
ICQ".
I noticed this because one of my users was running ICQ on his computer and I
was surprised, since I blocked all and allowed only certain traffic. My
surprise came when I noticed that ICQ is using port tcp 21 (automatically
configured) to perform connections. Obviously port 21 is open in my ipchains
rules because I need users to ftp outside sometimes...

Does anyone know a signature for ICQ so at least my IDS (Snort) can tell me who's
using it?

Any suggestion?
Erick A. Perez H.
Asesor de Seguridad Informatica
Grupo TSLC International S.A.
Tel. 223-8327 / Fax 214-9209
email: eperez at ...637...


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On behalf of Dragos Ruiu
Sent: Wednesday, 18 October 2000 1:38
To: David Harris; snort-users at lists.sourceforge.net
Subject: IDS deployment {was: Re: [Snort-users] Not able to catch
internal attacks}


On Tue, 17 Oct 2000, David Harris wrote:
> I always thought one of the advantages of IDS systems was that they were
> able to detect attacks coming from the internal network.  But with the way
> the rules are set up this is not going to happen, as most signatures are
> based on "Outside -> Inside" or "Inside -> Outside", so it won't log any
> "Inside -> Inside" attacks.


One configuration I like to use occasionally/often is one IDS watching for
stuff in the DMZ, another wired tighter watching the inside of the firewall
for stuff from/to the outside, and a third IDS system watching for
inappropriate traffic between local hosts.  Call me paranoid.   But since
snort probes are fairly economical and the CPU use is light enough to be
piggybacked on servers doing other useful work....  multiple IDSes can be a
life saver in case of a good hack where the IDS integrity may be compromised.
Defense by depth and all is stronger with multiple alarm layers.  This would
be one argument against the utility a central hacking point err... console
provides, but I'm not sure enough of that idea yet to declare it good
methodology....  It all depends on how much log-check bandwidth you have.

One should always remember that a _good_ attacker will have tools that will
elude all the off-the-shelf IDS signature collections... There are literally
dozens available... only by customizing the setup to your specific network
utilization and calling certain kinds of traffic off-limits will you gain all
the benefits that are available with such alarming systems. Then when the
unwary interloper sends something that crosses one of these booby trap
traffic red-lines you will know.  That final internal-to-internal IDS will
tell you about insiders (more often a problem than not), or if you already
have a _big_ external intruder problem. :-)

So the flip side to that is that the good defender will always have defenses
the attacker doesn't know about. The moral of the story is that it is a good
thing to become familiar with the snort rules syntax, and by just using a
canned ruleset you are missing out on the largest portion of the power
of snort.

cheers,
--dr
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Erick Arturo Perez.vcf
Type: text/x-vcard
Size: 559 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20001018/cccff29a/attachment.vcf>
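One way to turn the "traffic red-line" idea above into a concrete check for Erick's port-21 case, as an added example that is not part of the original thread or of Snort itself: instead of matching an ICQ signature directly, treat any TCP port-21 flow whose opening bytes are not an FTP greeting and command as off-limits. The example is Python rather than a Snort rule so that it can be run against constructed sample flows offline; the assumptions are the RFC 959 greeting codes (220/120/421), the fact that OSCAR (ICQ 2000/AIM) FLAP frames start with the byte 0x2A, and that "first bytes" here means the first segment payload seen in each direction. The sample flows and the function names are invented for the example.

```python
"""
Added example (not from the original thread, not Snort code): classify the
first bytes of TCP port-21 flows and flag anything that is not FTP.

Assumptions (labelled):
  * FTP servers greet with a 220 (or 120/421) reply per RFC 959.
  * FTP clients open with a 3-4 letter command such as USER, ending in CRLF.
  * OSCAR (ICQ 2000 / AIM) FLAP frames begin with the byte 0x2A ('*').
  * "server_first"/"client_first" are the first payload bytes seen in each
    direction; an empty value means that side has not spoken yet.
"""
import re

# RFC 959 greeting codes; "220-" introduces a multi-line banner.
FTP_BANNER = re.compile(rb"^(220|120|421)[ -]")
# A client command: 3-4 letters, optional argument, CRLF terminator.
FTP_COMMAND = re.compile(rb"^[A-Za-z]{3,4}( [^\r\n]*)?\r\n")
# OSCAR FLAP frame marker (assumption stated in the docstring).
OSCAR_FLAP_MARK = b"\x2a"

# Shape of an equivalent Snort rule (illustrative only, not tested here):
#   alert tcp any any -> any 21 (msg:"Non-FTP on port 21 (OSCAR FLAP)";
#                                 content:"|2a|"; offset:0; depth:1;)
# Matching a single byte is noisy; the Python below also requires the FTP
# side to *fail*, which a one-byte content match cannot express.


def classify_port21_flow(server_first: bytes, client_first: bytes) -> str:
    """Return 'ftp', 'oscar-flap' or 'unknown' for one port-21 flow."""
    server_ok = bool(FTP_BANNER.match(server_first))
    # Client may not have spoken yet; an empty client side is still FTP-like.
    client_ok = not client_first or bool(FTP_COMMAND.match(client_first))
    if server_ok and client_ok:
        return "ftp"
    if server_first[:1] == OSCAR_FLAP_MARK or client_first[:1] == OSCAR_FLAP_MARK:
        return "oscar-flap"
    return "unknown"


def audit_port21_flows(flows):
    """flows: iterable of (src, dst, server_first, client_first).

    Returns one alert string per flow that does not look like FTP; the
    caller decides what to do with them (log, page, block).
    """
    alerts = []
    for src, dst, server_first, client_first in flows:
        kind = classify_port21_flow(server_first, client_first)
        if kind != "ftp":
            alerts.append(f"{src} -> {dst}:21 non-FTP traffic ({kind})")
    return alerts


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    # Legitimate anonymous FTP session.
    ("10.0.0.5", "192.0.2.10",
     b"220 ftp.example.net FTP server ready\r\n", b"USER anonymous\r\n"),
    # ICQ "autoconfigured" onto port 21: both sides open with a FLAP frame.
    ("10.0.0.7", "198.51.100.20",
     b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01",
     b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),
    # Something else tunnelled over 21: client talks first, no FTP banner.
    ("10.0.0.9", "203.0.113.30", b"", b"GET / HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for line in audit_port21_flows(SAMPLE_FLOWS):
        print(line)
```

The check deliberately keys on what FTP must look like rather than on what ICQ looks like; a client that changes its wire format, or any other program tunnelled over port 21, still trips it. The cost is that a genuine FTP server with a non-standard greeting will show up too, which is the kind of site-specific tuning the reply above is arguing for.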

