Tag Archives: network intrusion

FreeBSD.org intrusion announced November 17th 2012

Posted on by

The compromise is believed to have occurred due to the leak of an SSH key from a developer who legitimately had access to the machines in question, and was not due to any vulnerability or code exploit within FreeBSD.

via FreeBSD.org intrusion announced November 17th 2012.

We unfortunately cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012, or of any ports compiled from trees obtained via any means other than through svn.freebsd.org or one of its mirrors. Although we have no evidence to suggest any tampering took place and believe such interference is unlikely, we have to recommend you consider reinstalling any machine from scratch, using trusted sources.

Persistent Threat Detection on a Budget

Posted on by

It’s staggering to me how few security teams have gotten wise to regularly interrogating the logs from their recursive DNS servers. In many ways DNS logging can be considered sprinkling flour on the floor to track the footsteps of the culprit who’s been raiding the family fridge. Each step leaves a visible impression of where and how the intruder navigated the kitchen, and their shoe size.

via Persistent Threat Detection on a Budget « Damballa.

To turn on logging in bind use:

# rndc querylog

This puts all DNS queries into /var/log/messages.  Just grep for named and pipe that into some custom perl script or whatever to run against a blacklist.

# grep named /var/log/messages  |  run_my_blacklist_script.pl

What Penetration Testers Find Inside Your Network

Posted on by

Why is network segmentation so important? “Today, there is still more focus on the perimeter than on internal network segmentation. Network engineers don’t realize that one successful social engineering or client-side attack could mean ‘game over’ once the attacker has that foothold,” Sanders says. Segmentation based on asset importance and level of trust is one of the most effective ways to prevent many of the attacks advanced attackers — and even himself — perform once inside a target network, he says.

via Tech Insight: What Penetration Testers Find Inside Your Network – Dark Reading.

Snort :: Home Page

Posted on by

Snort :: Home Page.

Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS.

Arp Cache Poisoning and Packet Sniffing

Posted on by

Arp cache poisoning puts the attacker in position to intercept communications between the two computers. Computer A believes it is communicating with Computer B, but because of the poisoned arp table, the communication actually goes to the attacker’s computer. The attacker can then either respond to Computer A (pretending to be Computer B), or simply forward the packets to its intended destination, but only after the packet information is captured and logged for later use by the attacker. Likewise, the response from Computer B can be captured and logged by the attacker, who has also used Arp poisoning to make Computer B think the attacker’s computer is Computer A. This type of attack is known as Man in the Middle attack.

via Arp Cache Poisoning and Packet Sniffing – ADMIN | The resource for all system administrators.

Packet injection tool suite

Posted on by

Nemesis is a command-line network packet crafting and injection utility for UNIX-like and Windows systems. Nemesis, is well suited for testing Network Intrusion Detection Systems, firewalls, IP stacks and a variety of other tasks. As a command-line driven utility, Nemesis is perfect for automation and scripting.

Nemesis can natively craft and inject ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP packets. Using the IP and the Ethernet injection modes, almost any custom packet can be crafted and injected.

via nemesis.sourceforge.net – Packet injection tool suite.