Wish list - Security


Thread: Wish list

  1. Wish list

    I would like to be able to parse my firewall listings of all the
    unsolicited traffic I receive, and be able to easily determine just what
    supposed or possible vulnerability some criminal creep was trying to find
    or exploit when each was sent. Maybe that's asking a lot, but wait,
    here's more:

    I would then like to know exactly what trojan, virus, worm or other
    malware on a zombie host would be sending those packets, what kinds of
    OS's they might be running on, how (if possible) to directly contact the
    host, and what vulnerabilities that zombied host would likely have, and
    how to exploit any such known vulnerability to stop the zombied host from
    further attacking me and others.

    I'm surely not a rich man, but would consider setting a separate firewall
    server for this purpose if it were possible or doable.

    All suggestions welcome.

    Best wishes.

  2. Re: Wish list

    Newsbox wrote:

    > I would like to be able to parse my firewall listings of all the
    > unsolicited traffic I receive, and be able to easily determine just what
    > supposed or possible vulnerability some criminal creep was trying to find
    > or exploit when each was sent. Maybe that's asking a lot, but wait,
    > here's more:
    >
    > I would then like to know exactly what trojan, virus, worm or other
    > malware on a zombie host would be sending those packets, what kinds of
    > OS's they might be running on, how (if possible) to directly contact the
    > host, and what vulnerabilities that zombied host would likely have, and
    > how to exploit any such known vulnerability to stop the zombied host from
    > further attacking me and others.
    >
    > I'm surely not a rich man, but would consider setting a separate firewall
    > server for this purpose if it were possible or doable.
    >
    > All suggestions welcome.
    >
    > Best wishes.


    I would suggest you do research on firewalls, what they are, what they do
    and what they do not do. Your question suggests a lack of understanding of
    what security is and what it takes to get a secure system. Unless you do
    some studying, you will probably never have a secure system no matter what
    firewall you put in.

    --



  3. Re: Wish list

    On Tue, 29 Nov 2005 23:43:24 -0800, matt_left_coast wrote:

    > Newsbox wrote:
    >
    >> I would like to be able to parse my firewall listings of all the
    >> unsolicited traffic I receive, and be able to easily determine just what
    >> supposed or possible vulnerability some criminal creep was trying to find
    >> or exploit when each was sent. Maybe that's asking a lot, but wait,
    >> here's more:
    >>
    >> I would then like to know exactly what trojan, virus, worm or other
    >> malware on a zombie host would be sending those packets, what kinds of
    >> OS's they might be running on, how (if possible) to directly contact the
    >> host, and what vulnerabilities that zombied host would likely have, and
    >> how to exploit any such known vulnerability to stop the zombied host from
    >> further attacking me and others.
    >>
    >> I'm surely not a rich man, but would consider setting a separate firewall
    >> server for this purpose if it were possible or doable.
    >>
    >> All suggestions welcome.
    >>
    >> Best wishes.

    >
    > I would suggest you do research on firewalls, what they are, what they do
    > and what they do not do. Your question suggests a lack of understanding of
    > what security is and what it takes to get a secure system. Unless you do
    > some studying, you will probably never have a secure system no matter what
    > firewall you put in.


    Thank you for the response. I do not want to insult your analysis at this
    time. And thank you for your (apparent) concern that I will never have a
    secure system. I would invite you to shoot at my system, if that is what
    it would take, except that I do not like "learning the hard way". I have
    had "secure systems" for some years, apparently. And that is not at all
    the focus of my request. What, for example, are these?
    port 2 udp
    port 1026 udp
    port 1911 tcp
    ....(and many, many more)

    If you had a pointer to a database of what these probes were for, it would
    really be more to the point of my question than any of your suggestions for
    "studying".

    Sorry, but I don't think you got the "gist" of my request. Thanks, but no
    thanks. Give me a database. Thanks anyway.

  4. Re: Wish list

    Newsbox wrote:

    > On Tue, 29 Nov 2005 23:43:24 -0800, matt_left_coast wrote:
    >
    >> Newsbox wrote:
    >>
    >>> I would like to be able to parse my firewall listings of all the
    >>> unsolicited traffic I receive, and be able to easily determine just what
    >>> supposed or possible vulnerability some criminal creep was trying to
    >>> find
    >>> or exploit when each was sent. Maybe that's asking a lot, but wait,
    >>> here's more:
    >>>
    >>> I would then like to know exactly what trojan, virus, worm or other
    >>> malware on a zombie host would be sending those packets, what kinds of
    >>> OS's they might be running on, how (if possible) to directly contact the
    >>> host, and what vulnerabilities that zombied host would likely have, and
    >>> how to exploit any such known vulnerability to stop the zombied host
    >>> from further attacking me and others.
    >>>
    >>> I'm surely not a rich man, but would consider setting a separate
    >>> firewall server for this purpose if it were possible or doable.
    >>>
    >>> All suggestions welcome.
    >>>
    >>> Best wishes.

    >>
    >> I would suggest you do research on firewalls, what they are, what they do
    >> and what they do not do. Your question suggests a lack of understanding of
    >> what security is and what it takes to get a secure system. Unless you do
    >> some studying, you will probably never have a secure system no matter
    >> what firewall you put in.

    >
    > Thank you for the response. I do not want to insult your analysis at this
    > time. And thank you for your (apparent) concern that I will never have a
    > secure system. I would invite you to shoot at my system, if that is what
    > it would take, except that I do not like "learning the hard way". I have
    > had "secure systems" for some years, apparently. And that is not at all
    > the focus of my request. What, for example, are these?
    > port 2 udp
    > port 1026 udp
    > port 1911 tcp
    > ...(and many, many more)
    >
    > If you had a pointer to a database of what these probes were for, it would
    > really be more to the point of my question than any of your suggestions for
    > "studying".
    >
    > Sorry, but I don't think you got the "gist" of my request. Thanks, but no
    > thanks. Give me a database. Thanks anyway.


    Well, you can spend into 6 figures and not get everything on your shopping
    list. Also, you may not *want* everything on that list.

    Suppose your software really could tell "what vulnerabilities that zombied
    host would likely have, and how to exploit any such known vulnerability to
    stop the zombied host from further attacking me and others." That changes
    like the wind, but suppose you had something completely accurate. You'd
    still need to round up exploit code, which may be coming from a rather
    unsavory source. I gather you'd like to do that in a completely automated
    fashion as well. That would be dangerous in and of itself, especially as
    you couldn't quantify a new and ever-changing risk, so automation is
    probably the last thing you want. This is a case where you need humans in
    the loop--except that it would take a full-time staff. But suppose you got
    past those difficulties as well. There's an ethics issue involved with
    pushing that exploit button, as well as the fact that you would then be in
    violation of federal law, and likely state laws as well.

    There really is only so much that can be done with automation. You'll find
    that the larger managed security services (Counterpane, etc.) pride
    themselves on the caliber of the people they have in the loop. You might
    spend some time on isc.sans.org. Read through some handler's diaries, learn
    how to submit your firewall logs, look at the port histories, etc. I think
    you might find that site both interesting and instructive.


  5. Re: Wish list

    On Wed, 30 Nov 2005 03:33:25 -0500, Newsbox wrote:
    > On Tue, 29 Nov 2005 23:43:24 -0800, matt_left_coast wrote:


    > > Newsbox wrote:
    > >
    > >> I would like to be able to parse my firewall listings of all the
    > >> unsolicited traffic I receive, and be able to easily determine just what
    > >> supposed or possible vulnerability some criminal creep was trying to find
    > >> or exploit when each was sent.
    > >> ...

    > ...
    > I have
    > had "secure systems" for some years, apparently. And that is not at all
    > the focus of my request. What, for example, are these?
    > port 2 udp
    > port 1026 udp
    > port 1911 tcp
    > ...(and many, many more)


    Try:

    http://www.iana.org

    for all such info, and specifically:

    http://www.iana.org/assignments/port-numbers

    for port numbers / services. For example, port 2 udp is:
    compressnet 2/udp Management Utility
    which you'd have to use google for to investigate further.

    Your own system might have an /etc/services file with some
    of this info.

    --
    Dale Dellutri (lose the Q's)
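
    A worked version of Dale's suggestion, added here as an example and not
    code from any poster: it parses a few constructed netfilter LOG lines
    (RFC 5737 documentation addresses, the three ports asked about above),
    labels each hit with the name from an /etc/services-style table (the
    compressnet entry is the one confirmed above; the local /etc/services is
    merged in when present) and tallies hits per port. The "observed usage"
    note for 1026/udp comes from Moe Trin's reply later in the thread about
    Messenger spam with spoofed sources; it is the kind of annotation the
    registered name alone cannot give you. The log line format, the field
    names and the excerpt table are assumptions.

```python
import re
from collections import Counter

# Constructed netfilter/iptables LOG lines for demonstration. They are not
# taken from the original poster's firewall; addresses are from the
# RFC 5737 documentation ranges, ports are the ones asked about in the thread.
SAMPLE_LOG = """\
Nov 30 03:12:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=112 ID=54321 PROTO=UDP SPT=1026 DPT=1026 LEN=20
Nov 30 03:12:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.5 LEN=40 TTL=112 ID=54322 PROTO=UDP SPT=1026 DPT=1026 LEN=20
Nov 30 03:13:40 gw kernel: IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.5 LEN=48 TTL=49 ID=1 DF PROTO=TCP SPT=4321 DPT=1911 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 30 03:14:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.34 DST=203.0.113.5 LEN=28 TTL=64 ID=0 PROTO=UDP SPT=2 DPT=2 LEN=8
Nov 30 03:14:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.34 DST=203.0.113.5 LEN=48 TTL=64 ID=0 DF PROTO=TCP SPT=4322 DPT=1911 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# Excerpt in /etc/services format. Only the compressnet lines are confirmed
# by the thread (from the IANA list); the file on your own system is merged
# in below and should be treated as the authoritative copy.
SERVICES_EXCERPT = """\
# service-name  port/protocol  [aliases ...]   # comment
compressnet     2/tcp                          # Management Utility
compressnet     2/udp                          # Management Utility
"""

# What the thread reports actually arrives on a port, as opposed to what the
# registered name says. Taken from the posts, not from any registry; this is
# the kind of "database" the original poster asked for.
OBSERVED_USAGE = {
    (1026, "udp"): "Messenger service spam; source addresses are commonly spoofed",
}


def parse_services(text):
    """Parse /etc/services-style text into {(port, proto): name}."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        try:
            table[(int(port), proto.lower())] = fields[0]
        except ValueError:
            continue                             # malformed port field
    return table


def load_system_services(path="/etc/services"):
    """Read the local services file; an empty table if it is missing."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return parse_services(fh.read())
    except OSError:
        return {}


LOG_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Pull SRC/DST/PROTO/DPT out of a netfilter LOG line, or return None."""
    if "kernel:" not in line:
        return None
    fields = dict(LOG_FIELD.findall(line.split("kernel:", 1)[1]))
    try:
        return {
            "src": fields["SRC"],
            "dst": fields["DST"],
            "proto": fields["PROTO"].lower(),
            "dport": int(fields["DPT"]),
        }
    except (KeyError, ValueError):
        return None                              # ICMP and malformed lines carry no DPT


def annotate(lines, services, notes):
    """Label each parsed record with the registered name and any observed-usage note."""
    records = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        key = (rec["dport"], rec["proto"])
        rec["service"] = services.get(key, "unknown")
        rec["note"] = notes.get(key, "")
        records.append(rec)
    return records


def summarize(records):
    """Count hits per (proto, dport); most_common() gives the noisiest ports first."""
    return Counter((r["proto"], r["dport"]) for r in records)


if __name__ == "__main__":
    table = {**load_system_services(), **parse_services(SERVICES_EXCERPT)}
    recs = annotate(SAMPLE_LOG.splitlines(), table, OBSERVED_USAGE)
    for (proto, port), n in summarize(recs).most_common():
        name = table.get((port, proto), "unknown")
        note = OBSERVED_USAGE.get((port, proto), "")
        print(f"{port:>5}/{proto:<3} {n:>3} hits  {name:<12} {note}")
```

    Feed it `grep kernel: /var/log/messages` instead of the sample and the
    per-port tally is the starting point for the homework the thread talks
    about: the registered name only tells you what the port was assigned
    for, and the note column has to be filled in from sources such as the
    isc.sans.org port histories.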

  6. Re: Wish list

    Newsbox wrote:

    > On Tue, 29 Nov 2005 23:43:24 -0800, matt_left_coast wrote:
    >
    >> Newsbox wrote:
    >>
    >>> I would like to be able to parse my firewall listings of all the
    >>> unsolicited traffic I receive, and be able to easily determine just what
    >>> supposed or possible vulnerability some criminal creep was trying to
    >>> find
    >>> or exploit when each was sent. Maybe that's asking a lot, but wait,
    >>> here's more:
    >>>
    >>> I would then like to know exactly what trojan, virus, worm or other
    >>> malware on a zombie host would be sending those packets, what kinds of
    >>> OS's they might be running on, how (if possible) to directly contact the
    >>> host, and what vulnerabilities that zombied host would likely have, and
    >>> how to exploit any such known vulnerability to stop the zombied host
    >>> from further attacking me and others.
    >>>
    >>> I'm surely not a rich man, but would consider setting a separate
    >>> firewall server for this purpose if it were possible or doable.
    >>>
    >>> All suggestions welcome.
    >>>
    >>> Best wishes.

    >>
    >> I would suggest you do research on firewalls, what they are, what they do
    >> and what they do not do. Your question suggests a lack of understanding of
    >> what security is and what it takes to get a secure system. Unless you do
    >> some studying, you will probably never have a secure system no matter
    >> what firewall you put in.

    >
    > Thank you for the response. I do not want to insult your analysis at this
    > time.


    Insult all you want, you would only be confirming your ignorance. C'ya,
    chump. Don't come crying to us when your system is hacked.



  7. Re: Wish list

    Greg Metcalfe wrote:

    > Newsbox wrote:
    >
    >> On Tue, 29 Nov 2005 23:43:24 -0800, matt_left_coast wrote:
    >>
    >>> Newsbox wrote:
    >>>
    >>>> I would like to be able to parse my firewall listings of all the
    >>>> unsolicited traffic I receive, and be able to easily determine just
    >>>> what supposed or possible vulnerability some criminal creep was trying
    >>>> to find
    >>>> or exploit when each was sent. Maybe that's asking a lot, but wait,
    >>>> here's more:
    >>>>
    >>>> I would then like to know exactly what trojan, virus, worm or other
    >>>> malware on a zombie host would be sending those packets, what kinds of
    >>>> OS's they might be running on, how (if possible) to directly contact
    >>>> the host, and what vulnerabilities that zombied host would likely have,
    >>>> and how to exploit any such known vulnerability to stop the zombied
    >>>> host from further attacking me and others.
    >>>>
    >>>> I'm surely not a rich man, but would consider setting a separate
    >>>> firewall server for this purpose if it were possible or doable.
    >>>>
    >>>> All suggestions welcome.
    >>>>
    >>>> Best wishes.
    >>>
    >>> I would suggest you do research on firewalls, what they are, what they
    >>> do and what they do not do. Your question suggests a lack of
    >>> understanding of what security is and what it takes to get a secure
    >>> system. Unless you do some studying, you will probably never have a
    >>> secure system no matter what firewall you put in.

    >>
    >> Thank you for the response. I do not want to insult your analysis at
    >> this
    >> time. And thank you for your (apparent) concern that I will never have a
    >> secure system. I would invite you to shoot at my system, if that is what
    >> it would take, except that I do not like "learning the hard way". I have
    >> had "secure systems" for some years, apparently. And that is not at all
    >> the focus of my request. What, for example, are these?
    >> port 2 udp
    >> port 1026 udp
    >> port 1911 tcp
    >> ...(and many, many more)
    >>
    >> If you had a pointer to a database of what these probes were for, it
    >> would really be more to the point of my question than any of your
    >> suggestions for "studying".
    >>
    >> Sorry, but I don't think you got the "gist" of my request. Thanks, but
    >> no
    >> thanks. Give me a database. Thanks anyway.

    >
    > Well, you can spend into 6 figures and not get everything on your shopping
    > list. Also, you may not *want* everything on that list.
    >
    > Suppose your software really could tell "what vulnerabilities that zombied
    > host would likely have, and how to exploit any such known vulnerability to
    > stop the zombied host from further attacking me and others." That changes
    > like the wind, but suppose you had something completely accurate. You'd
    > still need to round up exploit code, which may be coming from a rather
    > unsavory source. I gather you'd like to do that in a completely automated
    > fashion as well. That would be dangerous in and of itself, especially as
    > you couldn't quantify a new and ever-changing risk, so automation is
    > probably the last thing you want. This is a case where you need humans in
    > the loop--except that it would take a full-time staff. But suppose you got
    > past those difficulties as well. There's an ethics issue involved with
    > pushing that exploit button, as well as the fact that you would then be in
    > violation of federal law, and likely state laws as well.
    >
    > There really is only so much that can be done with automation. You'll find
    > that the larger managed security services (Counterpane, etc.) pride
    > themselves on the caliber of the people they have in the loop. You might
    > spend some time on isc.sans.org. Read through some handler's diaries,
    > learn how to submit your firewall logs, look at the port histories, etc. I
    > think you might find that site both interesting and instructive.


    Newsbox does not want to LEARN anything and does not want to take advice.

    --



  8. Re: Wish list

    Newsbox wrote:

    > I do not want to insult your analysis at this
    > time. And thank you for your (apparent) concern that I will never have a
    > secure system.


    Read and LEARN, CHUMP:

    http://software.newsforge.com/softwa...2.shtml?tid=78

    QUOTE

    The truth is, anti-virus software, firewalls, and intrusion detection are
    only the surface of security. They are all reactive measures that attempt
    to respond to active threats, rather than proactive measures that
    anticipate threats and try to make them harmless. These applications have a
    major role to play, but are not enough in themselves.

    /QUOTE

    I DO want to insult your approach, it will not be effective.

    --



  9. Re: Wish list

    On Wed, 30 Nov 2005 12:27:38 +0000, Dale Dellutri wrote:

    > On Wed, 30 Nov 2005 03:33:25 -0500, Newsbox wrote:
    >> On Tue, 29 Nov 2005 23:43:24 -0800, matt_left_coast wrote:

    >
    >> > Newsbox wrote:
    >> >
    >> >> I would like to be able to parse my firewall listings of all the
    >> >> unsolicited traffic I receive, and be able to easily determine just what
    >> >> supposed or possible vulnerability some criminal creep was trying to find
    >> >> or exploit when each was sent.
    >> >> ...

    >> ...
    >> I have
    >> had "secure systems" for some years, apparently. And that is not at all
    >> the focus of my request. What, for example, are these?
    >> port 2 udp
    >> port 1026 udp
    >> port 1911 tcp
    >> ...(and many, many more)

    >
    > Try:
    >
    > http://www.iana.org
    >
    > for all such info, and specifically:
    >
    > http://www.iana.org/assignments/port-numbers
    >
    > for port numbers / services. For example, port 2 udp is:
    > compressnet 2/udp Management Utility
    > which you'd have to use google for to investigate further.
    >
    > Your own system might have an /etc/services file with some
    > of this info.


    Thank you. I have indeed seen these before, and it is indeed a starting
    point. I think I'll need to do some considerable homework to get to a
    point where I can even begin to easily correlate what is incoming with
    what might be sending these packets, if that is even possible. I'll also
    be trying to respond to Mr. Metcalfe, who makes some important points that
    require response re: ethics and legal considerations. Thanks again.

  10. Re: Wish list

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Dale Dellutri wrote:

    > On Wed, 30 Nov 2005 03:33:25 -0500, Newsbox wrote:
    >> On Tue, 29 Nov 2005 23:43:24 -0800, matt_left_coast wrote:

    >
    >> > Newsbox wrote:
    >> >
    >> >> I would like to be able to parse my firewall listings of all the
    >> >> unsolicited traffic I receive, and be able to easily determine just
    >> >> what supposed or possible vulnerability some criminal creep was trying
    >> >> to find or exploit when each was sent.
    >> >> ...

    >> ...
    >> I have
    >> had "secure systems" for some years, apparently. And that is not at all
    >> the focus of my request. What, for example, are these?
    >> port 2 udp
    >> port 1026 udp
    >> port 1911 tcp
    >> ...(and many, many more)

    >
    > Try:
    >
    > http://www.iana.org
    >
    > for all such info, and specifically:
    >
    > http://www.iana.org/assignments/port-numbers
    >
    > for port numbers / services. For example, port 2 udp is:
    > compressnet 2/udp Management Utility
    > which you'd have to use google for to investigate further.
    >
    > Your own system might have an /etc/services file with some
    > of this info.
    >

    Yeah, I considered giving those two references, too. But the post was
    already getting long, and the whole standard services thing is so easily
    (and commonly) subverted. /etc/services is used by the library calls seen
    in man(3) getservent, etc. So, Bad Guys can just avoid those calls.

    Striking a balance between getting good starting info out there, which
    everyone dealing with this stuff has to know about (as you've done) and
    confusing many people, which is what I've probably done in the first para
    above, is always tough. Particularly since this isn't a classroom
    environment, face to face conversation, etc. It's hard to judge anyone's
    background.

    I'm certainly not very good at it. I hope I'm not just confusing the issue
    here, but I'll probably risk doing it some more by putting a couple of
    legal caveats into that piece of the thread as well.

    Cheers,

    Greg
    GPG key fingerprint: 95B3 2BDD 9152 1E7D A240 37C1 7AE2 9B71 0065 F029

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.7 (GNU/Linux)

    iD8DBQFDjkV0euKbcQBl8CkRAjNvAJ4i01p3p/e/bCRiODxQptgNvDndEACdECuH
    ExoDa20O1wu1ghP5QiQO2cw=
    =fBi7
    -----END PGP SIGNATURE-----

  11. Re: Wish list

    On Wed, 30 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in article
    <4qGdnRaAdahI_hDenZ2dnUVZ_sOdnZ2d@acadia.net>, Newsbox wrote:

    >>> I would like to be able to parse my firewall listings of all the
    >>> unsolicited traffic I receive, and be able to easily determine just what
    >>> supposed or possible vulnerability some criminal creep was trying to find
    >>> or exploit when each was sent.


    Keep that last part in mind

    >>> I would then like to know exactly what trojan, virus, worm or other
    >>> malware on a zombie host would be sending those packets,


    windoze malware du jour

    >> how (if possible) to directly contact the host


    man whois but it's HIGHLY unlikely you'll contact the responsible party.

    >>> how to exploit any such known vulnerability to stop the zombied host from
    >>> further attacking me and others.


    Get your dictionary out, and look up the word "vigilante", then contact your
    lawyer and see how you would be considered differently from the "criminal
    creep" you referred to above. Got any kids? Does the younger one saying
    that the older one started it (or vice versa) make any difference when you
    are disciplining them for doing something st00pid? Watch NFL football?
    Ever notice how often it's the idiot who retaliates who draws the flag, not
    the instigator?

    >What, for example, are these?
    >port 2 udp
    >port 1026 udp


    RFC0768 User Datagram Protocol. J. Postel. Aug-28-1980. (Format: TXT=5896
    bytes) (Also STD0006) (Status: STANDARD)

    Short and sweet - then do a little research on Messenger spam at google,
    and discover how the spammers are spoofing source IP addresses. Your
    counter-attack would probably be aimed at an innocent party, who might NOT
    be as foolish as you, and complain directly to your ISP.

    >Sorry, but I don't think you got the "gist" of my request.


    We do. Your firewall is blocking this **** - IGNORE IT. You are not the
    mighty avenger who is going to clean up the world.

    Old guy

  12. Re: Wish list

    Newsbox wrote:

    > I'll need to do some considerable homework


    Duh, My original suggestion. You will probably find that the points that you
    have dismissed are indeed valid.

    Good Luck, chump.

    --



  13. Re: Wish list

    Moe Trin wrote:

    > On Wed, 30 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in
    > article <4qGdnRaAdahI_hDenZ2dnUVZ_sOdnZ2d@acadia.net>, Newsbox wrote:
    >
    >>>> I would like to be able to parse my firewall listings of all the
    >>>> unsolicited traffic I receive, and be able to easily determine just
    >>>> what supposed or possible vulnerability some criminal creep was trying
    >>>> to find or exploit when each was sent.

    >
    > Keep that last part in mind
    >
    >>>> I would then like to know exactly what trojan, virus, worm or other
    >>>> malware on a zombie host would be sending those packets,

    >
    > windoze malware du jour
    >
    >>> how (if possible) to directly contact the host

    >
    > man whois but it's HIGHLY unlikely you'll contact the responsible
    > party.
    >
    >>>> how to exploit any such known vulnerability to stop the zombied host
    >>>> from further attacking me and others.

    >
    > Get your dictionary out, and look up the word "vigilante", then contact
    > your lawyer and see how you would be considered differently from the
    > "criminal
    > creep" you referred to above. Got any kids? Does the younger one saying
    > that the older one started it (or vice versa) make any difference when you
    > are disciplining them for doing something st00pid? Watch NFL football?
    > Ever notice how often it's the idiot who retaliates who draws the flag,
    > not the instigator?
    >
    >>What, for example, are these?
    >>port 2 udp
    >>port 1026 udp

    >
    > RFC0768 User Datagram Protocol. J. Postel. Aug-28-1980. (Format:
    > TXT=5896
    > bytes) (Also STD0006) (Status: STANDARD)
    >
    > Short and sweet - then do a little research on Messenger spam at google,
    > and discover how the spammers are spoofing source IP addresses. Your
    > counter-attack would probably be aimed at an innocent party, who might NOT
    > be as foolish as you, and complain directly to your ISP.
    >
    >>Sorry, but I don't think you got the "gist" of my request.

    >
    > We do. Your firewall is blocking this **** - IGNORE IT. You are not the
    > mighty avenger who is going to clean up the world.
    >
    > Old guy


    begin Curly voice> Hey Moe!
    Last time you and I posted to the same thread was, I think:
    http://groups.google.com/group/comp....thread/thread/
    66226423ddc7b208/8cf33a82ffa60352?lnk=st&q=Old+Guy++Greg+group%3Acomp.os.
    linux.security&rnum=1&hl=en#8cf33a82ffa60352

    You were the voice of reason. Helpful, friendly. Insert more positive
    adjectives here.

    I think the context here is that we've got a relative newcomer to the field,
    who's been looking at some logs, is just mad as hell, and wants to learn
    enough to *do* something.

    It's actually kind of refreshing, after a couple of days of dealing with
    people who not only don't know their Win boxes are Own3d, but don't seem to
    care. I'm seriously glad that I don't have to deal with that all the time.

    FWIW, I've had a personal mail from Newsbox, as his Usenet server is in a
    state of at least intermittent borkenness at the moment. He seemed a pretty
    reasonable guy in that mail, despite the tone of the first post. I'm a huge
    believer in cutting New Guys some slack. A percentage of them figure out
    how things work, socially and technically, and end up contributing all
    sorts of great stuff. That applies whether it's a new would-be contributor
    to an Open Source project, Usenet, or whatever.

    Sorry if this sounds like a rant. It's not intended to be. I've just spent
    half the day, and will probably spend much of the evening, grovelling
    through some old LKML threads, on a client project. All that flamage hurtz
    my brane. All week, it's been one daymare after another.

    Ah, well. Off to start the coffee maker, and visit alt.sysadmin.recovery,
    wherein I will re-learn that Life, if not Good, is at least a Damned Sight
    Better than I Thought. Then I can get back to work. Yes, I admit that when
    you're depending on the Scary Devil Monastery for your sanity, something is
    fundamentally borken, at a weird Lovecraftian level.

    --
    GPG fingerprint: 95B3 2BDD 9152 1E7D A240 37C1 7AE2 9B71 0065 F029

  14. Re: Wish list

    Newsbox wrote:

    > I would like to be able to parse my firewall listings of all the
    > unsolicited traffic I receive, and be able to easily determine just
    > what supposed or possible vulnerability some criminal creep was
    > trying to find
    > or exploit when each was sent. Maybe that's asking a lot, but wait,
    > here's more:
    >
    > I would then like to know exactly what trojan, virus, worm or other
    > malware on a zombie host would be sending those packets, what kinds
    > of OS's they might be running on, how (if possible) to directly
    > contact the host, and what vulnerabilities that zombied host would
    > likely have, and how to exploit any such known vulnerability to stop
    > the zombied host from further attacking me and others.


    Look up tar pit.


    >
    > I'm surely not a rich man, but would consider setting a separate
    > firewall server for this purpose if it were possible or doable.
    >
    > All suggestions welcome.
    >
    > Best wishes.


    --
    "There is a word in Newspeak," said Syme. "I don't
    know whether you know it: duckspeak, to quack like
    a duck. It is one of those interesting words that
    have two contradictory meanings. Applied to an
    opponent, it is abuse; applied to someone you agree
    with, it is praise."
        -George Orwell, "Nineteen Eighty-Four"


    Cheerful Charlie

  15. Re: Wish list

    On Wed, 30 Nov 2005 02:43:53 -0800, Greg Metcalfe wrote:

    [...]
    >
    > Well, you can spend into 6 figures and not get everything on your
    > shopping list. Also, you may not *want* everything on that list.
    >
    > Suppose your software really could tell "what vulnerabilities that
    > zombied host would likely have, and how to exploit any such known
    > vulnerability to stop the zombied host from further attacking me and
    > others." That changes like the wind, but suppose you had something
    > completely accurate. You'd still need to round up exploit code, which
    > may be coming from a rather unsavory source. I gather you'd like to do
    > that in a completely automated fashion as well. That would be dangerous
    > in and of itself, especially as you couldn't quantify a new and
    > ever-changing risk, so automation is probably the last thing you want.
    > This is a case where you need humans in the loop--except that it would
    > take a full-time staff. But suppose you got past those difficulties as
    > well. There's an ethics issue involved with pushing that exploit button,
    > as well as the fact that you would then be in violation of federal law,
    > and likely state laws as well.
    >
    > There really is only so much that can be done with automation. You'll
    > find that the larger managed security services (Counterpane, etc.) pride
    > themselves on the caliber of the people they have in the loop. You might
    > spend some time on isc.sans.org. Read through some handler's diaries,
    > learn how to submit your firewall logs, look at the port histories, etc.
    > I think you might find that site both interesting and instructive.


    Thanks for good discussion and suggestions. Your comments are all well
    taken, and noted. Particularly outstanding are the ethics / legal
    issues, as well as "unsavory...".

    I want to say and stress that I have no intention of doing anything
    unethical and certainly not illegal. Nor do I want to break anyone's
    systems. On the other hand, if someone's boxen are compromised,
    hypothetically, it might be a very good favor to let them know about it.
    And I was really thinking more in terms of (something like) being able
    to send someone an IM, and I'm not really sure if doing that or some
    kind of popup would be unethical or illegal. I suppose that even an
    unsolicited IM or popup _could_ break something on some system, even
    without malicious intent, or could be considered an intrusion. I would
    be interested in exploring or knowing the relative propriety / ethics /
    legality of sending an IM or popup message in response to some
    particular unsolicited traffic from that same IP address. "Exploit"
    and "vulnerability" are probably poor semantic choices, and in a more
    polite society we would all ideally never even send unwanted messages.
    Agreeable and agreed. That is surely the safest and least
    controversial; it may well also be the only legal option, I don't know.

    I feel quite sure there are very many very high quality people working
    in security concerns, and I am equally sure they will be well needed
    for quite some time in the future. I am grateful to you for not
    letting this point go unnoticed or unmentioned. I mean no disrespect
    by my questions, and they are absolutely only hypothetical.

    A few others:
    I have been submitting logs for years to mynetwatchman, and recently
    planned to switch over to the isc-sans submission, ran into a snag or
    interruption and haven't gotten back to it yet. Aggregated logs are
    surely an important tool and I agree that is a worthwhile thing for
    everyone to do.

    The sans port details are indeed the best source I have found for these
    details, are well organized and easy to use. They do take some time,
    naturally, to digest.

    Agreed, complete or completely accurate data are not possible and
    shouldn't be a goal. Also agreed with your discussion of automation.

    If it is categorically illegal to send a response of any kind to
    unsolicited traffic, then the whole idea is DOA. Without exploring, I
    don't know that there isn't some ethical, legal middle ground here.

    I acknowledge with thanks your many other thoughts and particularly
    endorse your suggestion to read the isc.sans.org diaries. And there are
    surely large difficulties and pitfalls in any possible active effort. I
    appreciate your time and thoughts. Thanks again.

    --------------------------------------
    PS to group.

    I wrote the above yesterday, but could not post to or read the group
    directly. I regret that I was not able to respond in a timely way to
    each of the good suggestions and sincere responses written here. I
    believe I have read them all. Thank you.

  16. Re: Wish list

    On Wed, 30 Nov 2005 19:07:55 -0600, Moe Trin wrote:

    > On Wed, 30 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in article
    > <4qGdnRaAdahI_hDenZ2dnUVZ_sOdnZ2d@acadia.net>, Newsbox wrote:
    >
    >>>> I would like to be able to parse my firewall listings of all the
    >>>> unsolicited traffic I receive, and be able to easily determine just what
    >>>> supposed or possible vulnerability some criminal creep was trying to find
    >>>> or exploit when each was sent.

    >
    > Keep that last part in mind
    >


    Sure, ok, I got it grokked in...

    >>>> I would then like to know exactly what trojan, virus, worm or other
    >>>> malware on a zombie host would be sending those packets,

    >
    > windoze malware du jour
    >


    You are undoubtedly 100% correct. I was looking for a fairly easy, quick
    and accurate way to get specific information. Your generalization is
    at least fast and correct, I believe.

    >>> how (if possible) to directly contact the host

    >
    > man whois but it's HIGHLY unlikely you'll contact the responsible party.
    >


    Thanks for the tip. I was actually already familiar with "whois", but
    possibly not all readers were. And then there's the part about the low
    contact success. It's sad, but "whois" really isn't much help in most
    cases, as necessary a utility as it may be. You have given better tips in
    the past.

    >>>> how to exploit any such known vulnerability to stop the zombied host from
    >>>> further attacking me and others.

    >
    > Get your dictionary out, and look up the word "vigilante", then contact your
    > lawyer and see how you would be considered differently from the "criminal
    > creep" you referred to above. Got any kids? Does the younger one saying
    > that the older one started it (or vice versa) make any difference when you
    > are disciplining them for doing something st00pid? Watch NFL football?
    > Ever notice how often it's the idiot who retaliates who draws the flag, not
    > the instigator?
    >


    Right! Agreed. I guess I let myself open for that blast. Please kindly
    read my response to Greg Metcalfe's kind (first) message, (written
    yesterday but only posted today) in which I hope my motives and intentions
    are more clearly made. I tried there to be very carefully descriptive in
    discussion of ethics and legality, but may not have done it clearly enough
    yet. I don't break into houses and steal peoples' stuffs, and I don't
    break into people's computers and steal their stuffs (or break them).

    I accept responsibility for failing to properly express myself the first
    time, and hold you blameless for moral indignation. You did seem to
    manage to misunderstand what I did feel I wrote clearly, so I'm assigning
    you a share equal to any of my own for any misunderstanding. I regret and
    cannot accept responsibility for a society and "network mindset" in which
    the only descriptive terms are highly pejorative like "exploit" and
    "vulnerability". That does make it harder to write clearly.
    In my opinion, when the only operative words available are "buzzwords",
    then most of the thought process is excluded from the discussion by
    default.

    Get your dictionary out, and look up the word "love". That modern word
    was once represented by at least four words: storge, philia, eros and
    agape. The woman I "love" likes to use e-mail, go shopping on-line and
    surf the web. She likes to use Microsoft Windows OS's, uses Windows at
    work, and doesn't feel comfortable with my *nix systems. And I want her
    to be happy. Period. I think you know where this is going, which is that
    all of these random attacks are interfering with my peace of mind and
    domestic tranquility, and cutting heavily into my free time. In short,
    Sir Moe, I am motivated.

    >>What for example are these:?
    >>port 2 udp
    >>port 1026 udp

    >
    > RFC0768 User Datagram Protocol. J. Postel. Aug-28-1980. (Format: TXT=5896
    > bytes) (Also STD0006) (Status: STANDARD)
    >
    > Short and sweet - then do a little research on Messenger spam at google,
    > and discover how the spammers are spoofing source IP addresses. Your
    > counter-attack would probably be aimed at an innocent party, who might NOT
    > be as foolish as you, and complain directly to your ISP.
    >


    I didn't do the research you ordered. "Fill out a form." I am already
    somewhat familiar with the subject matter to which you refer. Your
    presumption is (I take it) intentionally offensive. If your intention was
    not to offend, you failed and I apologize for a curt (if correct)
    answer. If you seriously want to talk about spoofing, start a new thread.

    >>Sorry, but I don't think you got the "gist" of my request.

    >
    > We do.


    You said earlier:
    "> windoze malware du jour"
    I think you (specifically _you_, as opposed to "you all") didn't. I see
    from other replies that some _did_ get it. Is there more than one of you
    here? Or maybe it's the Royal we. Or if you did get it then you simply
    ignored it, glossed over it with a sweeping generalization, something like
    that. You will probably never see the "devil in the details" if you only
    think and write in generalizations.

    > Your firewall is blocking this **** - IGNORE IT. You are not the
    > mighty avenger who is going to clean up the world.
    >


    With all due and sincere respects and no hard feelings (plus continued
    appreciation of much good help in the past), this does not show your best
    qualities. You have no way of knowing that I have not already saved your
    respected butt and the lives and futures of all your children and cousins
    and sisters and aunts, more than once. For a little while at least. Don't
    thank me, I didn't do it for you specifically. And you would be and are
    welcome anyway. Best wishes.

    > Old guy



  17. Re: Wish list

    On Wed, 30 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in article
    <4Itjf.92$IU5.1626@news.uswest.net>, Greg Metcalfe wrote:

    >>>>> how to exploit any such known vulnerability to stop the zombied host
    >>>>> from further attacking me and others.


    >I think the context here is that we've got a relative newcomer to the field,
    >who's been looking at some logs, is just mad as hell, and wants to learn
    >enough to *do* something.


    which is why I brought it up as the two children claiming that the other
    one started it. That excuse doesn't fly then, and it won't fly now. The
    line above is what set off that reaction.

    In reality, there isn't that much the O/P can do beyond seeing that the
    firewall rules are reasonable. Complaining to many ISPs, especially the
    ones with tons of zombied dumb user boxes (I could name a few, but I
    won't), is usually a waste of bandwidth.

    Messenger spam? Or indeed most UDP? Waste of time - because it's going
    to be against a spoofed address. Early last month, I turned on tcpdump
    on my home firewall for a seven day period. I was specifically looking
    at 'udp and not port 53'. I was seeing an average of a thousand hits a
    day to ports 1025-1035. Most of the packets claimed to come from Asia,
    but when I did stats on this against the RIR databases, I found that
    about 3 percent were from IP blocks that IANA hasn't assigned to RIRs,
    never mind the RIR assigning/allocating it to anyone. There are about
    3.725e9 available IP addresses, and 2.208e9 of those are assigned or
    allocated by the RIRs (59.3%). Are all of the spammers so st00pid that
    they are using random numbers _including those not allocated_ for their
    source addresses? That's almost as likely as them using their own real
    addresses. Remember some people filter for unbelievable addresses on
    routers. Also, if you've been following Bugtraq, you may have seen the
    articles by Matthias Leisi around the second week of November (subject
    "A day in the life of a spammer" though I'm sure that's not it...
    uggc://zngguvnf.yrvfv.arg/nepuvirf/126-n-qnl-va-gur-yvsr-bs-n-fcnzzre.ugzy).
    The web sites advertised in the messenger spam had ALL been registered
    not more than four days before the spam run, and all are dead now.

    >Sorry if this sounds like a rant. It's not intended to be.


    Not taken as such.

    >Ah, well. Off to start the coffee maker, and visit nyg.flfnqzva.erpbirel


    "never heard of it"

    >wherein I will re-learn that Life, if not Good, is at least a Damned Sight
    >Better than I Thought.


    Are they still publishing that? Last time I was in the doctor's office,
    there were a few issues, along with 'Look' and the 'Saturday Evening Post'.

    >Then I can get back to work. Yes, I admit that when you're depending on
    >the Scary Devil Monastery for your sanity, something is fundamentally
    >borken, at a weird Lovecraftian level.


    I dunno - in some ways it makes you feel better that at least _I_ wouldn't
    be drinking some of _that_ stuff (gur irel vqrn bs terra fgnvaf ba gur
    cbeprynva...) no matter how bad the lusers are. I'm not that desperate yet.

    Old guy
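
The triage described in the post above (a week of `udp and not port 53`, tallied by destination port and checked for source addresses that cannot be real) is easy to script. The block below is an added example, not code from the thread. The log lines are constructed to resemble tcpdump's default `IP src.sport > dst.dport: UDP, length N` output, and the "bogon" table is only the fixed special-purpose ranges (RFC 1918, 0/8, 240/4, 198.18/15 and so on); the blocks IANA has not yet handed to an RIR change over time, so reproducing the post's "percent unallocated" figure needs a current bogon feed or the RIR delegation files, which this example does not fetch.

```python
"""
Triage of a 'udp and not port 53' capture.  Added example, not from the
thread.  Log format and the BOGONS table are assumptions; see the comments.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample, not real traffic.  203.0.113.0/24 and 198.51.100.0/24
# are RFC 5737 documentation blocks standing in for ordinary routable
# addresses; 10/8, 240/4 and 198.18/15 play the "unbelievable" sources.
SAMPLE_LOG = """\
12:00:01.000001 IP 203.0.113.7.1234 > 198.51.100.9.1026: UDP, length 480
12:00:02.000001 IP 203.0.113.7.1234 > 198.51.100.9.1027: UDP, length 480
12:00:03.000001 IP 203.0.113.88.4321 > 198.51.100.9.1026: UDP, length 480
12:00:04.000001 IP 10.77.1.5.40000 > 198.51.100.9.1026: UDP, length 480
12:00:05.000001 IP 192.0.2.44.53 > 198.51.100.9.32771: UDP, length 120
12:00:06.000001 IP 240.1.2.3.5555 > 198.51.100.9.1026: UDP, length 480
12:00:07.000001 IP 203.0.113.7.1234 > 198.51.100.9.2: UDP, length 40
12:00:08.000001 IP 198.18.0.1.6000 > 198.51.100.9.1030: UDP, length 480
12:00:09.000001 IP 203.0.113.201.1900 > 198.51.100.9.1034: UDP, length 480
12:00:10.000001 IP 203.0.113.7.1234 > 198.51.100.9.1026: UDP, length 480
12:00:11.000001 IP 203.0.113.50.443 > 198.51.100.9.51234: Flags [S.], seq 1, ack 2, win 65535, length 0
"""

# tcpdump's IPv4 UDP line; anything else (TCP, ICMP, IPv6) is ignored.
UDP_LINE = re.compile(
    r"IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): UDP"
)

# Fixed special-purpose ranges that should never be a source on the public
# Internet.  This is NOT the list of blocks IANA has not handed to an RIR;
# that list changes, so pull a current bogon feed for that figure.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

MESSENGER_PORTS = range(1025, 1036)   # the 1025-1035 band from the post


def parse_udp(line):
    """Return (src, sport, dst, dport) for a UDP line, or None for anything else."""
    m = UDP_LINE.search(line)
    if not m:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def is_bogon(addr):
    """True if addr lies in a range that cannot be a legitimate public source."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGONS)


def summarize(log_text):
    """Apply the 'udp and not port 53' filter and tally what is left."""
    by_dport, by_src = Counter(), Counter()
    records = bogons = 0
    for line in log_text.splitlines():
        rec = parse_udp(line)
        if rec is None:
            continue
        src, sport, dst, dport = rec
        if sport == 53 or dport == 53:      # leave DNS out, as the post did
            continue
        records += 1
        by_dport[dport] += 1
        by_src[src] += 1
        if is_bogon(src):
            bogons += 1
    return {
        "udp_records": records,
        "messenger_range_hits": sum(n for p, n in by_dport.items() if p in MESSENGER_PORTS),
        "hits_by_dport": by_dport,
        "bogon_sources": bogons,
        "bogon_fraction": bogons / records if records else 0.0,
        "top_sources": by_src.most_common(3),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['udp_records']} non-DNS UDP hits, {s['messenger_range_hits']} in 1025-1035")
    print(f"{s['bogon_sources']} from reserved/unroutable sources "
          f"({s['bogon_fraction']:.0%}): spoofed, not worth a complaint")
    for src, n in s["top_sources"]:
        print(f"  {src:16} {n}")
```

A source that shows up as a bogon is proof the packet was spoofed, so a whois lookup or an abuse complaint on it is wasted effort; a source that is not a bogon still proves nothing about the sender, which is the post's point about UDP generally.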


  18. Re: Wish list

    On Thu, 01 Dec 2005, in the Usenet newsgroup comp.os.linux.security, in article
    , Newsbox wrote:

    >You are undoubtedly 100% correct. I was looking for a fairly easy, quick
    >and accurate way to specific information. Your generalization is
    >at least fast and correct, I believe.


    Unfortunately. The stuff tends to morph fairly quickly, so many lists
    that are available tend to be somewhat behind.

    >Thanks for the tip. I was actually already familiar with "whois", but
    >possibly not all readers were. And then there's the part about the low
    >contact success. It's sad, but "whois" really isn't much help in most
    >cases, as necessary a utility as it may be. You have given better tips in
    >the past.


    Simple explanation - whois gets you to the entity assigned the address
    space. If the address is a major ISP such as 'comcast' or 'telus' or
    similar, it is possible (but unlikely) that a message will be sent to
    the box owner. You won't be informed, due to privacy laws and the like.
    The EU is fairly strict about this, and some European ISPs have taken
    that as a reason to /dev/null complaints about users. I used to get
    decent results to complaints sent there. Not any more. If the address
    is an Asian ISP - Korea is particularly bad - even if someone reads the
    complaint, it will be tossed.

    >Right! Agreed. I guess I let myself open for that blast.


    Sorry - the thing that triggered that response was the indication you
    wanted to counter-attack. "how to exploit any such known vulnerability"
    is just plain bad procedure.

    >Please kindly read my response to Greg Metcalfe's kind (first) message,
    >(written yesterday but only posted today)


    and after I had written my response and put it into the queue. That was
    also after your response to matt_left_coast, and Greg and Dale's reply.

    >I didn't do the research you ordered. "Fill out a form." I am already
    >somewhat familiar with the subject matter to which you refer. Your
    >presumption is (I take it) intentionally offensive. If your intention was
    >not to offend, you failed and I apologize for a curt (if correct)
    >answer. If you seriously want to talk about spoofing, start a new thread.


    See the response to Greg Metcalfe above. Most UDP spam seems to be
    from spoofed addresses or zombies where the owner is clueless, the ISP
    ignoring complaints, or possibly from rentals where the provider is
    protected as long as they are not pissing off the national authorities.

    The TCP stuff is much more difficult to spoof because of the 3-way
    handshake and sequence numbers, and in my experience is a worm (or
    skript kiddies acting like one). The two defenses here are not having
    un-needed ports open, and for those ports that are, having servers up to
    date and configured properly.

    >> Your firewall is blocking this **** - IGNORE IT. You are not the
    >> mighty avenger who is going to clean up the world.

    >
    >With all due and sincere respects and no hard feelings (plus continued
    >appreciation of much good help in the past), this does not show your best
    >qualities.


    That reaction was about your counter attack concept. In case you haven't
    twigged, that line really set me off, primarily because I see this all
    too often and like you, I have better things to do. The advice remains.
    There really isn't that much you can do to counter the attacks and spam
    coming in from the world. You can't have anyone arrested in country $FOO
    where the packets came from, because the "attacker/spammer" isn't
    likely to be there, never mind that the authorities tend to put this form
    of crime rather low on the priority list. I'd love to see it happen, but
    it's long past the time when that is possible. Regarding the messenger
    spam, the problem a normal user has is that no matter what their firewall
    does, it's wasted bandwidth. The spammer isn't running a normal daemon,
    and so sending a RST or ICMP Type 3 (even assuming the address isn't
    spoofed) isn't going to do anything productive - the spammer's message
    has been delivered, whether you saw it or not. At work, we've gone to
    the extent of portshifting our outbound DNS queries out of the range
    1025 to (say) 1050, so there won't be any legitimate inbound traffic
    on those ports - then made arrangements with our upstream to simply
    drop all inbound UDP in that port range. This saves on our bandwidth,
    though we've got to pay the provider for the service. (Like many, we are
    charged on a traffic basis.)

    Old guy

  19. Re: Wish list

    On Thu, 01 Dec 2005 14:50:09 -0600, Moe Trin wrote:

    [...]

    > Old guy


    Thank you yet one more time for a very good message. I really wanted to
    dash off a few other notes this PM, and there will probably be a few more
    things happening here shortly. I think language is obviously important to
    good communications, and wanted to thank the gentleman with the duck
    first. If you're still reading later on (sometime?) I'd be happy to try
    to open up some of these things for your additional perspectives, if you
    are still willing. Your kindness, and knowledge, time and interest are
    sincerely appreciated.

    I'll get back. Thanks again.

  20. Re: Wish list

    On Thu, 01 Dec 2005 08:23:52 -0600, wbarwell wrote:

    >
    > Look up tar pit.
    >


    Thank you for reminding me, because that was on my to-do list. If I
    understand, a tar pit is superior to a simple block list or other firewall
    rejection because it delays the rejection and thereby slows the spamming
    (or virus-spreading) host. Presumably this is most effective for TCP
    connections where the hostile host waits for a handshake, and least
    effective for UDP protocol. I found the following pages (more available)

    http://dougal.gunters.org/blog/2004/...pammer-tar-pit

    http://www.hackbusters.net/

    http://catb.org/~esr/jargon/html/T/Turing-tar-pit.html

    I was reminded of "honey pot" which is a somewhat different concept, and
    found these pages (more available)

    http://www.honeynet.org/

    http://www.projecthoneypot.org/

    http://searchsecurity.techtarget.com...551721,00.html

    I hope to learn some more about each, and how they may be useful. Thank
    you!

    Not to detract, but I also found your sig interesting. My newsreader
    normally excludes sigs from replies, but I pasted this one below. Oddly,
    perhaps, I find this uniquely appropriate at this time. Many have heard
    the "walk like a duck" line and even spoken it without knowing its
    connection. I have always thought this was an excellent book, and today
    think it is even more relevant than when it was written. For readers who
    have not read it, please consider reading it at least once. If I remember
    and say it well, Newspeak was the new language mandated by the government
    (or "Big Brother"). It was designed to foster compliance with government
    wishes by, among other things, forbidding the use of certain words. The
    idea is that without using certain words, certain concepts cannot be
    communicated, and the concepts themselves soon disappear from discussion
    and from common thought. This is a profound insight (I think) into how
    language shapes our thoughts (or lack of them).

    ------------------
    "There is a word in Newspeak," said Syme. "I don't
    know whether you know it: duckspeak, to quack like
    a duck. It is one of those interesting words that
    have two contradictory meanings. Applied to an
    opponent, it is abuse; applied to someone you agree
    with, it is praise."
        -George Orwell "Nineteen Eighty-Four"


    Cheerful Charlie
    ------------------

    Thank you again, Cheerful Charlie, for your message, suggestion and sig.
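
The post above has the tar pit idea right: it only works where the other side has completed a TCP handshake and is now waiting on you, which is why it does nothing for the UDP messenger spam discussed earlier. Packet-level tar pits (LaBrea is the well-known one) work low down, answering the handshake and then advertising a tiny or zero window so the attacker's own TCP stack keeps the connection alive. The block below is the application-layer flavour of the same idea, written as an added example for this thread rather than taken from any of the linked tools: accept the connection, then dribble a banner one byte at a time so the client sits waiting instead of moving on. The SMTP-style greeting, the hostname and the timings are made up; the `demo()` function runs one patient and one impatient client against it on localhost.

```python
"""
Application-layer TCP tar pit.  Added example, not from the thread; banner,
hostname and delays are assumptions.  Holds each accepted connection open
and feeds it the banner a byte at a time.
"""
import socket
import threading
import time

BANNER = b"220 tarpit.example ESMTP\r\n"   # hypothetical greeting


class TarPit:
    def __init__(self, host="127.0.0.1", port=0, delay=0.05, max_hold=30.0):
        self.delay = delay          # seconds between bytes
        self.max_hold = max_hold    # give up on a client after this long
        self.held = []              # how long each client was kept waiting
        self._stop = threading.Event()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.sock.settimeout(0.2)   # so the accept loop can notice stop()
        self.port = self.sock.getsockname()[1]

    def start(self):
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self

    def stop(self):
        self._stop.set()
        self.sock.close()

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._hold, args=(conn,), daemon=True).start()

    def _hold(self, conn):
        """Dribble the banner; the delay between bytes is what costs the client time."""
        start = time.monotonic()
        try:
            for b in BANNER:
                if time.monotonic() - start > self.max_hold:
                    break
                conn.sendall(bytes([b]))
                time.sleep(self.delay)
        except OSError:
            pass    # client gave up; it wasted its time, which was the point
        finally:
            self.held.append(time.monotonic() - start)
            conn.close()


def probe(port, patience):
    """Connect like a client that waits at most `patience` seconds per read.

    Returns (bytes received, total seconds spent)."""
    start = time.monotonic()
    data = b""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.settimeout(patience)
        try:
            while not data.endswith(b"\r\n"):
                chunk = c.recv(64)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass     # gave up waiting, the way a scanner with a short timeout would
    return data, time.monotonic() - start


def demo(delay=0.02):
    """Run a patient and an impatient client against a fresh tar pit."""
    pit = TarPit(delay=delay).start()
    try:
        patient = probe(pit.port, patience=10.0)
        impatient = probe(pit.port, patience=delay / 4)
    finally:
        pit.stop()
    return patient, impatient


if __name__ == "__main__":
    (pdata, pt), (idata, it) = demo()
    print(f"patient client: {len(pdata)} bytes in {pt:.2f}s")
    print(f"impatient client: {len(idata)} bytes in {it:.3f}s, then gave up")
```

The patient client gets the whole banner but pays roughly `len(BANNER) * delay` seconds for it; the impatient one leaves with a fragment, and the server notices only when its next `sendall` fails. Against a real spam or worm source the cost is one held socket and a thread on your side per connection, so cap `max_hold` and the listen backlog before exposing anything like this.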

