[Seattle-SAGE] NSM Presentation slides and notes are up
jamesaffeld at yahoo.com
Fri Oct 14 14:43:10 PDT 2005
PDF and OpenOffice format. Also included notes, which I skipped over, which brings me to a pair of "d'oh!" moments: should have mentioned there are legal implications to network monitoring. Wiretap statutes may apply. I added a slide to the beginning. Proceed only with authorization and with legal advice.

Also - omitted a bit that would have tied together the beginning and end, wrapping all in a neat package. NSM might have helped the SDSC deal with the last stage of the intrusion, which was an NFS attack called nfsshell. It allows someone with one user account to overwrite files belonging to other users. I see a couple of ways NSM data could have helped:

Sancp would have enumerated the connections from compromised hosts, showing NFS as a possible vector.

Full content packet capture would have revealed the attack. It apparently took a couple of weeks to figure out; I think this could have sped the process up. I will email the author and see if he agrees.
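
Added example, not part of the original post: a sketch of the session-data triage the message describes, listing what already-identified compromised hosts connected to and surfacing NFS-related services. The record layout, addresses and host list are constructed assumptions for illustration, not SANCP's actual output format.

```python
from collections import defaultdict

# Services that point at NFS as a vector: portmapper/rpcbind and nfsd.
NFS_PORTS = {111: "rpcbind", 2049: "nfs"}
FIELDS = 8

# Constructed sample records in a simplified layout (assumption):
# start_time|src_ip|src_port|dst_ip|dst_port|ip_proto|bytes_out|bytes_in
SAMPLE_FLOWS = """\
2005-10-01 02:14:07|10.0.5.21|40112|10.0.9.10|111|17|84|56
2005-10-01 02:14:08|10.0.5.21|801|10.0.9.10|2049|17|4120|960
2005-10-01 02:15:30|10.0.5.21|801|10.0.9.10|2049|17|18200|1340
2005-10-01 02:20:11|10.0.5.21|51544|10.0.7.3|22|6|5300|7100
2005-10-01 02:21:45|10.0.5.34|33010|10.0.9.10|2049|6|900|15000
2005-10-01 03:02:19|10.0.5.22|612|10.0.9.11|2049|17|2048|512
"""

def parse_flows(text):
    """Yield (src, dst, dst_port, bytes_out) for each well-formed record."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != FIELDS:
            continue  # skip blank or truncated lines
        try:
            yield parts[1], parts[3], int(parts[4]), int(parts[6])
        except ValueError:
            continue  # skip records with non-numeric port or byte count

def summarize(flows, compromised):
    """Total flows and bytes sent per (src, dst, port) for compromised sources."""
    totals = defaultdict(lambda: [0, 0])
    for src, dst, dport, sent in flows:
        if src in compromised:
            totals[(src, dst, dport)][0] += 1
            totals[(src, dst, dport)][1] += sent
    return totals

def nfs_candidates(totals):
    """Return NFS-related rows, largest outbound volume first."""
    rows = [(src, dst, NFS_PORTS[dport], n, sent)
            for (src, dst, dport), (n, sent) in totals.items()
            if dport in NFS_PORTS]
    return sorted(rows, key=lambda r: r[4], reverse=True)

if __name__ == "__main__":
    known_bad = {"10.0.5.21", "10.0.5.22"}  # constructed host list
    for row in nfs_candidates(summarize(parse_flows(SAMPLE_FLOWS), known_bad)):
        print("%s -> %s %-8s flows=%d bytes_out=%d" % row)
```
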