[Seattle-SAGE] NSM Presentation slides and notes are up

James Affeld jamesaffeld at yahoo.com
Fri Oct 14 14:43:10 PDT 2005


pdf and openoffice format.  Also included notes, which
I skipped over, which brings me to a pair of "d'oh!"
moments:  should have mentioned there are legal
implications to network monitoring.  Wiretap statutes
may apply.  I added a slide to the beginning.  Proceed
only with authorization and with legal advice.

Also - omitted a bit that would have tied together the
beginning and end, wrapping all in a neat package.

NSM might have helped the SDSC deal with the last
stage of the intrusion, which was a nfs attack called
nfsshell.  It allows someone with one user account to
overwrite files belonging to other users.  I see a
couple of ways NSM data could have helped:

Sancp would have enumerated the connections from
compromised hosts, showing NFS as a possible vector. 
Full content packet capture would have revealed the
attack.  It apparently took a couple of weeks to
figure out; I think this could have sped the process
up.  I will email the author and see if he agrees.

Yahoo! Mail - PC Magazine Editors' Choice 2005 

More information about the Members mailing list