
List:       sguil-users
Subject:    Re: [Sguil-users] PC compromise testing
From:       Bamm Visscher <bamm.visscher () gmail ! com>
Date:       2010-04-09 16:25:38
Message-ID: m2v27492851004090925xf331f22cl429ee2365f55b851 () mail ! gmail ! com

I expect Snort + Sguil is a bit overkill for this type of
investigation. You could easily run Snort and a simple packet logger
(daemonlogger).

Bamm


On Fri, Apr 9, 2010 at 10:27 AM, Clarence Brown
<clabrown@granitepost.com> wrote:
> I have a WinXP machine that I would like to isolate and monitor the
> network communication. I'm concerned that it may have been compromised,
> but various scans are not coming up clean or with nothing definite.
> There are many applications installed and configured on that machine so
> it's not a trivial task to simply wipe it and reinstall. My "Plan" is to
> use a second PC with 2 NICs running linux and perhaps Snort and Sguil to
> intercept all network traffic and report and block anything suspicious
> to see if it's doing anything unexpected.
>
> Basically its password was somehow reset to a blank, but there are
> several office kittens that periodically find the keyboard fascinating
> ... Since it is still running smoothly with normal responsiveness
> (infected PCs I've seen usually exhibit problems) I'm starting to think
> that it's possible I may have inadvertently reset the password myself
> since every time I get up I use ctrl-alt-del to lock the keyboard, but
> sometimes don't fully lock it by hitting Enter, that it's somehow
> possible that I actually set it to blank when I sat back down and just
> reflexively banged in my password (I know that sounds lame, but it's a
> laptop that has several screens, and the login dialog always shows up on
> the smaller laptop screen that's set off to the side that I don't
> usually fully concentrate on.)



-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
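
Once daemonlogger (or Snort in packet-logging mode) has written a pcap from the
bridged box, the remaining work for the question in this thread is to answer
"who is this host talking to, and does anything look unexpected?". The script
below is an added example for this page, not code from Sguil, Snort or
daemonlogger: it parses a libpcap file with the standard library only,
summarizes every destination the suspect host sends to, marks destinations
outside a baseline you supply, and flags connections that recur at a fixed
interval (a beacon-like pattern worth pulling into Snort/Sguil). The suspect's
address, the baseline set, and the embedded sample capture are all assumptions
constructed here for illustration; point it at a real file from the logger's
output directory (e.g. daemonlogger -i br0 -l /var/log/daemonlogger) instead.

```python
"""Summarize what a suspect host talks to, from a pcap written by a packet
logger such as daemonlogger.  Added example; standard library only.
Assumed for illustration: SUSPECT, BASELINE and the constructed SAMPLE_PCAP."""
import socket
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1
ETH_HDR = 14

SUSPECT = "192.168.1.50"                   # assumed IP of the WinXP box
BASELINE = {"192.168.1.1", "10.0.0.20"}    # assumed: gateway/DNS and a file server


def iter_pcap(data):
    """Yield (timestamp, frame) from a libpcap-format byte string."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:        # little-endian file
        end = "<"
    elif magic == 0xD4C3B2A1:      # big-endian file
        end = ">"
    else:
        raise ValueError("not a microsecond-resolution pcap file")
    if struct.unpack_from(end + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _orig = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + caplen]
        off += caplen


def parse_frame(frame):
    """Return (src, dst, proto, dport) for an IPv4 frame, else None."""
    if len(frame) < ETH_HDR + 20 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    if proto in (6, 17) and len(ip) >= ihl + 4:
        dport = struct.unpack_from("!H", ip, ihl + 2)[0]
        return src, dst, "tcp" if proto == 6 else "udp", dport
    return src, dst, "ip%d" % proto, 0


def looks_periodic(times, tolerance=0.1):
    """True when every gap between packets is within +/-tolerance of the mean gap."""
    if len(times) < 4:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps)


def summarize(data, suspect=SUSPECT, baseline=BASELINE):
    """Map (dst, proto, dport) -> {count, expected, periodic} for what the suspect sends."""
    flows = defaultdict(list)
    for ts, frame in iter_pcap(data):
        pkt = parse_frame(frame)
        if pkt is None or pkt[0] != suspect:
            continue
        flows[pkt[1:]].append(ts)
    return {key: {"count": len(ts), "expected": key[0] in baseline,
                  "periodic": looks_periodic(ts)} for key, ts in flows.items()}


def report(summary):
    """One line per destination; unexpected and periodic ones are the leads to chase."""
    lines = []
    for (dst, proto, port), info in sorted(summary.items(),
                                           key=lambda kv: (kv[1]["expected"], kv[0])):
        tag = ("ok " if info["expected"] else "NEW") + (" periodic" if info["periodic"] else "")
        lines.append(f"{tag:<13}{dst}:{port}/{proto} packets={info['count']}")
    return lines


# --- constructed sample capture, standing in for the logger's output ---
def _frame(src, dst, proto, dport):
    if proto == 6:   # minimal TCP SYN header
        l4 = struct.pack("!HHLLBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:            # minimal UDP header
        l4 = struct.pack("!HHHH", 40000, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + l4
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip


def make_pcap(packets):
    """Build a little-endian pcap from (ts, src, dst, proto, dport) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, src, dst, proto, dport in packets:
        frame = _frame(src, dst, proto, dport)
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)),
                           len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = make_pcap([
    (0.0,   SUSPECT, "192.168.1.1", 17, 53),    # DNS to the gateway: expected
    (1.0,   SUSPECT, "10.0.0.20",   6,  445),   # SMB to the file server: expected
    (5.0,   SUSPECT, "192.168.1.1", 17, 53),
    (10.0,  SUSPECT, "203.0.113.9", 6,  443),   # every 60 s to an unknown host
    (70.0,  SUSPECT, "203.0.113.9", 6,  443),
    (130.0, SUSPECT, "203.0.113.9", 6,  443),
    (190.0, SUSPECT, "203.0.113.9", 6,  443),
    (12.0,  "192.168.1.60", "203.0.113.9", 6, 443),  # another host: ignored
])

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_PCAP))))
```

Run it against a real capture with
summarize(open(path, "rb").read(), suspect="<the XP box's IP>", baseline={...}).
The periodic check is deliberately crude (four or more packets, gaps within
10% of each other), so it is a triage hint rather than a verdict; a "NEW
periodic" destination is exactly the traffic to hand to Snort rules or a
Sguil session review, while "ok" lines confirm the baseline you expected.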

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Sguil-users mailing list
Sguil-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sguil-users