So, uh, ready? Yeah. Recording. Okay. It's gonna be, uh, this is gonna be a tag team. Hurry up. I need a new test. So, everyone has heard about intrusion detection, and everyone has been playing with it for a long time. We're not here to talk about intrusion detection in general, but, like, give the overall basics, but other than that, it's gonna be more about misconceptions and how we can look into it, uh, in an overall, in an enterprise, and how people have been looking into it. Yeah, people have been saying that, oh, IDS is there, it's gonna protect us, but, you know, not really. We're not here to discuss about ODAs or something that's considered really cool or anything like that. Some people might consider this cool, it depends. Uh, I'll let, I'll start with the next slide because, uh, he starts with a presentation, and then we go about with other kinds of shit. Okay, what we're gonna talk about here is, you can see the contents, but basically, uh, we did a little survey. Uh, I asked a lot of people, we tweeted about it, asked some friends and stuff to fill it out based on their companies and stuff to kind of get an idea of how many people are using IDSs, how many people are using IPSs, and a little bit about how they're using them. So, how many of you here in your corporations today have an IDS in place? How many of you have an IPS in place? How many of you have the IPSs turned on to automatically block? Yeah, I thought so. So, what we did is our survey results went out, and there was about a third, a total of about 33 people that did it, and the first question we asked was, do you know the difference between an IPS and an IDS? And the vast majority of people said, yeah, we do. I think we had, uh, only two people out of the 33 say, no, don't know the difference. We also asked people, would you buy an IPS before you would buy an IDS? 
And the results there really shocked me because more people said they would buy an IDS rather than an IPS, and everybody knows, Gartner said in 2003, IDS is dead. And the reason Gartner said that was not that the technology was dead, it's just that it was being supplanted by IPS, and we'll talk a little bit more about that later. Then we asked them, says, has your company deployed it? I was really amazed at how few hands went up when we asked it here, because most, about half the people said, yeah, we've got them in place. So, we sat there and said, have you enabled the automatic blocking? And most of them had not. That's not surprising, because what happens if you enable the automatic blocking on an IPS, you do what? You prevent the users from doing their jobs. How many companies really want to do that? Whether or not you're going to block the user from infecting that system and lots of other systems, they still don't want to turn that on. And then, is your IPS management outsourced? No, most, the vast majority of the respondents said, no, it's not outsourced, that we do manage them internally. And then we asked people, what was their role? We had no CEOs or CXOs or anything. The majority of the people that responded, as you can see, are analysts or engineers. We had 43% engineers, 30% analysts, some mid-management, a couple managers, no help desk, no C-level people. Then we kind of talked about, is there a threat detection and mitigation process in place in your company? Does your company use these tools to do this? And again, the vast majority said, yep, that's what our company uses them for. Then we got into, do you look at blended threats? Because one of the things we're seeing nowadays is more and more of the threats are not single threaded. They're blended threats. You get an email, the email's got a link, click on the link, you go to a malicious site. That's an example of a blended threat. 
And IDS, IPS, most of the time is not going to catch that URL coming through the email system across your wire unless you train it to do that. And you're not going to do that until somebody detects it. And one of the things we're going to talk about a little bit later is show you some ways that you can go and some websites that you can use to kind of help you get that. And then, do you look at blended threats or emergent threats? Do you have some kind of process where either you subscribe to someone that provides that as a service or do you have an internal team to do it? And the majority of the people said, nope. We only look at what we, I'm sorry, the majority said, yeah, we do. And then about 30% said, now we only look at what's inside our network. So, last boring slide. Would you prefer a feed? Would you, if somebody offered a service or a feed that you subscribe to to get this information, would you use it? And the vast majority said, yes, they would. And then we asked the people responding, have you personally done this? Are you doing this? Is this the job that you do or have done? And quite a few of them said, yes. So, I'm going to go real fast through what an IDS, IPS is, a little bit about the differences, the different architectures that are in place. And I'm going to go through this fairly fast because I've got the sense that most of the people in here know what this is and I don't want to bore you with bullshit you know. But I kind of like this cartoon. All the technology in the world is not going to protect you from what? A dumb user. And Chris, I agree 100 percent, man. We've got to educate them. So, an IDS and IPS, intrusion detection, intrusion prevention systems. Primary function, both of them identify malicious traffic. Both of them do log malicious traffic. So, the traffic's coming in, it's looking at it, it's inspecting it for various things, and it's logging that. 
Now, an IPS will attempt to block it if you tell it to, but you have to enable it like I talked about earlier. The primary difference is an IDS sits in your network architecture in parallel with the traffic. It's on a SPAN port. It's getting to see everything, but it's not in line like an IPS is so that it can block it. So, essentially there's four classifications of IDSs, and I'm going to show you a little simple network diagram, you know. Because I like things simple, because I'm a simple person, to give you an idea. But they are network-based, better known as NIDS, perimeter, or your PIDS, a VMware, which is fairly new. There's a couple companies that come out specifically with VM types. And then there's the host-based IDS, or HIDS. And within those four classifications, there's actually two different types, passive and reactive. And then there's the catch-all, which is a HID, which kind of combines both IPS and IDS technology. So, what does a perimeter or a network look like? If you take the diagram here, and you eliminate that NIDS sitting in the very top, which is on your perimeter, you've basically got what most companies have today. You've got your IDS sitting inside on your network, looking at the traffic just going across your network, and both your DMZ and your internal network. Perimeter would be having that one on the outside of the firewall only, only looking at the perimeter. One of the best things you can do is marry the two so that you can see what's trying to get through. And if you see an IP address sending a lot of malicious stuff that's getting caught and getting blocked, what you should also do is look at the internal one and see if anything from that address is getting through. So, virtual. I stole this diagram right off of Sourcefire because they've got this technology. They're selling it. 
I can't tell you if it's good, I can't tell you if it's bad, but it's one of the few that I've seen in my research that actually goes in and is designed to work with virtual systems. And I can tell you that if you look around, most corporations are virtualizing their infrastructure, virtualizing their applications, but they haven't quite bought into this yet. And I think it's a weakness in most architectures. Host-based, simply endpoint. Every single endpoint has an IDS sitting on it. Now, we talked about intrusion. There's four classes of them, lo and behold. Pretty much the same with the exception of they do, they've got one called network-based, behavioral-based analysis. And I'll talk a little bit about that when I get to it. And the three detection methods they use, both of them use signatures, both of them do kind of a statistical anomaly base, and then you've got what they call a state protocol. Is it HTTP? Does it conform to the RFC? If it doesn't, trash it. So network, same thing as before, except instead of being in parallel or off a SPAN port, it's actually in line. An IPS is usually in line and almost always in line. You've also got wireless IPS. You'll see here that you've got three wireless access points and then you've got what's called an IPS. This is so that that IPS is looking at what kind of traffic and who that traffic's coming from on those other three nodes, your actual access points, and that's what it's looking for. It's detecting things and anomalies there and it will try to, if you tell it to, to block it. Network behavioral analysis is, a lot of times the term heuristics are used, but what it does is you train it, you put it on the network and you run it there and it looks at your network for a while and it develops a pattern of what is usual behavior for a system on your network. You've got a workstation sitting there and that workstation talks to servers. It goes out, it's client server, does that. 
All of a sudden, that workstation starts talking to a whole bunch of other workstations. A properly trained IPS is going to flag that and say, you've got a problem here, go take a look. And then obviously the host-based IPS, a lot of host-based are also trained. You look at what the user's doing. What's the day-to-day activity? What applications does this user use? All of a sudden, a new application shows up or a new behavior shows up on that endpoint. It will flag it and tell you about it. I took this from a very good white paper on SANS. I don't know how many of you have access to the SANS research work, but a lot of the guys going for their gold certifications write research papers. And this is probably one of the best and most distinct descriptions I've seen of how to tell the difference between what's a false positive, a false or true positive and stuff. And it's really, really simple. If it's true and it's positive, that means you've found what you're looking for and it is a valid thing that should be blocked. If it's true and it's negative, well, the action looks good, but it really wasn't malicious. And then you get into the false positive. Well, it looks like it was there, it's not malicious. And then a false negative is the event was not detected and no alert was given. So for architectures, anyhow, for an effective intrusion of the system, you've got to use multiple types of systems and components. The architectures come up and what they usually fall into is multiple ways. One is a single threaded architecture, that means you've got a single IPS sitting out there on the network looking for everything or a single IDS. You've got multi-tiered. That involves multiple systems all reporting back through a single system. You've got some which use agents, so you put an agent on the system, it reports back in. And then you've got what's called a peer-to-peer architecture where multiple sensors are reporting and talking to each other. 
Hey, I've seen this traffic. Have you seen this traffic? Yeah, I've seen that. Let's all block it. I talked a little bit about a hybrid architecture. Here again, I went to Sourcefire. Here's an example of where you've got an IDS and an IPS both combined within a network architecture. So what's some of the things out there? Well, I like Gartner. I worked for a DOD contractor and the government's big on Gartner, so we looked and saw what Gartner said, and it came up and said, in networking, the magic quadrant, everybody talks about Gartner's magic quadrant. It's kind of a salesy thing, but it shows you where the various ones, who's the leader, who's not. If you're in the business of consulting with clients and stuff, this is a good source to go to because you can use this to say, well, Gartner said. Seriously? Yeah, especially with the government. The government loves Gartner. You tell them that Gartner says this is a leader in this quadrant, and they'll go in for it. Yeah, but I think this market is a good place. Guys. Best opinion going to buy. That's what I'm saying. That's it. I'm not here to argue the positive. I'm just telling you from my personal experience that if I can show my customer that it's in that upper right-hand quadrant, that's a plus, and it helps me sell that product, and I get it. Then there's a thing called a hype cycle. All of you are familiar with a hype cycle. That shows you where a certain technology is in various places, according, again, to our friends at Gartner. If you look at this, and you look up in here, this is what's called the plateau of productivity. That means things that are in place today, and these are the things that should be being used in technology. HIDS and HIPS sitting on servers are there. Network IPS is in what they call the slope of enlightenment. That's where it's gaining momentum. More and more people are starting to look at it. More and more people are starting to do it. 
WANIT, WLAN, the wireless ones I talked about are down here. You see some of the things coming up. XML firewalls, next-generation firewalls, web application firewalls. Anybody know the difference between those three other than one's focused on web exclusively? Because it all sounds pretty much the same to me. The next generation, I think, tries to combine some of the other functions to talk about, like, I guess, more access. Okay, so how is that different from, say, like an XML firewall? It's only XML? It's only XML. Okay. And so web is only what, HTTP, HTTPS? The next generation, if we get an HTTP access, it also detects and reports. Okay, cool. Thank you. So some of the things I talked about aren't on here. Why aren't they here? Well, that's because they moved off of the Hype Cycle. Some technologies are, as Gartner said, dead. So what are they? Application and profile. Well, they moved that into another technology. It's no longer part of this. HIPS on PCs, host-based intrusion protection system on PCs, is off of the Hype Cycle. Why? Everybody's doing it. Most of the people in here, especially in the federal government, are running something called HBSS, so they've got HIPS on that endpoint, and everybody's doing it, so it's off the Hype Cycle. And network IDS? Network IDS has been taken off of it because it's not being done. People simply are not doing IDSs anymore, despite what our survey results said. So what's the business case to make for some of this stuff? Now, PwC says 83% of the smaller organizations still haven't done this. Small organizations haven't gotten on the bandwagon. It's kind of expensive. You start going out and buying this stuff for every endpoint. Ninety percent of the organizations have increased their expenditure on IT security technologies. Why? What's getting all the press these days, other than TSA? 
If you take a search engine, you eliminate TSA from it, what you're going to find, advanced persistent threats, security threats, identity theft, and all that stuff. Yeah. Good point. So it's the Internet. Chris talked about it. It's growing phenomenally. So you need these types of protections, and a lot of people are starting to do it more at home. And that's kind of what we're leading up to is where does some of this stuff start? And with that, I'm going to turn it over to Schrum. Finally. Hey. Now that you know that Gartner is the one who's pointing the finger, and there are many other people out there who have this big time... This block is great. Come this way. Now that we know that it's like what Chris was also talking about, it's not just us behind money, or it's not just some people behind money. It's that everyone is behind money. And enterprises, of course, they stand behind money for sure. So not everyone, but there are some big timers who make really good directions out of what brings them money. So it's not a question of what the next technology is. It's the question of common sense. So you have a guy standing right outside, like as a security guard, you drop a $10 bill near him. He's going to bend down and take it. Is that an advanced persistent threat or is that common sense? I mean, that's how you go about it. There are many misconceptions, or misconceptions, however you pronounce it. And I'm from India, so I'm learning. That's my excuse, too. And there are many misconceptions that are there in intrusion analysis as such, that, ooh, intrusion is big time, or, hey, I got a box, so we are protected. Not really. No. If you buy a box, which is worth $20,000, it's just a box that's going to be sitting on your side if you don't train it to do what it has to do. So there are some of the topics that have been discussed here that we got to know about from a few people. 
Like, they thought that it was the case, but we wanted to say that it's not really the case. Placement of IDS at different points. For example, like, there is always an argument, oh, let's place it here, oh, let's place it there. That gives us more visibility. Yes, that's true. It only increases the visibility or changes the visibility according to where you place it. It's not exactly going to improve your security. Improvement or making your security better all depends on how you do it or how the people who are doing it are doing it. Or how trained are your people working in your enterprise and things like that. Placement of IDS at more than one location, again, improves visibility. And then placement of IDS behind the firewall protects the network. Well, it minimizes the traffic and reduces the unwanted traffic, but does it really protect your network? Not really. It all depends. I'm not going to say not really on that. It all depends on what kind of attack you're looking at. IDS, IPS, is detecting and preventing attacks based on configuration and settings. Yeah, it's not really magic. It's something where people have tried it, people have done mistakes, people have documented it. Cons like GojoCon have always talked about it. And, you know, it's been going on for years. So it's all on the learning curve of the person who's doing it as well as the box that they're trying to put it on their network. IDS, IPS detection, and prevention can be completely beneficial if they understand exactly what we're trying to say here is more like train the box, make it intelligent. Don't just throw the box in your network and say that, oh, we have an IDS or we have an IPS at school. One quick thing on that note there. One of the former companies I worked for spent a couple million dollars on a product that was one of these behavioral analysis or network and behavior analysis products. 
Put it in our network and in the five years that it was in place there, not once did it detect and report or not once did we launch an investigation and find a malicious activity or what inside the network based upon what we got out of that device. So, you know, it just depends on you got to train it properly, you got to have it in the right place, and you got to help it know what to look for. So, I mean, you know all of this. It's not like something that's completely new, but it's all about common sense. That's what we are trying to say here. And threat data, it's awesome if it's shared. We have always been sharing it. We have all shared more. I'm talking in the perspective of like there are many collaborations out there that share threat data. I'm not talking about government agencies that share threat data. I'm talking about other groups also that share threat data. So, now this is putting the pieces together. So, how can you analyze from home? People might always think that analysis is cool. It requires tools. Not really. I mean, it depends on your scope. So, basically, if you want to analyze a piece of malware, just go across the Internet. Like just hit a random movie site, free movies. Google for some free stuff. You get like the top ten black SEO sites that are listing all kinds of malwares. So, you have them. And then like over there, I gave an analogy just to make it simple. Just like how food can taste like crap if all the ingredients aren't added at the right proportions. Threat analysis would lead you to crap if we did not put the right pieces together to take the right direction. But again, who decides what is the right piece and what's the wrong piece? It all depends on what you get. Which piece you get, which piece you're not getting. So, this is one of the sites, evilfingers.com. And it's been going on for four years. We have over 4,000 volunteers and approximately 25 project managers who run the show. 
And we have been having the largest malicious PCAP repository for a long time. But we didn't publicize because it was just useful for some people. This is one of the sites where anyone could go and analyze. Or like if you want to check out a malicious site, if a malicious site is up or not, like say google.com. I'm kidding. And hey, Google is up. Yeah, but it's much shorter to type. And the reason why I put it out there is because we are coming up with a suite of tools that is close to 35 websites. And it's something that's coming in the future. Now I've got 10 of them in this list. I just did this in the last two weeks because I couldn't wrap it up before that. My question is, what kind of request are you sending to the malicious website? Do you actually intentionally go into the malicious website and do any GET requests? Well, from the server, I do a HEAD request and I can show you the request in the next page. It's coming on one of the sites. You can see that header request response where you can actually see what header is going to the server or to the site that you're trying to hit. So is it wise, like forensic wise to do that? Because I mean, what if this person doesn't want, basically you can tip your name and say, hey, I'll save those for traffic. And the attacker will just switch the lane, right? That's the thing. That's exactly why we have other places to go to, like draw the traffic from. So it's not going from this site alone. The plan is to have other sites across the world where you can send your request from. So it's not going from a single user basically or single EvilFingers.com or dovc8.com if you're planning to use it for malware analysis. It's not coming from your site. I'm saying the server, the malicious server is probably expecting certain kinds of traffic. So you're going to send it something that... Oh, no. Each time it sends out different kinds of user agents, different kinds of packets. That's what I was about to show. Sorry. 
No, that's fine. Unmask base64. Everyone knows what base64 is and you can use it for encoding and decoding base64-encoded traffic. And let's go to the next one to answer his question. Unmask code. This one again shows you like server status message or status message. It's like if you want to know if the server is up or not. In the other case, you wanted to know like, yeah, if the domain is up or not, but at the same time, you're checking for the domain specifically. Over here, it goes to the level where it checks the server. And then we find out if the server is up or not based on the response. Unmask content. And here you can pull the entire content of a website that you would like to see. And you just... So you can just crawl through the entire content. The only difference is you don't have to do it from your system. You don't have to do wget from your system. That's the only difference. Unmask header. This is what I was talking about. So over here, you can see like what type of header is being sent as a request and what you receive as a response. You're blocking the screen. I'm sorry. And I keep doing it with Google because I love that. And yes, I still use Gmail, and it's awesome. So you sent out that request, right? So basically, one thing that I was talking about like doing it from multiple sites is because if you do it from a specific site that says somethingsecurity.com, or if you send out thousands of requests from the same website, any smart bad guy is going to know that. Like, oh, this guy is trying to hit me. And unless, of course, you're sending POST requests like what he's expecting. So over here, you just saw that the header changed. User agent changed and the referrer changed. I just randomized that. Wait. Just came up the same. That's supposed to be random, though. I need to fix that. And the 301 Moved Permanently. We hit google.com. It says that it's moved to http www.google.com. So that's the response you get. 
You said you can change the user agents and button source? Yes. You can actually change the user agents. You can change the referrers. You can change the, like, if you have Polar in such a way that you have multiple domains across the world, and you just have a list of domains that you own, you can send a request from the different domains that you own, and it has to be coded outside public HTML so that someone is not going to crawl through your site and find out the list of stuff that you have. Do you have API version? Not yet. I just released this for those who can't. This was just made this morning at 4 a.m. So, I mean, honestly, it's not a... I'm not saying that it's the most stable version because I've been working on this for the past week, to be honest, on the timing. I would say two weeks just to show that I worked. But it took me a week to put 10 sites together. We already have enough resources, which I'll be demoing soon. In Evil Fingers, we had around 60,000-plus pages in Evil Fingers in 2009, including over 1,200 pcaps of only malicious stuff. Nothing good. So this one helps you crawl through iframes. Let me skip this. You can check it out. It's the same name, unmaskiframe.com. It's the same exact name. So it's just added.com to it. And this is unmask links. I can show this. You can actually crawl through the various links out there, like, in any given page. And this is useful for our pen testers or malware analysts who would like to know... Please don't blame me for typing google.com. Is this like an anonymizer also? I'm not sure about your question. Like anonymizer or something like... So this part can go through you somewhere else. No. I can do a retry. You can do passive reconnaissance through me, but I wouldn't let you connect to someone else through me. You can't proxy, but the queries do actually come from the server there, not you. You're talking to the server. The server's making the request and displaying the response back to you. 
So from the standpoint of the site that you're going to, they do not see you. It's kind of like doing a Google query. Google sends the information and gives it back to you, but they see Google. The only difference is I don't look at who's querying or what you're querying. I don't store it. I don't have time for that. I honestly don't. And I don't like looking into your shit, so... Like most other people. I do like what you're typing there, so we're soon going to have what you're querying there, which, again, I'll put it out as a request to other people saying, would you like to see what others query? If you don't, I mean, if you do, then remember that your query will also be placed over there. If you don't, then it's awesome. I can just leave it anonymous. But that's the thing. So one thing about EvilFingers is that none of the volunteers who do not want to know or show their names outside, they don't get to... Like, they disappear. But I hope I'm not speaking like a movie or something. Like, oh, they disappear. The same way you get all the scripts in a given page, and this is really useful. The iframe was also useful because most of the recent attacks that came through came through hidden iframes or JavaScript attacks that had hidden iframes. Same way scripts in a given page can be listed over there. You can check it out from that site. Unicode decoder, just like it says it decodes the Unicode. Those are all Ronnie's favorite letters, 0x4141. So unmask URL. This is like for TinyURL or something where you have multilevel redirection. Like, say you go to a malicious site and the malicious site redirects you to some other site. Or you go to a newspaper site or something that you read on a daily basis. It has a malicious link on it. Again, that redirects you. It's not like a malicious link that is embedded over there that takes you only after you click on it or anything. Or that directly redirects you from your site. You'll get to know from this site. 
One more thing that I'm currently having issues with this one right now is that it works on... I can give you a demo of all these sites from EvilFingers right now. And this one has issues with HTTPS. I'm still trying to fix it. I did the same code in the other site. I did the same code in this site. But after adding all the GUI and all the stuff that makes it prettier for other sites, it kind of screwed up my code. So for people who do not want the GUI, I'm going to give a separate version. You just click on remove my shit and it'll just take you to a non-GUI text-based version where you can just script it out and an API will be provided soon. That's what we're going to learn. We'll provide you a script where you can crawl through my site using your site or using your laptop. I don't care whoever uses the site. I honestly don't. And fortunately my hosting providers are cool with that. Give a back-end database, right? Not right now. For this one specifically, I'm still waiting for user approval as to whether they want me to save it. If they don't want me to save it, because this is community-side basically, and we go by what the community wants. If most people say don't save it, we don't want to see it, they don't get to see it. But if there are other people whom I sent it to, too, if they would like to see the links, it won't send who crawled for it or who saw that because I'm definitely not going to log that information. I consider that to be completely unethical. And let me give a demo on EvilFingers too, just to give that a scope. If you still have time. I have a question for you. Why don't you create all these different, and I'm going to get this a lot myself, why don't you create all these different domain names, why don't you just do one domain or one service and do it like radio buttons and other so you can request multiple things. 
You type the name google.com for all these different things, why don't you say google.com once and give me all these results from google.com. That seems to be more precise. That's totally true. I wanted the SEO too. I wanted the SEO so that I can use this for something else. Okay. Well, I guess you should have one that does that. Super-honest. Another domain name. BurningWall.org. I'll match everything. So that's some bad design over there because that was me. And I created it in 2006, and that's something I just put together because I don't like designing. And that graph has been there since 2006 too. It doesn't make any sense. I just made it look like that because people want to see images, so they can come in and check out how many images they want. Data Breach 1, attrition. After they started doing, by the way, I don't keep this site up to date anymore. I still keep it up to date on certain things, which are not publicly viewable, but I don't keep every single page up to date. So after they brought in the DataLossDB, which looks awesomely cool, I stopped doing the data breach search stuff. You can search for Ports database that's up to date, or you just search for whatever port number. Some people might want to know what exactly is 23, not just Telnet, but what other kinds of Trojans are possible. But I don't want to quote any site name. I'm not going to say that 23 is used only for Trojan. There are some sites that actually scare people that say, oh, this port is bad. No, I mean, it doesn't depend on the port. Nothing depends on the ports. It depends on the guy who's making use of it. But PCAPS DB, for example, has my hosting provider thought that I was one of the guys who was hosting Aurora, because on the second or third day, we got the PCAPS ready and clean, and they took my site down for about a day, saying that you're hosting Aurora, Project Aurora. I go, who gave you the conclusion? Our antivirus said that you're hosting Project Aurora. 
I was amazed because it couldn't have said Aurora, because the antivirus at that time didn't have the signature for that. But it triggered on something else, and he found out online, and it was kind of interesting. There are new PCAPS, because I didn't know how to name them. There's PCAP Challenge, where I had a challenge for people, but apparently since we got very little response, we just stopped doing challenges. PCAP Samples is there. You can go on any of these, and you can go browse them online, too. You can check it out by just view online, and you can see the entire PCAP over there, including the posts and stuff, how exactly it's going through. There are projects. Projects just mean that you can use it online, and this explains what you said. And decoders, those are all the decoders that I put individually. And once again, I just did that for SEO. We can take it offline. I mean, the discussion, not the site. DNS RBL, it pings over 80 different RBLs. It's kind of slow; even if I did multi-threading and multi-core, it's still kind of slow. I talked to my hosting provider, and I don't know why. By the way, this is on a shared hosting service. This is not any dedicated server where I'm trying to harden my server. This is on a shared hosting service. I tried to harden my account from any other shared hosting guy on the same server trying to attack me from inside, and I tried to harden it from outside. I'm not saying that it's completely secure. I'm challenging anyone for that. IP stuff, that's your IP, and I don't have a database behind and a lot of stuff. I mean, ICMP stuff, you can actually check out what the various ICMP messages are. Of course, it's all over the Internet. You can get the RFC description, as well as, in some cases, I've also tried putting in how the packet looks, what each section of the packet is, and things like that. This is kind of old. Once again, it's a 2006 release, 2008 release. There are various tools in here that you can use, too.
I'm not going to go into each of these tools. Anyway, this is what we do. Basically, we collaborate around the globe, and we have people from everywhere who are willing to share stuff or who are willing to do things to help the community. By community, I mean the hackers' community. We try to not advertise or anything like that. We have sponsored over 10 conferences so far. We need to talk about that. DeepSec, XCon, anything that might be listed over here. I don't want to advertise my sponsors, but by the way, you can do analysis from home, you can do analysis from everywhere. Threat analysis is something that's cool, that's something where you need to... You can't just blame the user for not doing something. It means that you're not training them well, like what Chris was saying. Basically, why aren't you training them well? It could be because we are limited by time or by various other things. In this talk, we just wanted to say that intrusion is something that you have to look at, and analysis is something you have to do on a daily basis.

We have a conclusion slide. IDS and IPS are simply one of the many tools that you can use to secure your networks. The use of an IDS or IPS is dependent upon what your goal is and what it is you're really trying to achieve. As we said, there are some misconceptions that are unavoidable in big enterprises and stuff. Everybody thinks they know what it is. But by getting the word out, by educating both at the management level, at the user level, and at the engineer level, we do believe that there is a place for these and that they can be used in your networks and to help you secure your networks. The reason for discussing threat or in-depth analysis over here is to just say that we can all do it. We can do it together. We can share data. We can help the community. It can be made simple, and it should be given enough importance because the box alone cannot do the job, and we are part of the box. We train it, and it does our job.
The overall survey and presentation was to discuss how easy intrusion analysis could be if we just put in more effort on analysis, threat analysis, and give importance to intrusion analysis, basically. And this probably applies to me more than most of the people in here, but one of the reasons for doing this and one of the reasons for getting security right today, in my mind, is not necessarily for me, but for my next generation, the future generation that comes. We need to make things a better place for the people that come in behind us. So, I put a couple of references in here, things that I found useful in doing the research for this paper, for this presentation and stuff, and also a good resource, and this just came out the day before yesterday. The latest online version of Hakin9 has a couple of very good articles about Snort in there, and I think if you're interested in that kind of thing, go read it, because everybody knows Snort's the basis for Sourcefire.

Questions? Good. I'm really liking the fact that people are talking more about analysis, and humans actually doing a lot of the stuff. I was talking yesterday about this whole issue where everybody wants to have some kind of tool, but at the end of the day, it's all going to have to be smart people that make the decisions. Yeah, you can automate some things. Some things can be automated, but you first have to be able to master it by some person, or one other man has to master it first, and then we can automate it. All right, so, our man, Bob, is going to be coming up next. Bob, ready? Right now? Yeah, get it. You got to come up. All right, another space camera reference. All right, next up, Paul is going to, actually, after Paul, after Paul is going to be, Rob Lough is going to do a talk on distributed denial of service. I don't know if you all follow Rob Lough, Mike Smith on Twitter. He's an absolutely smart guy, although he was in the Army. He was serving.