Internet Storm Center

linuxstarved

EH-Net Columnist

Posts: 49

Joined: Sat Sep 23, 2006 9:55 am

Post Thu Mar 29, 2007 8:47 pm

Internet Storm Center

For anyone not familiar, Internet Storm Center (ISC) is a great way to keep track of the current condition of the internet.  Each day a different administrator is assigned to keep diary entries.  These entries vary from current attack vectors, to discussions of critical patches for various OS' and applications.  The ISC also contains a list of the top 10 ports being attacked and a world map depicting attack trends. 

The ISC is a resource that helps to paint a picture of what is going on in the cloud; the problem is that most of us have 20 tasks to complete, and even the two minutes needed to browse the site is too much to spare.  Luckily (and if you are running Windows), Tom Liston of Intelguardians wrote an application that sits in the system tray: http://handlers.sans.org/tliston/ISCAlert.zip.

Simply download the .zip file, and double click the .exe.  If you have an environment which restricts executables, simply copy the .exe into C:\Documents and Settings\uuser\Start Menu\Programs\Startup.  In the system tray you will see a small icon of the world, which hopefully will be green, this indicates that everything is normal.  As the threat level increases, the color of the icon changes; for a complete breakdown of each threat level and the color which represents the threat see http://isc.sans.org/infocon.html

Cutaway

Jr. Member

Posts: 96

Joined: Mon Nov 20, 2006 5:02 pm

Post Thu Mar 29, 2007 11:35 pm

Re: Internet Storm Center

For those of you using Yahoo Widgets there are several that monitor ISC.  I prefer the one I developed  ;D which you can find at http://widgets.yahoo.com/gallery/view.php?widget=40554

Although the default skin is rather large the circle skin can be minimized very small. 

Enjoy,
Cutaway
Go forth and do good things,
Cutaway

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Fri Mar 30, 2007 8:06 am

Re: Internet Storm Center

oOoOo, Neato :-D

Will try 'em both out.

jimbob

Post Mon Apr 02, 2007 2:00 am

Re: Internet Storm Center

For info, ISC Internet Threat Level was raised to yellow following the issues surrounding the Windows ANI bug. ISC is a good place to get headlines and links to current topics and worth a visit.

Jimbob

linuxstarved

EH-Net Columnist

Posts: 49

Joined: Sat Sep 23, 2006 9:55 am

Post Tue Apr 03, 2007 7:50 pm

Re: Internet Storm Center

I noticed that and to be honest was a little surprised that they waited a full day.  When the vuln. was first announced the level was left at green but the next morning it was yellow.  Does anyone know if the threat level is up to the discretion of the incident handler of the day, or if a governing body at SANS makes that decision?

Negrita

Sr. Member

Posts: 299

Joined: Sat Sep 10, 2005 5:45 pm

Location: /dev/null

Post Wed Apr 04, 2007 4:29 pm

Re: Internet Storm Center

RichM, you'll find your answer here:

ANI exploit code drives INFOCon to Yellow.
Published: 2007-03-31, Last Updated: 2007-03-31 14:31:15 UTC
by Kevin Liston (Version: 1)

The ANI vulnerability has been of recent concern.  I've been waiting for a few key events to be confirmed before adjusting the INFOCon.  We don't take these decisions lightly.

Rating systems such as Symantec's ThreatCon (currently at 2 of 4), FS/ISAC's Cyber Threat Advisory (currently at Guarded), and our INFOCon (now at Yellow) all have their particular niche.  Symantec focuses on their AV and managed-security-service customers.  FS/ISAC focuses on financial institutions.  The Internet Storm Center's INFOCon intent is "to reflect changes in malicious traffic and the possibility of disrupted connectivity."

In the initial stages of this event, we did not satisfy the criteria to raise the INFOCon level.  Now, we have a different landscape.

    * Exploit code has been publicly released which allows trivial modification to add any arbitrary payload.
    * The number of malicious sites reported is rising rapidly, limiting the efficacy of blacklisting.
    * The number of compromised sites pointing to malicious sites is also on the rise.

Recommendations:

    * Keep anti-virus up-to-date.  So far this is the most effective layer, particularly generic signatures that detect non-compliant ANI files.  Also, the secondary payloads downloaded by these exploits are often detectable (not always though.)
    * Content-filtering.  If your environment supports it, dropping ANI files (not based on file extension, but actual file-inspection) may be prudent until patches are deployed.  This will impact your myspace.com browsing experience though.

We intend to maintain INFOCon Yellow status and reassess every 24 hours. (~1400 UTC)


BTW, we're back to GREEN for now.  :D
CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.
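
The file-inspection filtering recommended in the quoted ISC diary, as an added example that is not part of the thread or of any ISC tool: it classifies content by its RIFF/ACON signature rather than its file name, and flags an `anih` header chunk that is not the standard 36 bytes. The function names, verdict strings and sample files are constructed for illustration.

```python
import struct

ANIH_SIZE = 36  # ANIHEADER is nine 32-bit fields

def chunk(tag: bytes, body: bytes) -> bytes:
    """Build one RIFF chunk: tag, little-endian length, body, pad to even length."""
    return tag + struct.pack("<I", len(body)) + body + b"\x00" * (len(body) & 1)

def riff_acon(*chunks: bytes) -> bytes:
    """Wrap chunks in a RIFF container with form type ACON (animated cursor)."""
    payload = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(payload)) + payload

def is_ani(data: bytes) -> bool:
    """Identify an animated cursor from its content, not its name."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"

def ani_findings(data: bytes) -> list:
    """Walk the chunk list and report structure a compliant ANI file would not have."""
    findings, anih_count, pos = [], 0, 12
    while pos + 8 <= len(data):
        tag, size = struct.unpack_from("<4sI", data, pos)
        body = pos + 8
        if body + size > len(data):
            findings.append(f"{tag!r} chunk at offset {pos} runs past end of data")
            break
        if tag == b"anih":
            anih_count += 1
            if size != ANIH_SIZE:
                findings.append(f"anih at offset {pos} is {size} bytes, expected {ANIH_SIZE}")
        # LIST chunks nest sub-chunks after a 4-byte list type; others are skipped whole.
        pos = body + 4 if tag == b"LIST" else body + size + (size & 1)
    if anih_count != 1:  # heuristic: a well-formed file carries exactly one header
        findings.append(f"{anih_count} anih chunks, expected 1")
    return findings

def filter_decision(filename: str, data: bytes) -> str:
    """The filename is deliberately ignored: only the bytes decide."""
    if not is_ani(data):
        return "allow"
    return "drop-malformed" if ani_findings(data) else "drop"

# Constructed samples: a compliant header, and an oversized one hidden behind a .jpg name.
GOOD_HEADER = struct.pack("<9I", 36, 1, 1, 32, 32, 8, 1, 10, 1)
SAMPLES = {
    "cursor.ani": riff_acon(chunk(b"anih", GOOD_HEADER)),
    "photo.jpg": riff_acon(chunk(b"anih", b"\x00" * 80)),
    "notes.ani": b"plain text, not a RIFF container",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, filter_decision(name, data), ani_findings(data) if is_ani(data) else "")
```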
