[Dshield] Remote incident handling tool

Mark markt442 at yahoo.com
Thu Dec 1 12:04:14 GMT 2005


Look at "Helix" a distro that already has a lot of the
tools you are looking for. It was developed by the
folks at e-fense. www.e-fense.com/helix/ 

It is based on Knoppix; there are others that are
based on Kanotix, such as Auditor.

If this is a "for profit" effort, you may want to
check the license on the distros before going forward
- e.g. GPL. If the distro is released under GPL you
may want to take a hard look at how it would be used.

Alternatively you could use VMWare Player, but still
be aware of GPL or GNU licensing for any open source
tools you intend to use.

Google on "knoppix" and you'll find plenty of
well-known and some obscure knoppix distros that are
built "for purpose". Some of these sites have good
documentation and may save you some time.

Good luck!


From:	"Pete Cap" <peteoutside at yahoo.com>
Subject:	[Dshield] Remote incident handling tool
Date:	Mon, 28 Nov 2005 11:13:53 -0800 (PST)
To:	list at lists.dshield.org

For a while now where I work we have been kicking around an idea which might pay off in spades if we can get it to work.

For starters, let me just say that we don't have the time or resources to send a team out every time a customer gets rooted. Ideally we would send four people out there, image the compromised box, pull down all the router/firewall/system logs, map the network, run nessus against everything, and leave a honeypot and/or sniffer for a while to see if the bad guy comes back. These data are valuable but we just don't have the personnel to get them, and if we rely on the on-site IT department to handle it for us they mess it up somehow 100% of the time (not a knock on them, their expertise just lies in other areas).

So, we came up with this solution. Hopefully you folks can help us tear this down and build it into something worthwhile. I'm looking for pointers on the overall schema as well as technical criticism, so have at it.

What we're going to do is create a Linux LiveCD containing all the tools we want (snort, nessus, cheops-ng, etc.) in an ISO. The on-site IT guys download it from our website, burn it to a CD, pull out a spare box and boot from the CD. Now, this CD will have some capability to where we can remotely administer it--so we will be able to tunnel into their network and perform our scans, capture packets, get a network map, gather logs, and so forth. Data could be stored on the box's hard drive for later retrieval, stored temporarily and pulled back across the net, or pushed to a waiting server on our end at regular intervals. Our connection to the remote box would have to be secure (SSH or a VPN or something). When the incident is mitigated, then the remote site pulls out the CD and unplugs the box.

We would need to set it up so that while the ISO was available, not just anyone could use it (or at least, not to exchange information with the "home base" network). I'm thinking some application of public key encryption, or a secure one-time key generated for each

Does this sound technically feasible? What are the obstacles to overcome that you can foresee? What Linux distro do you think we should base it on? What tools should we include?

Thanks in advance for all input.
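The "secure one-time key generated for each" deployment idea in the quoted message, worked through as an added example (this is not code from the original thread or from any tool it names). Home base mints a token per incident, hands it to the on-site staff out of band, and the LiveCD box must present it exactly once, before it expires, to obtain a session key; pushed data is then authenticated with that key, so a copy of the public ISO alone cannot talk to the home base network. The incident ids, the 24-hour lifetime, the fake clock and the sample log line are all constructed for illustration, and the transport (the SSH or VPN tunnel the post mentions) is assumed to exist outside this model.

```python
"""One-time enrollment tokens for a remote incident-handling appliance.

Added example, not code from the original thread. Home base issues a token
per incident; the appliance redeems it once for a session key and uses that
key to authenticate every blob it pushes back. All storage is in memory and
every value below is constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumption: a token is good for one day


def _digest(token: str) -> str:
    # Store only a hash of the token, so a leaked server table
    # cannot be replayed as a set of valid enrollment tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class HomeBase:
    """The server on 'our end' that issues tokens and receives pushed data."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._tokens = {}        # token digest -> record
        self._sessions = {}      # session id -> {"key", "incident"}

    def issue_token(self, incident_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = {
            "incident": incident_id,
            "expires": self._clock() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def enroll(self, token: str):
        """Exchange a known, unused, unexpired token for a session; else None."""
        rec = self._tokens.get(_digest(token))
        if rec is None or rec["used"] or self._clock() > rec["expires"]:
            return None
        rec["used"] = True  # single use: a replayed token is rejected
        session_id = secrets.token_hex(8)
        session_key = secrets.token_bytes(32)
        self._sessions[session_id] = {"key": session_key, "incident": rec["incident"]}
        return session_id, session_key

    def accept_push(self, session_id: str, payload: bytes, tag: str) -> bool:
        """Accept a pushed blob only if its HMAC matches the session key."""
        sess = self._sessions.get(session_id)
        if sess is None:
            return False
        expected = hmac.new(sess["key"], payload, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)


class Appliance:
    """The LiveCD box booted on the customer site."""

    def __init__(self, token: str):
        self._token = token
        self._session = None

    def enroll_with(self, home: HomeBase) -> bool:
        self._session = home.enroll(self._token)
        return self._session is not None

    def push(self, home: HomeBase, payload: bytes) -> bool:
        if self._session is None:
            return False
        session_id, key = self._session
        tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
        return home.accept_push(session_id, payload, tag)


def demo() -> dict:
    """Walk through issue -> enroll -> push, plus the failure cases."""
    now = [1_000_000.0]                      # constructed fake clock
    home = HomeBase(clock=lambda: now[0])
    token = home.issue_token("INC-0001")     # constructed incident id
    box = Appliance(token)
    results = {"first_enroll": box.enroll_with(home)}
    results["replay_enroll"] = Appliance(token).enroll_with(home)
    results["good_push"] = box.push(home, b"router.log: constructed sample line")
    session_id, _ = box._session
    results["forged_push"] = home.accept_push(session_id, b"x", "00" * 32)
    stale = home.issue_token("INC-0002")
    now[0] += TOKEN_TTL_SECONDS + 1
    results["expired_enroll"] = Appliance(stale).enroll_with(home)
    return results


if __name__ == "__main__":
    print(demo())
```

The session key here is handed back in the clear; in a deployment like the one described it would travel only inside the SSH or VPN tunnel, and the token's job is purely to decide which booted copy of the public ISO gets to open that tunnel at all. Hashing stored tokens, single use, and an expiry bound the damage if the server's token table or a token sent to the wrong customer ever leaks.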
