Sergey,
Tcpdump is your friend ;-)
Get a laptop, install Linux and run tcpdump on the traffic in question
and correllate it to the ISS events. It's a lot of work, but the best
way that I know of. That's what I intend to do, but to do it I'll have
to pull the traffic from the tap that SP is already using, thus
depriving SP. Not an acceptable solution. As is often case, the
Security Team is NOT the Network Team and getting a mirror port off a
switch is akin to getting blood from a turnip. In fact I just had a
conversation yesterday about building a box to duplicate the output
from the tap (yes, I know there are taps with multiple outputs but I
don't have one on hand). I will be hunting around for hardware
shortly...
Jason
--- "Soldatov, Sergey V." <SVSoldatov@tnk-bp.com> wrote:
Holger,
Thank you very much for good explanation!
But in my case situation is not so simple: I have TCP_Port_Scan form
A
(in Inet) to B (in LAN) and no other events from A except
TCP_Port_Scans, no events to A, and the same situation with B: no
events
from B and the only events to B are described TCP_Port_Scans.
Unfortunately I don't know what to do, here my imagination stops :-(
May be someone has ideas? Logevidence? ISS doesn't allow to switch
logevidence for desired hosts and if I will log logevidence for all
scans on sensor (it's gigabit) there will be no ability to find right
packets :-(
Thanks
---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 495 745 89 50
tel +7 495 777 77 07 (1613)
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
ISSForum mailing list
ISSForum@iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to mod-issforum@iss.net
The ISSForum mailing list is hosted and managed by Internet Security Systems,
6303 Barfield Road, Atlanta, Georgia, USA 30328.
