Network Security Incidents

Re: Vulnerability Scan 200.127.113.193, 69.93.128.17

Subject: Re: Vulnerability Scan 200.127.113.193, 69.93.128.17
Date: Thu, 04 Nov 2004 21:30:43 -0600

Thanks for all the replies and the good information and suggestions.
I'm replying to everyone with one message, because every msg I submit to
this list generates about 50 out of office replies :-).

It is likely that the IP located at The Planet is a compromised box
itself.  The IP in Argentina (not Brazil :-) is probably compromised but
I'm not entirely convinced based on some recon I did on it.  Either way,
a compromised box is just as dangerous so we've banned both the IPs from
all of our networks.

MyNetWatchman sounds a lot like dShield (www.dshield.org).  We'll look
into it, but I have concerns about sending my firewall logs in.  We
were just about ready to do that with dShield when one day on a lark I
typed one of our corporate IPs into the "Are you cracked?" box.  It
came up with this big red banner saying the IP was an attacker in its
database.  Looking at the lone entry they had for it, it was obvious
that Snort had flagged as a NOOP sled a TLS-encrypted SMTP session.

There was only the one record and they had the IP labeled as an
attacker.  The funny thing was that their description of what to do
never mentions the fact that it might be a false positive.  They also do
not, at least on that page, mention any way to get false positives
removed.  Anyway, I can't have one of my customers being listed as an
attacker in some system like dShield just because an automated system
thinks a single packet might be naughty.

That's my dShield rant.  It sounds like MyNetWatchman is a little more
discerning than dShield though.

I will look into Snort and how I can use it to build my "watch-list".
So far I'm leaning towards using the firewall connection log I already
get to match against a database of suspect IPs.  I could probably build
that sort of thing with a light bit of scripting.

TJ, Snort-inline can update firewall rules in real time. The Honeynet
project uses it on their gateways.  Not sure I'd feel comfortable with
an automated system banning IPs.  On the other hand, the scan I
mentioned would not have gotten very far at all if we did use something
like that.

--
Thank you,

Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D  836A DB5B A751 9004 F4C0
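The "light bit of scripting" the message sketches, matching the firewall connection log against a watch-list of suspect IPs, as an added example that is not part of the original post. It assumes an iptables-style syslog line format (the sample lines are constructed) and, following the message's complaint about dShield, only alerts on a source once it has been matched more than a single time.

```python
"""Match firewall connection-log lines against a watch-list of suspect IPs."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log (iptables-style syslog lines); real firewall
# formats differ, so adjust LOG_RE to the fields your firewall emits.
SAMPLE_LOG = """\
Nov  4 21:10:01 fw kernel: IN=eth0 OUT= SRC=200.127.113.193 DST=10.0.0.5 PROTO=TCP SPT=4321 DPT=445
Nov  4 21:10:02 fw kernel: IN=eth0 OUT= SRC=200.127.113.193 DST=10.0.0.6 PROTO=TCP SPT=4322 DPT=139
Nov  4 21:10:03 fw kernel: IN=eth0 OUT= SRC=69.93.128.17 DST=10.0.0.5 PROTO=TCP SPT=5000 DPT=25
Nov  4 21:10:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=5001 DPT=25
"""

# Pull source, destination and destination port out of one log line.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)")


def load_watchlist(entries):
    """Parse watch-list entries (single IPs or CIDR blocks) into networks.

    A bare address becomes a /32, so a banned host and a banned range are
    handled the same way when matching.
    """
    return [ip_network(e, strict=False) for e in entries]


def suspect_hits(log_text, watchlist):
    """Count log lines whose source address is on the watch-list."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a connection record we understand
        src = ip_address(m.group("src"))
        if any(src in net for net in watchlist):
            hits[str(src)] += 1
    return hits


def alerts(log_text, watchlist, min_hits=2):
    """Return watch-listed sources seen at least min_hits times.

    The threshold is the point: one matched packet (the kind of single
    record that got the poster's IP labelled an attacker) does not alert.
    """
    counts = suspect_hits(log_text, watchlist)
    return {ip: n for ip, n in counts.items() if n >= min_hits}
```

Run against a real log by replacing SAMPLE_LOG with the file contents and the watch-list entries with your own list of banned hosts or ranges.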
