Hi Martynas,
A few questions -
1 - What planned changes have happened to the network in recent
weeks (SOE change, patches, permission changes)?
2 - When the workstations are rebooted, how long until the packets
start up? Before the user logs in?
3 - Did the perimeter network security devices record any odd
behaviour in the 24-48 hours prior to the first packets being flooded?
4 - Is there any odd network behaviour between workstations that are
affected, and those that aren't? (If it is something sneaky, you
might be lucky and catch it here)
If it is a sneaky attack targeting the alerted SNORT rule, then your
systems are on their way to being hosed. Good Luck.
Sincerely,
Carl Jongsma
info@beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: 0410 707 444 / 08 8283 1154
Sûnnet Beskerming Pty. Ltd.
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise advanced Information Security research. Sûnnet
Beskerming Pty. Ltd. is an Information Security specialist and, in
conjunction with the tools developed in house, provides total
security solutions and services, from the perimeter to internal data
stores, including web application security and security testing and
analysis.
------------------------------------------------------------------------------
This List Sponsored by: Black Hat
Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
World renowned security experts reveal tomorrow's threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of your
security environment. Featuring 36 hands-on training courses and 10 conference
tracks, networking opportunities with over 2,500 delegates from 40+ nations.
http://www.blackhat.com
------------------------------------------------------------------------------
