Security Basics mailing list archives
RE: When does a scan attempt become a focused attack?
From: "Fields, James" <James.Fields () bcbsfl com>
Date: Tue, 21 Oct 2003 21:56:51 -0400
You are now facing the classic problem for every "new" IDS administrator - what to do with all this great intelligence you are gathering? I do not wish to discourage you from taking any action you feel is appropriate. I myself have, on occasion, taken the time to contact remote system admins to ask that they deal with things. However, I would suggest to you that you keep an eye on it and wait a little while (you indicated that you recently set up snort, so I am assuming you haven't been watching this kind of stuff for long). You will likely find various kinds of scanning occur at least weekly and maybe daily. During a healthy virus outbreak like Blaster when the virus is blindly looking for sites to infect, the number will grow into the hundreds every day. Get comfortable with what's normal for your network. Then you'll be better situated to judge when something really bad is happening.

By the way, those signatures are indicative of the Code Red virus trying to spread itself around. Yep, it is still out there...

-----Original Message-----
From: Hunt, Jim [mailto:Jim.Hunt () nwsc k12 in us]
Sent: Tue 10/21/2003 5:21 PM
To: security-basics () securityfocus com
Cc:
Subject: When does a scan attempt become a focused attack?

I recently set up snort to look for intrusions and am still learning to sort out all of my alerts. However, I have one that has caught my eye this afternoon and wonder what to do... The scan/attack started about 1/2 hour ago and is still continuing as I type this out. The snort box is Windows and the attacker is happily trying all the basic attempts over and over. The pattern looks very deliberate.

Here are the exploits -
http://www.snort.org/snort-db/sid.html?sid=1040
http://www.snort.org/snort-db/sid.html?sid=1002
http://www.snort.org/snort-db/sid.html?sid=1256
http://www.snort.org/snort-db/sid.html?sid=983
http://www.snort.org/snort-db/sid.html?sid=1286

We are at 150+ in 35 minutes. Does it really do any good to report him?
Here is the whois data -
http://www.dnsstuff.com/tools/whois.ch?ip=!NET-63-126-130-224-1&server=whois.arin.net

What is the correct thing to do?

Jim Hunt
Certified Network & Systems Engineer
Northwestern School Corporation
Technology Services Manager
http://technology.nwsc.k12.in.us
http://www.ProWinHost.com | Professional Windows Hosting | Professional Windows Reselling
http://www.AlertServ.com | Managed and Incident Windows Server Support | Custom Alerting
http://www.NetMon.org | Network Monitoring Tools and Tutorials | Includes MRTG for Dummies

Northwestern School Corporation - Kokomo, Indiana
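The advice above is to baseline what is normal and then judge a source by volume and breadth, as in the 150 hits in 35 minutes across five signatures that prompted the question. The following is an added example (not code from either poster) that parses constructed Snort "fast"-format alert lines, counts per-source hits in a sliding window and flags sources that both exceed a hit threshold and trip several distinct rules; the log layout, IP addresses and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One Snort "fast"-format alert line; the regex is an assumption about that layout.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[\d+:(?P<sid>\d+):\d+\] "
    r"(?P<msg>.*?) \[\*\*\] .*\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")

def parse_alerts(lines, year=2003):
    """Yield (timestamp, sid, src_ip) per well-formed line; fast format omits the year."""
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:  # anything else (blank lines, log chatter) is skipped
            ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
            yield ts, int(m["sid"]), m["src"]

def find_focused_sources(alerts, window=timedelta(minutes=35), threshold=150, min_sids=3):
    """Return {src: (peak_hits, distinct_sids)} for sources whose hits inside any
    sliding `window` reach `threshold` AND that tripped >= `min_sids` different rules,
    so one noisy rule misfiring on background traffic is not enough on its own."""
    by_src = defaultdict(list)
    for ts, sid, src in alerts:
        by_src[src].append((ts, sid))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start, peak = 0, 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        sids = {sid for _, sid in events}
        if peak >= threshold and len(sids) >= min_sids:
            flagged[src] = (peak, len(sids))
    return flagged

def constructed_sample():
    """Constructed alert lines, not real logs: 203.0.113.9 cycles through the five
    signatures from the original post for ~35 minutes; 198.51.100.4 trips one rule."""
    sids, t0, lines = [1040, 1002, 1256, 983, 1286], datetime(2003, 10, 21, 16, 45), []
    for i in range(160):
        ts, sid = t0 + timedelta(seconds=13 * i), sids[i % 5]
        lines.append(f"{ts:%m/%d-%H:%M:%S}.000000 [**] [1:{sid}:5] WEB-IIS probe (constructed) "
                     f"[**] [Priority: 2] {{TCP}} 203.0.113.9:{2000 + i} -> 192.0.2.10:80")
    lines.append("10/21-16:50:00.000000 [**] [1:1002:5] WEB-IIS probe (constructed) "
                 "[**] [Priority: 2] {TCP} 198.51.100.4:3311 -> 192.0.2.10:80")
    return lines

if __name__ == "__main__":
    print(find_focused_sources(parse_alerts(constructed_sample())))
```

The single-rule source stays below both the volume and breadth thresholds, while the source cycling through all five IIS signatures is reported with its peak count and rule spread, which is the kind of summary worth keeping before deciding whether a report to the remote admin is warranted.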