Security Basics mailing list archives

RE: When does a scan attempt become a focused attack?


From: "Fields, James" <James.Fields () bcbsfl com>
Date: Tue, 21 Oct 2003 21:56:51 -0400

You are now facing the classic problem for every "new" IDS administrator - what to do with all this great intelligence 
you are gathering?  I do not wish to discourage you from taking any action you feel is appropriate.  I myself have, on 
occasion, taken the time to contact remote system admins to ask that they deal with things.  However, I would suggest 
to you that you keep an eye on it and wait a little while (you indicated that you recently set up snort, so I am 
assuming you haven't been watching this kind of stuff for long).  You will likely find various kinds of scanning occur 
at least weekly and maybe daily.  During a healthy virus outbreak like Blaster when the virus is blindly looking for 
sites to infect, the number will grow into the hundreds every day.  
 
Get comfortable with what's normal for your network.  Then you'll be better situated to judge when something really bad 
is happening.  By the way, those signatures are indicative of the Code Red virus trying to spread itself around.  Yep, 
it is still out there...

        -----Original Message----- 
        From: Hunt, Jim [mailto:Jim.Hunt () nwsc k12 in us] 
        Sent: Tue 10/21/2003 5:21 PM 
        To: security-basics () securityfocus com 
        Cc: 
        Subject: When does a scan attempt become a focused attack?
        
        

        I recently set up snort to look for intrusions and am still learning to
        sort out all of my alerts.  However, I have one that has caught my eye
        this afternoon and wonder what to do...
        
        The scan/attack started about 1/2 hour ago and is still continuing as I
        type this out.  The snort box is Windows and the attacker is happily
        trying all the basic attempts over and over.  The pattern looks very
        deliberate.
        
        Here are the exploits -
        
        http://www.snort.org/snort-db/sid.html?sid=1040
        http://www.snort.org/snort-db/sid.html?sid=1002
        http://www.snort.org/snort-db/sid.html?sid=1256
        http://www.snort.org/snort-db/sid.html?sid=983
        http://www.snort.org/snort-db/sid.html?sid=1286
        
        We are at 150+ in 35 minutes.  Does it really do any good to report him?
        
        
        Here is the whois data -
        http://www.dnsstuff.com/tools/whois.ch?ip=!NET-63-126-130-224-1&server=whois.arin.net
        
        What is the correct thing to do?
        
        Jim Hunt
        Certified Network & Systems Engineer
        Northwestern School Corporation
        Technology Services Manager
        http://technology.nwsc.k12.in.us/
        


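Jim's question (when does scanning become a focused attack?) and Jim Fields' answer (know what is normal first) both come down to comparing a source against a baseline. The following is an added example, not code from either poster: a small Python triage script over constructed Snort fast-format alert lines that profiles each source IP by alert rate, distinct signatures and distinct targets, and flags a source as "focused" only when it concentrates several signatures on one or two hosts at a rate well above an assumed quiet-day baseline. The regex, the 0.1 alerts/minute baseline, the thresholds and the documentation-range addresses are all assumptions; the SIDs are the ones Jim listed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Snort "fast"-format alert lines (SIDs are the ones Jim listed; addresses are
# documentation ranges, not the real source). 198.51.100.7 works one host with several
# signatures; 203.0.113.9 sprays a single signature across the subnet at a slow rate.
SAMPLE_ALERTS = """\
10/21-17:00:10.000000  [**] [1:1002:5] constructed msg [**] [Priority: 1] {TCP} 198.51.100.7:1034 -> 10.0.0.5:80
10/21-17:01:20.000000  [**] [1:1040:5] constructed msg [**] [Priority: 1] {TCP} 198.51.100.7:1035 -> 10.0.0.5:80
10/21-17:02:30.000000  [**] [1:1256:5] constructed msg [**] [Priority: 1] {TCP} 198.51.100.7:1036 -> 10.0.0.5:80
10/21-17:03:40.000000  [**] [1:983:5] constructed msg [**] [Priority: 1] {TCP} 198.51.100.7:1037 -> 10.0.0.5:80
10/21-17:04:50.000000  [**] [1:1286:5] constructed msg [**] [Priority: 1] {TCP} 198.51.100.7:1038 -> 10.0.0.5:80
10/21-17:05:10.000000  [**] [1:1002:5] constructed msg [**] [Priority: 1] {TCP} 198.51.100.7:1039 -> 10.0.0.5:80
10/21-17:00:00.000000  [**] [1:1256:5] constructed msg [**] [Priority: 1] {TCP} 203.0.113.9:2000 -> 10.0.0.11:80
10/21-17:15:00.000000  [**] [1:1256:5] constructed msg [**] [Priority: 1] {TCP} 203.0.113.9:2001 -> 10.0.0.12:80
10/21-17:30:00.000000  [**] [1:1256:5] constructed msg [**] [Priority: 1] {TCP} 203.0.113.9:2002 -> 10.0.0.13:80
"""

ALERT_RE = re.compile(  # timestamp, SID, source IP and destination IP of a fast-format line
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\].*?"
    r"\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$")

def parse_alerts(lines, year=2003):
    # Returns (time, sid, src, dst) tuples; non-alert lines are skipped. Fast format has no year.
    events = []
    for m in filter(None, (ALERT_RE.match(ln.strip()) for ln in lines)):
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        events.append((ts, int(m["sid"]), m["src"], m["dst"]))
    return events

def profile_sources(events):
    # Per source IP: alert count, distinct signatures, distinct targets, alerts per minute.
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)
    profiles = {}
    for src, evs in by_src.items():
        times = [e[0] for e in evs]
        span_min = max((max(times) - min(times)).total_seconds() / 60, 1.0)  # 1-minute floor
        profiles[src] = {"alerts": len(evs), "sids": {e[1] for e in evs},
                         "dsts": {e[3] for e in evs}, "per_min": len(evs) / span_min}
    return profiles

def classify(profile, baseline_per_min):
    # Worm-style noise: one or two signatures sprayed across many hosts. Focused: several
    # signatures at one or two hosts, at a rate well above the baseline from quiet days.
    focused = (len(profile["sids"]) >= 3 and len(profile["dsts"]) <= 2
               and profile["per_min"] > 3 * baseline_per_min)
    return "focused" if focused else "background"
```

Run `classify(p, 0.1)` over `profile_sources(parse_alerts(SAMPLE_ALERTS.splitlines()))` to see the two sources separate; in practice the baseline comes from your own sensor after a few quiet weeks, as Jim Fields suggests.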