Educause Security Discussion mailing list archives
Re: mynetwatchman participation
From: Jeff Kell <jeff-kell () UTC EDU>
Date: Thu, 15 Apr 2004 22:55:24 -0400
Ken De Cruyenaere wrote:
On Thu, Apr 15, 2004 at 09:41:33AM -0500, Barros, Jacob wrote:
Is anyone a mynetwatchman agent? I just heard about this service and wanted to know if any of you have experience with it. Any concerns about privacy and/or internal security?
I have it running on my home PC and on one of my office machines, using ZoneAlarm firewall logs. I have DShield (dshield.org) running on another. I found the DShield log excerpts (which can be emailed to oneself) quite handy in identifying Blaster-infected machines last year.
We have a tarpit (LaBrea) strategically placed in our public IP space that reports to DShield; the daily summaries are nice, as well as their aggregated reports on their web pages. We have another one covering some gaps in our private Resnet space that does not report to DShield, but e-mails me instead. It is good for catching anything doing local scans.

For Blaster/Nachi/etc., we have a script that captures ARP requests a thousand at a time. The results are analyzed, and for any single host with > "x" (you decide how big "x" is for you) requests, we shut off their port. This is also pretty good at detecting dsniff/ettercap.

Jeff

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
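The ARP-counting check described in the message above, as an added example (not the script from the post): it reads ARP requests a thousand at a time and reports any host over the threshold "x". The `tcpdump -n arp` text input format, the function names, the default threshold of 100 and the sample capture are assumptions; the distinct-target count goes beyond what the post describes, and shutting off the switch port is left to site tooling.

```python
import re
from collections import Counter, defaultdict
from itertools import islice

# Assumed input: text output of `tcpdump -n arp`, one packet per line.
ARP_REQ = re.compile(r"ARP, Request who-has (\S+?)(?: \(\S+\))? tell (\S+?),")

def arp_requests(lines):
    """Yield (requester, target) per ARP request; replies and other lines are skipped."""
    for line in lines:
        m = ARP_REQ.search(line)
        if m:
            yield m.group(2), m.group(1)

def noisy_hosts(lines, batch_size=1000, threshold=100):
    """Return (batch_no, host, requests, distinct_targets) for hosts over threshold."""
    findings, reqs, batch_no = [], arp_requests(lines), 0
    while batch := list(islice(reqs, batch_size)):
        batch_no += 1
        counts = Counter(src for src, _ in batch)
        targets = defaultdict(set)
        for src, dst in batch:
            targets[src].add(dst)
        for host, n in counts.most_common():
            if n > threshold:
                # Many distinct targets suggests a sweep rather than a chatty client.
                findings.append((batch_no, host, n, len(targets[host])))
    return findings

def sample_capture():
    """Constructed sample: five ordinary clients plus one host sweeping the subnet."""
    lines = []
    for i in range(1000):
        if i % 4 == 0:
            src, dst = f"10.1.0.{10 + i % 20}", "10.1.0.1"
        else:
            src, dst = "10.1.0.77", f"10.1.{i // 250}.{i % 250 + 1}"
        lines.append(f"12:00:00.{i:06d} ARP, Request who-has {dst} tell {src}, length 46")
    lines.append("12:00:01.000000 ARP, Reply 10.1.0.1 is-at 00:00:5e:00:53:01, length 46")
    return lines

if __name__ == "__main__":
    for batch_no, host, n, distinct in noisy_hosts(sample_capture()):
        print(f"batch {batch_no}: {host} sent {n} ARP requests for {distinct} targets")
```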