Educause Security Discussion mailing list archives

Re: mynetwatchman participation


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Thu, 15 Apr 2004 22:55:24 -0400

Ken De Cruyenaere wrote:

> On Thu, Apr 15, 2004 at 09:41:33AM -0500, Barros, Jacob wrote:
>
> > Is anyone a mynetwatchman agent?  I just heard about this service and
> > wanted to know if any of you have experience with it.  Any concerns
> > about privacy and/or internal security?
>
> I have it running on my home pc and on one of my office machines,
> using Zonealarm firewall logs. I have dshield (dshield.org) running on another.
> I found the Dshield log excerpts (which can be emailed to oneself)
> quite handy in identifying Blaster infected machines last year.

We have a tarpit (LaBrea) strategically placed in our public IP space
that reports to DShield; the daily summaries are nice, as well as their
aggregated reports on their web pages.  We have another one covering
some gaps in our private Resnet space that does not report to DShield
but e-mails me instead.  It is good for catching anything doing local
scans.  For Blaster/Nachi/etc., we have a script that captures ARP
requests a thousand at a time.  The results are analyzed, and any single
host with more than "x" requests (you decide how big "x" is for you)
gets its port shut off.  This is also pretty good at detecting dsniff/ettercap.

Jeff
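The ARP-counting approach Jeff describes, worked through as an added example. This is not the script from the post (that script is not on the page); it is illustrative code that reads tcpdump-style ARP request lines (the "Request who-has A tell B" format is an assumption), tallies requests per sending host in batches of a thousand, and flags any sender over a threshold "x". The sample capture is constructed inline: one host sweeping forty neighbours (worm-style or ARP-scanner behaviour) and one host asking for its gateway a few times. Counting distinct targets alongside raw request counts is an addition beyond the post: it separates a host that is sweeping the subnet from one that is simply retrying a single lookup.

```python
"""
Per-sender ARP request counter, in the spirit of the script described in the
post above. Hypothetical example code; the input format below is assumed to be
the output of `tcpdump -n arp`, e.g.
  12:00:01.000001 ARP, Request who-has 10.1.2.3 tell 10.1.2.4, length 28
"""
import re
from collections import defaultdict
from itertools import islice

# Only ARP requests are counted; replies ("is-at") and anything else are ignored.
ARP_REQUEST = re.compile(
    r"Request who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+)"
)


def parse_arp_requests(lines):
    """Yield (sender_ip, target_ip) for each ARP request line."""
    for line in lines:
        m = ARP_REQUEST.search(line)
        if m:
            target, sender = m.group(1), m.group(2)
            yield sender, target


def summarize(lines):
    """Return {sender_ip: (request_count, distinct_targets)} for one batch."""
    counts = defaultdict(int)
    targets = defaultdict(set)
    for sender, target in parse_arp_requests(lines):
        counts[sender] += 1
        targets[sender].add(target)
    return {s: (counts[s], len(targets[s])) for s in counts}


def flag_scanners(lines, x):
    """Senders with more than x requests in the batch, as (ip, count, distinct),
    busiest first. 'x' is the site-specific threshold from the post."""
    summary = summarize(lines)
    hits = [(s, c, d) for s, (c, d) in summary.items() if c > x]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def batches(lines, size=1000):
    """Group a line stream into fixed-size batches ("a thousand at a time")."""
    it = iter(lines)
    while True:
        chunk = list(islice(it, size))
        if not chunk:
            return
        yield chunk


# Constructed sample capture (not real data): 10.1.2.50 sweeps 10.1.2.1-40,
# 10.1.2.7 asks for its gateway three times, plus one reply line to be ignored.
SAMPLE = (
    [f"12:00:00.{i:06d} ARP, Request who-has 10.1.2.{i} tell 10.1.2.50, length 28"
     for i in range(1, 41)]
    + ["12:00:01.000000 ARP, Request who-has 10.1.2.1 tell 10.1.2.7, length 28"] * 3
    + ["12:00:01.000500 ARP, Reply 10.1.2.1 is-at 00:11:22:33:44:55, length 28"]
)

if __name__ == "__main__":
    # Stand-alone run: process the sample in batches and report anything over x=10.
    for batch in batches(SAMPLE, size=1000):
        for ip, count, distinct in flag_scanners(batch, x=10):
            print(f"{ip}: {count} ARP requests for {distinct} distinct targets")
```

In production the line stream would come from `tcpdump -l -n arp` on a port that sees the segment's broadcast traffic; the action on a hit (disabling the switch port, as in the post) is site policy and is left out here.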

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.