Security Basics mailing list archives
RE: When does a scan attempt become a focused attack?
From: "dave kleiman" <dave () netmedic net>
Date: Tue, 21 Oct 2003 20:02:13 -0400
Jim,

What does your incident response policy say to do?

And I hope that is not the real WHOIS/IP info you posted, that is not good etiquette.

Dave

_____________________
Dave Kleiman
secure () netmedic net
www.SecurityBreachResponse.com

"High achievement always takes place in the framework of high expectation."
Jack Kinder

-----Original Message-----
From: Hunt, Jim [mailto:Jim.Hunt () nwsc k12 in us]
Sent: Tuesday, October 21, 2003 17:22
To: security-basics () securityfocus com
Subject: When does a scan attempt become a focused attack?

I recently set up snort to look for intrusions and am still learning to sort out all of my alerts. However, I have one that has caught my eye this afternoon and wonder what to do...

The scan/attack started about 1/2 hour ago and is still continuing as I type this out. The snort box is Windows and the attacker is happily trying all the basic attempts over and over. The pattern looks very deliberate.

Here are the exploits -
http://www.snort.org/snort-db/sid.html?sid=1040
http://www.snort.org/snort-db/sid.html?sid=1002
http://www.snort.org/snort-db/sid.html?sid=1256
http://www.snort.org/snort-db/sid.html?sid=983
http://www.snort.org/snort-db/sid.html?sid=1286

We are at 150+ in 35 minutes. Does it really do any good to report him?

Here is the whois data -
http://www.dnsstuff.com/tools/whois.ch?ip=!NET-63-126-130-224-1&server=whois.arin.net

What is the correct thing to do?

Jim Hunt
Certified Network & Systems Engineer
Northwestern School Corporation
Technology Services Manager
http://technology.nwsc.k12.in.us

http://www.ProWinHost.com | Professional Windows Hosting | Professional Windows Reselling
http://www.AlertServ.com | Managed and Incident Windows Server Support | Custom Alerting
http://www.NetMon.org | Network Monitoring Tools and Tutorials | Includes MRTG for Dummies

----------
Outgoing mail is certified virus free using Symantec Antivirus & Symantec Antivirus for Microsoft Exchange.
Northwestern School Corporation - Kokomo, Indiana
Current thread:
- When does a scan attempt become a focused attack? Hunt, Jim (Oct 21)
- RE: When does a scan attempt become a focused attack? dave kleiman (Oct 22)
- Re: When does a scan attempt become a focused attack? Sebastian Schneider (Oct 22)
- Re: When does a scan attempt become a focused attack? Karma (Oct 22)
- Re: When does a scan attempt become a focused attack? Byron Sonne (Oct 23)
- Re: When does a scan attempt become a focused attack? Ivan Hernandez (Oct 23)
- Re: When does a scan attempt become a focused attack? Byron Sonne (Oct 23)
- <Possible follow-ups>
- RE: When does a scan attempt become a focused attack? Fields, James (Oct 22)
- Re: When does a scan attempt become a focused attack? salgak (Oct 22)