Security Basics mailing list archives
Re: When does a scan attempt become a focused attack?
From: Sebastian Schneider <ses () straightliners de>
Date: Wed, 22 Oct 2003 16:55:20 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Jimmy,

actually I guess, every machine within the Internet is checked for several vulnerabilities over and over again.

If your server is not vulnerable to those attacks mentioned below, you should focus your IDS on the important attacks. That is, adjust your snort to match your environment. It makes no sense to report every attack if you don't need them for statistical reasons.

Sebastian

On Tuesday 21 October 2003 23:21, Hunt, Jim wrote:
> I recently set up snort to look for intrusions and am still learning to sort out all of my alerts. However, I have one that has caught my eye this afternoon and wonder what to do...
>
> The scan/attack started about 1/2 hour ago and is still continuing as I type this out. The snort box is Windows and the attacker is happily trying all the basic attempts over and over. The pattern looks very deliberate. Here are the exploits -
>
> http://www.snort.org/snort-db/sid.html?sid=1040
> http://www.snort.org/snort-db/sid.html?sid=1002
> http://www.snort.org/snort-db/sid.html?sid=1256
> http://www.snort.org/snort-db/sid.html?sid=983
> http://www.snort.org/snort-db/sid.html?sid=1286
>
> We are at 150+ in 35 minutes. Does it really do any good to report him? Here is the whois data -
>
> http://www.dnsstuff.com/tools/whois.ch?ip=!NET-63-126-130-224-1&server=whois.arin.net
>
> What is the correct thing to do?
>
> Jim Hunt
> Certified Network & Systems Engineer
> Northwestern School Corporation
> Technology Services Manager
> http://technology.nwsc.k12.in.us
>
> http://www.ProWinHost.com | Professional Windows Hosting | Professional Windows Reselling
> http://www.AlertServ.com | Managed and Incident Windows Server Support | Custom Alerting
> http://www.NetMon.org | Network Monitoring Tools and Tutorials | Includes MRTG for Dummies
>
> ----------
> Outgoing mail is certified virus free using Symantec Antivirus & Symantec Antivirus for Microsoft Exchange.
> Northwestern School Corporation - Kokomo, Indiana
>
> ---------------------------------------------------------------------------
> Visual & Easy-to-use are not words that you think of when talking about network analyzers. Are you sick of the three window text decodes? Download ClearSight Network's Analyzer and see a new network analysis tool that makes the complex - easy
> www.clearsightnet.com/jmp6-downloadtrial.jsp
> ---------------------------------------------------------------------------
- -- 
Sebastian Schneider
straightLiners IT Consulting & Services
Metzer Str. 12
13595 Berlin
Germany
Fon: +49-30-3510-6168
Fax: +49-30-3510-6169
www.straightliners.de
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/lppYQ7mOWZBxbPcRApqnAJ4+fOgwmdFXxIgPGOSEX1hK/6Q9DQCgyRoQ
K4Gwij2gMpmC1guWlndr6V0=
=v8t0
-----END PGP SIGNATURE-----
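
Added example, not part of the original messages: a short Python triage of Snort fast-format alerts that reports, per source address, how many alerts arrived over what time span and splits the SIDs into those that matter for the monitored server and those the operator has tuned out, which is the adjustment the reply above recommends. The sample log lines, the addresses, the `summarize` helper, the `year` default and the choice of which SIDs count as not applicable are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in Snort "fast" alert layout. Addresses are documentation
# ranges and the message text is a placeholder, not the real rule descriptions.
SAMPLE_ALERTS = """\
10/21-16:46:02.100000  [**] [1:1002:5] sample alert text [**] [Priority: 1] {TCP} 192.0.2.10:3101 -> 198.51.100.5:80
10/21-16:47:30.200000  [**] [1:1256:7] sample alert text [**] [Priority: 1] {TCP} 192.0.2.10:3102 -> 198.51.100.5:80
10/21-16:48:10.300000  [**] [1:1040:6] sample alert text [**] [Priority: 2] {TCP} 192.0.2.10:3103 -> 198.51.100.5:80
10/21-16:49:00.400000  [**] [1:1002:5] sample alert text [**] [Priority: 1] {TCP} 192.0.2.10:3104 -> 198.51.100.5:80
10/21-16:50:00.000000  [**] [1:983:8] sample alert text [**] [Priority: 1] {TCP} 192.0.2.77:4000 -> 198.51.100.5:80
10/21-16:51:02.500000  [**] [1:1286:5] sample alert text [**] [Priority: 2] {TCP} 192.0.2.10:3105 -> 198.51.100.5:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[\d+:(?P<sid>\d+):\d+\].*?\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->"
)

def summarize(log_text, not_applicable_sids=frozenset(), year=2003):
    """Per source address: alert count, time span, and SID tallies split into
    SIDs that matter here and SIDs the operator marked as not applicable.
    Fast alerts carry no year, so `year` is supplied by the caller (assumption)."""
    times = defaultdict(list)
    tallies = defaultdict(lambda: {"relevant": Counter(), "tuned_out": Counter()})
    for line in log_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # skip anything that is not a fast-format alert line
        src, sid = m["src"], int(m["sid"])
        times[src].append(datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S"))
        bucket = "tuned_out" if sid in not_applicable_sids else "relevant"
        tallies[src][bucket][sid] += 1
    report = {}
    for src, seen in times.items():
        minutes = (max(seen) - min(seen)).total_seconds() / 60
        report[src] = {
            "alerts": len(seen),
            "minutes": round(minutes, 1),
            "relevant": dict(tallies[src]["relevant"]),
            "tuned_out": dict(tallies[src]["tuned_out"]),
        }
    return report

if __name__ == "__main__":
    # Which SIDs are irrelevant depends on the monitored server; this set is illustrative.
    for src, row in summarize(SAMPLE_ALERTS, {1040, 1286}).items():
        print(src, row)
```

A source whose alerts land only in `tuned_out` is background noise for that server, while a non-empty `relevant` tally from one address is what deserves a closer look.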