potential network attacks

["Daniel Handley" <daniel () homepage net>]

Thanks for the quick response from you all i will have a go with ethereal
today.
the reason i have not been using the pix syslog server is the because i
didn't rtfm. i have now set it up using udp and it is logging to ipswitch's
whatsup gold.
this is giving me the valuable information i needed to view incoming and
outgoing traffic. as a test i have logging set for notification giving a
huge amount of data, i will reduce this today but does anyone know of a
utility that give a nice report of the output.
once again thanks in advance
dan

-----Original Message-----
From: Tony Howlett [mailto:thowlett () netsecuritysvcs com]
Sent: 14 December 2001 04:37
To: daniel () homepage net
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] potential network attacks


both snort and ethereal are excellent although snorts kinda a bear to set
up in a windows enviroment.

If you want something quick and dirty, you might also try windump.  it will
accomplish the same as snort without the IDS component.  the outputs a
little harder to read but if all you want to do is watch the packets fly
by, it will do the job just fine.

Good luck!

At 08:41 AM 12/13/2001 +0000, you wrote:
> i wish to check if my network is coming under attack.
> in the last few days we have noticed that the incoming network traffic is
> usually high.
> our web servers are in a dmz located behind a cisco pix 515 6.1(1).
> the servers are nt4 iis with no outstanding items in their log files, or
> additional files that have been ftp'd etc on to them. they are all patched
> up to the hilt and virus scanned regularly.
> using the pdm console on the pix reveals peaks in udp traffic at the time
of
> increased network traffic. this leads me to believe that we have been under
> attack from some one attempting to use the recently exposed vulnerability
in
> w2k via IKE.
> to check my theory (and prove to the boss that i am doing my job) i need a
> packet sniffer to view the traffic entering the network.
> unfortunately i have no budget (or maybe a very small one) and must use the
> dos/windows/nt environment.
> i have been following the discussions recently about snort, ethereal, etc
> but am under pressure to have a result yesterday and so don't have time for
> any evaluation.
> can you please suggest a solution
>
> thanks in advance
>
> dan
>
> in addition does anyone know of a way to get logs (and decipher them) from
> the pix without using the nt syslog server that kills tcp connections when
> disconnected (not any good for web hosting). i intend to use snmp in the
> future but as usual haven't had the time to implement it yet. thanks again.
>
>
>
> Daniel Handley
> Infrastructure Manager, HomePage Ltd
> mailto:daniel () homepage net http://www.homepage.net
>
>
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards