Firewall Wizards mailing list archives
potential network attacks
From: "Daniel Handley" <daniel () homepage net>
Date: Fri, 14 Dec 2001 08:47:19 -0000
Thanks for the quick response from you all, I will have a go with Ethereal today. The reason I have not been using the PIX syslog server is because I didn't RTFM. I have now set it up using UDP and it is logging to Ipswitch's WhatsUp Gold. This is giving me the valuable information I needed to view incoming and outgoing traffic. As a test I have logging set for notification, giving a huge amount of data; I will reduce this today, but does anyone know of a utility that gives a nice report of the output?

Once again thanks in advance

Dan

-----Original Message-----
From: Tony Howlett [mailto:thowlett () netsecuritysvcs com]
Sent: 14 December 2001 04:37
To: daniel () homepage net
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] potential network attacks

Both Snort and Ethereal are excellent, although Snort's kinda a bear to set up in a Windows environment. If you want something quick and dirty, you might also try WinDump. It will accomplish the same as Snort without the IDS component. The output's a little harder to read, but if all you want to do is watch the packets fly by, it will do the job just fine. Good luck!

At 08:41 AM 12/13/2001 +0000, you wrote:

I wish to check if my network is coming under attack. In the last few days we have noticed that the incoming network traffic is unusually high. Our web servers are in a DMZ located behind a Cisco PIX 515 6.1(1). The servers are NT4 IIS with no outstanding items in their log files, or additional files that have been FTP'd etc. on to them. They are all patched up to the hilt and virus scanned regularly. Using the PDM console on the PIX reveals peaks in UDP traffic at the time of increased network traffic. This leads me to believe that we have been under attack from someone attempting to use the recently exposed vulnerability in W2K via IKE.

To check my theory (and prove to the boss that I am doing my job) I need a packet sniffer to view the traffic entering the network. Unfortunately I have no budget (or maybe a very small one) and must use the DOS/Windows/NT environment. I have been following the discussions recently about Snort, Ethereal, etc. but am under pressure to have a result yesterday and so don't have time for any evaluation. Can you please suggest a solution?

Thanks in advance

Dan

In addition, does anyone know of a way to get logs (and decipher them) from the PIX without using the NT syslog server that kills TCP connections when disconnected (not any good for web hosting)? I intend to use SNMP in the future but as usual haven't had the time to implement it yet. Thanks again.

Daniel Handley
Infrastructure Manager, HomePage Ltd
mailto:daniel () homepage net
http://www.homepage.net

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
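A small reporter for the kind of PIX syslog output Dan is now collecting, added here as an example (it is not code from the list, from Cisco or from WhatsUp Gold). It assumes PIX 6.x "Built UDP connection" (message 302005) lines in the layout constructed below, counts UDP connections per minute and per local port, and flags minutes with a burst to UDP/500 (IKE), which is the hypothesis in the original message; the threshold is an assumed cutoff.

```python
import re
from collections import Counter, defaultdict

# PIX 6.x "Built UDP connection" message (ID 302005). The field layout below is
# an assumption based on PIX 6.x documentation; adjust the prefix if your syslog
# server writes lines differently.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d):\d\d .*?%PIX-\d-302005: Built UDP connection "
    r"for faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) gaddr [\d.]+/\d+ "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)"
)

# Constructed sample log, not real traffic: one outside host opens a burst of
# UDP/500 connections to two DMZ servers in the 09:00 minute; a non-UDP line
# is included to show it is ignored.
SAMPLE_LOG = """\
Dec 13 08:58:11 pix %PIX-6-302005: Built UDP connection for faddr 198.51.100.7/53 gaddr 203.0.113.10/1034 laddr 10.1.1.10/1034
Dec 13 09:00:01 pix %PIX-6-302005: Built UDP connection for faddr 198.51.100.9/500 gaddr 203.0.113.20/500 laddr 10.1.1.20/500
Dec 13 09:00:02 pix %PIX-6-302005: Built UDP connection for faddr 198.51.100.9/500 gaddr 203.0.113.20/500 laddr 10.1.1.20/500
Dec 13 09:00:03 pix %PIX-6-302005: Built UDP connection for faddr 198.51.100.9/500 gaddr 203.0.113.21/500 laddr 10.1.1.21/500
Dec 13 09:00:04 pix %PIX-6-302005: Built UDP connection for faddr 198.51.100.9/500 gaddr 203.0.113.21/500 laddr 10.1.1.21/500
Dec 13 09:01:30 pix %PIX-6-302005: Built UDP connection for faddr 198.51.100.7/53 gaddr 203.0.113.10/1035 laddr 10.1.1.10/1035
Dec 13 09:02:00 pix %PIX-4-106023: Deny tcp src outside:198.51.100.8/4444 dst dmz:10.1.1.10/80 by access-group "outside_in"
"""


def parse(log_text):
    """Yield (minute, foreign_ip, local_ip, local_port) for each UDP build line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["faddr"], m["laddr"], int(m["lport"])


def report(log_text, port=500, threshold=3):
    """Per-minute and per-local-port UDP connection counts, plus the minutes in
    which connections to `port` exceed `threshold`, broken down by foreign IP."""
    per_minute, per_port = Counter(), Counter()
    port_minute = defaultdict(Counter)  # minute -> Counter of foreign IPs
    for minute, faddr, laddr, lport in parse(log_text):
        per_minute[minute] += 1
        per_port[lport] += 1
        if lport == port:
            port_minute[minute][faddr] += 1
    peaks = {m: dict(c) for m, c in port_minute.items() if sum(c.values()) > threshold}
    return {"per_minute": dict(per_minute), "per_port": dict(per_port), "peaks": peaks}


if __name__ == "__main__":
    for section, values in report(SAMPLE_LOG).items():
        print(section, values)
```

Feed it the syslog file WhatsUp Gold writes instead of SAMPLE_LOG to get the same summary over real traffic.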