Security Incidents mailing list archives

Re: Vulnerability Scan 200.127.113.193, 69.93.128.17


From: Kirby Angell <kangell () alertra com>
Date: Thu, 04 Nov 2004 21:30:43 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for all the replies and the good information and suggestions.
I'm replying to everyone with one message, because every msg I submit to
this list generates about 50 out of office replies :-).

It is likely that the IP located at The Planet is a compromised box
itself.  The IP in Argentina (not Brazil :-) is probably compromised but
I'm not entirely convinced based on some recon I did on it.  Either way,
a compromised box is just as dangerous so we've banned both the IPs from
all of our networks.

MyNetWatchman sounds a lot like dShield (www.dshield.org).  We'll look
into it, but I have concerns about sending my firewall logs in.  We
were just about ready to do that with dShield when one day on a lark I
typed in one of our corporate IPs into the "Are you cracked?" box.  It
came up with this big red banner saying the IP was an attacker in its
database.  Looking at the lone entry they had for it, it was obvious
that Snort had flagged as a NOOP sled a TLS encrypted SMTP session.

There was only the one record and they had the IP labeled as an
attacker.  The funny thing was that their description of what to do
never mentions the fact that it might be a false positive.  They also do
not, at least on that page, mention any way to get false positives
removed.  Anyway, I can't have one of my customers being listed as
attackers in some system like dShield just because an automated system
thinks a single packet might be naughty.

That's my dShield rant.  It sounds like MyNetWatchman is a little more
discerning than dShield though.

I will look into Snort and how I can use it to build my "watch-list".
So far I'm leaning towards using the firewall connection log I already
get to match against a database of suspect IPs.  I could probably build
that sort of thing with a light bit of scripting.

TJ, Snort-inline can update firewall rules in realtime. The Honeynet
project uses it on their gateways.  Not sure I'd feel comfortable with
an automated system banning IPs.  On the other hand, the scan I
mentioned would not have gotten very far at all if we did use something
like that.

- --
Thank you,

Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D  836A DB5B A751 9004 F4C0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBivPj21unUZAE9MARAqHQAJ99aTvMI7XVKmgx6FXAau/A26mgoACgmN0m
5AQUo8l3qsP02y4rMNUtJRU=
=4dmz
-----END PGP SIGNATURE-----
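The "light bit of scripting" described in the message, matching a firewall connection log against a watch-list of suspect IPs, as an added illustration that is not Kirby's code or anything from alertra.com. It assumes netfilter/iptables-style LOG lines (the sample lines are constructed) and a watch-list whose two host entries are the addresses from the thread's subject line; the CIDR entry is a constructed placeholder. A minimum hit count is included so that, unlike the dShield behaviour complained about above, a single packet does not by itself put a source on the report.

```python
import ipaddress
import re
from collections import Counter

# Constructed watch-list: the two addresses from the thread's subject line plus a
# hypothetical CIDR block (TEST-NET-1), each with a note on where the entry came from.
WATCH_LIST = {
    "200.127.113.193": "subject of thread (host in Argentina)",
    "69.93.128.17": "subject of thread (host at The Planet)",
    "192.0.2.0/24": "constructed example block (TEST-NET-1)",
}

# Constructed log lines in the style of the netfilter/iptables LOG target.
SAMPLE_LOG = """\
Nov  4 21:01:02 fw kernel: IN=eth0 OUT= SRC=200.127.113.193 DST=10.0.0.5 PROTO=TCP SPT=4312 DPT=22 SYN
Nov  4 21:01:03 fw kernel: IN=eth0 OUT= SRC=200.127.113.193 DST=10.0.0.5 PROTO=TCP SPT=4313 DPT=80 SYN
Nov  4 21:01:04 fw kernel: IN=eth0 OUT= SRC=200.127.113.193 DST=10.0.0.5 PROTO=TCP SPT=4314 DPT=443 SYN
Nov  4 21:02:10 fw kernel: IN=eth0 OUT= SRC=69.93.128.17 DST=10.0.0.9 PROTO=TCP SPT=5555 DPT=25 SYN
Nov  4 21:03:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=6000 DPT=22 SYN
Nov  4 21:03:30 fw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 PROTO=UDP SPT=53 DPT=53
Nov  4 21:04:00 fw kernel: garbage line without the expected fields
"""

# Fields the LOG target emits; SPT/DPT are absent for protocols without ports.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def compile_watch_list(entries):
    """Turn watch-list keys into ip_network objects so hosts and CIDR blocks match uniformly."""
    return [(ipaddress.ip_network(k, strict=False), note) for k, note in entries.items()]


def lookup(src, networks):
    """Return the note of the first watch-list network containing src, else None."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None  # malformed SRC field: not a match
    for net, note in networks:
        if addr in net:
            return note
    return None


def match_log(log_text, entries, min_hits=1):
    """Parse log lines and count connection attempts per watch-listed source.

    Returns {src: (hit_count, note, sorted destination ports)} for sources with
    at least min_hits matching lines. Setting min_hits above 1 keeps a single
    stray packet from producing a report entry on its own.
    """
    networks = compile_watch_list(entries)
    hits = Counter()
    ports = {}
    notes = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable lines are skipped, never treated as matches
        src = m.group("src")
        note = lookup(src, networks)
        if note is None:
            continue
        hits[src] += 1
        notes[src] = note
        if m.group("dpt"):
            ports.setdefault(src, set()).add(int(m.group("dpt")))
    return {
        src: (n, notes[src], sorted(ports.get(src, ())))
        for src, n in hits.items()
        if n >= min_hits
    }


if __name__ == "__main__":
    # Report only sources seen at least twice in the constructed sample.
    for src, (n, note, dpts) in match_log(SAMPLE_LOG, WATCH_LIST, min_hits=2).items():
        print(f"{src}: {n} hits, ports {dpts} ({note})")
```

Feeding the script a real log file instead of the constructed sample is a matter of reading the file into `match_log`; the watch-list itself can be loaded from a text file of one host or CIDR per line, which is the shape a shared suspect-IP database is most easily exported in.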

