Firewall Wizards mailing list archives

RE: potential network attacks


From: Tin Ngo <Tin.Ngo () cmc cwo net au>
Date: Sat, 15 Dec 2001 06:55:17 +1100

Try Webtrends Log Analyzer http://www.webtrends.com/ or RNR Software
http://www.rnrsoft.com/index.htm
WebTrends does have more reporting features and is also more expensive than
RNR.


-----Original Message-----
From: Daniel Handley [mailto:daniel () homepage net] 
Sent: Friday, 14 December 2001 7:47 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] potential network attacks


Thanks for the quick response from you all; I will have a go with Ethereal
today. The reason I have not been using the PIX syslog server is because
I didn't RTFM. I have now set it up using UDP and it is logging to
Ipswitch's WhatsUp Gold. This is giving me the valuable information I needed
to view incoming and outgoing traffic. As a test I have logging set for
notification, giving a huge amount of data; I will reduce this today, but does
anyone know of a utility that gives a nice report of the output? Once again,
thanks in advance.

Dan

-----Original Message-----
From: Tony Howlett [mailto:thowlett () netsecuritysvcs com]
Sent: 14 December 2001 04:37
To: daniel () homepage net
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] potential network attacks


Both Snort and Ethereal are excellent, although Snort's kinda a bear to set up
in a Windows environment.

If you want something quick and dirty, you might also try WinDump.  It will
accomplish the same as Snort without the IDS component.  The output's a
little harder to read, but if all you want to do is watch the packets fly by,
it will do the job just fine.

Good luck!

At 08:41 AM 12/13/2001 +0000, you wrote:
I wish to check if my network is coming under attack.
In the last few days we have noticed that the incoming network traffic
is unusually high. Our web servers are in a DMZ located behind a Cisco
PIX 515 6.1(1). The servers are NT4 IIS with no outstanding items in
their log files, or additional files that have been FTP'd etc. on to
them. They are all patched up to the hilt and virus scanned regularly.
Using the PDM console on the PIX reveals peaks in UDP traffic at the time
of increased network traffic. This leads me to believe that we have been
under attack from someone attempting to use the recently exposed
vulnerability in W2K via IKE.
To check my theory (and prove to the boss that I am doing my job) I
need a packet sniffer to view the traffic entering the network.
Unfortunately I have no budget (or maybe a very small one) and must use
the DOS/Windows/NT environment. I have been following the discussions
recently about Snort, Ethereal, etc. but am under pressure to have a
result yesterday and so don't have time for any evaluation.
Can you please suggest a solution?

thanks in advance

dan

In addition, does anyone know of a way to get logs (and decipher them)
from the PIX without using the NT syslog server that kills TCP
connections when disconnected (not any good for web hosting)? I intend
to use SNMP in the future but as usual haven't had the time to
implement it yet. Thanks again.



Daniel Handley
Infrastructure Manager, HomePage Ltd mailto:daniel () homepage net 
http://www.homepage.net




_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com 
http://list.nfr.com/mailman/listinfo/firewall-wizards



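As an added example (not from any of the posters, and not one of the tools mentioned in the thread), here is a small Python script of the kind that answers Dan's "nice report of the output" question: it reads a PIX-style syslog export and prints counts by protocol, the top denied sources and the top denied destination ports. The sample lines are constructed and only loosely modelled on PIX 6.x message formats (302013/302015 "Built ... connection" and 106023 "Deny ..."); the regular expressions, field names and the two message ids they cover are assumptions, so a real export will need the patterns extended for the other ids the box emits. A run of UDP denies to port 500 from a single source is exactly the sort of thing such a summary makes visible, which is what the thread's UDP-peak question is about.

```python
"""Summarise a PIX-style syslog export into a short text report.

Added example. The sample lines below are constructed and only loosely
modelled on PIX 6.x message formats; the regexes cover just the
"Built ... connection" (302013/302015) and "Deny" (106023) bodies.
"""
import re
from collections import Counter

# Constructed sample export, one syslog line per entry (not real traffic).
SAMPLE_LOG = [
    "Dec 13 08:41:02 pix %PIX-6-302015: Built inbound UDP connection 1001 for outside:203.0.113.5/3001 (203.0.113.5/3001) to dmz:192.0.2.10/53 (192.0.2.10/53)",
    'Dec 13 08:41:03 pix %PIX-4-106023: Deny udp src outside:203.0.113.5/3002 dst dmz:192.0.2.10/500 by access-group "outside_in"',
    'Dec 13 08:41:03 pix %PIX-4-106023: Deny udp src outside:203.0.113.5/3003 dst dmz:192.0.2.11/500 by access-group "outside_in"',
    "Dec 13 08:41:04 pix %PIX-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.7/51234 (198.51.100.7/51234) to dmz:192.0.2.10/80 (192.0.2.10/80)",
    'Dec 13 08:41:05 pix %PIX-4-106023: Deny udp src outside:203.0.113.5/3004 dst dmz:192.0.2.12/500 by access-group "outside_in"',
    'Dec 13 08:41:06 pix %PIX-4-106023: Deny tcp src outside:198.51.100.9/4000 dst dmz:192.0.2.10/21 by access-group "outside_in"',
    "Dec 13 08:41:07 pix %PIX-6-302015: Built inbound UDP connection 1003 for outside:203.0.113.8/3005 (203.0.113.8/3005) to dmz:192.0.2.10/53 (192.0.2.10/53)",
    "Dec 13 08:41:08 pix %PIX-5-111008: User 'enable_15' executed the 'write memory' command",
    "collector restarted; buffer flushed",  # not a PIX message: counted as skipped
]

# %PIX-<severity>-<message id>: <body>   (assumed layout of the message prefix)
MSG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+ for "
    r"\w+:(?P<src>[\d.]+)/\d+ \([\d.]+/\d+\) to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for one syslog line, or None if it carries no PIX message.

    action is "built", "deny" or "other" (a PIX message whose body we do not parse).
    """
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "msgid": m["msgid"], "action": "other"}
    for action, rx in (("built", BUILT_RE), ("deny", DENY_RE)):
        b = rx.match(m["body"])
        if b:
            rec.update(action=action, proto=b["proto"].lower(), src=b["src"],
                       dst=b["dst"], dport=int(b["dport"]))
            break
    return rec


def summarize(lines):
    """Aggregate parsed lines into counters suitable for a report."""
    s = {"parsed": 0, "skipped": 0, "by_severity": Counter(), "by_proto": Counter(),
         "deny_by_src": Counter(), "deny_by_dport": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            s["skipped"] += 1
            continue
        s["parsed"] += 1
        s["by_severity"][rec["severity"]] += 1
        if rec["action"] in ("built", "deny"):
            s["by_proto"][rec["proto"]] += 1
        if rec["action"] == "deny":
            s["deny_by_src"][rec["src"]] += 1
            s["deny_by_dport"][rec["dport"]] += 1
    return s


def render_report(summary, top=5):
    """Format the summary as plain text; returns the report string."""
    out = [f"lines parsed: {summary['parsed']}  skipped: {summary['skipped']}",
           "connections (built + denied) by protocol:"]
    out += [f"  {proto:<5} {n}" for proto, n in summary["by_proto"].most_common()]
    out.append("top denied sources:")
    out += [f"  {src:<16} {n}" for src, n in summary["deny_by_src"].most_common(top)]
    out.append("top denied destination ports:")
    out += [f"  {port:<6} {n}" for port, n in summary["deny_by_dport"].most_common(top)]
    return "\n".join(out)


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("pix.log") lines for a real export.
    print(render_report(summarize(SAMPLE_LOG)))
```

The script reads whatever the collector wrote to disk, so it works with any syslog receiver that keeps the raw message text; lines it cannot classify are counted rather than dropped silently, which is worth checking first when the report looks too quiet.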