-
Attacks!
How often does your firewall/network/IDS pick up attacks? daily? weekly? monthly?
I am trying to see how often i should be looking at my firewall logs and in how much detail? do you guys report things on a regular basis? do you consider that to be a part of your job?
What sort of attacks do you see the most? what should i look for in the more common attacks?
-
They pick up attacks minutely well, just about. As soon as the attack happens it's reported in the logs.
-
Our firewall logs "attacks" daily, usually 2 or 3 a day, sometimes more. However, you have to keep in mind that oftentimes you have false positives, so you must be wary of those. For instance, when our AV server tries to contact the CA website for virus signatures, the firewall often mistakes the incoming connection from CA as an IP spoofing attack. So you have to keep your eyes open and carefully evaluate everything reported.
-
Quote:
Originally posted here by kryptonic
They pick up attacks minutely well, just about. As soon as the attack happens it's reported in the logs.
I know it logs in real time, but how often do you see REAL attacks on your network?
-
Look for, amongst other things, a lot of "attacks" from the same IP address, or a lot of activity during the early hours when the office is closed, as most serious people who know what they are doing will choose this time to do what it is they want to do!
-
Depends on what you mean by attacks. Right now I am watching a gaming site port scan my firewall (started about 5 minutes ago). I'll let it go for the time being, as port scans I don't consider attacks. Now if the site doesn't cut it out, or starts making different attempts to connect (FTP, Telnet, SSH....etc), well then the gloves come off. ;)
Cheers:
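The three things the replies above say are worth pulling out of a firewall log (repeat hits from one source address, activity in the early hours, and a port scan as opposed to a single connection attempt) plus the false-positive suppression mentioned earlier in the thread can be scripted for a daily review. The following is an added example written for this page, not code posted by anyone in the thread. It assumes a simple key=value log format modelled on syslog-style firewall output, a constructed sample log using RFC 5737 documentation addresses, a hypothetical address for the AV vendor's update server, and thresholds (3 hits per source, 10 distinct ports in 5 minutes, 00:00 to 06:00 as off hours) chosen for illustration:

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, time, timedelta

# Constructed sample log (key=value style like iptables/ufw syslog lines,
# not copied from any real device). Addresses are from RFC 5737 ranges.
SAMPLE_LOG = """\
2024-03-12T09:15:02 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=445
2024-03-12T09:15:40 DROP src=203.0.113.8 dst=192.0.2.10 proto=tcp dport=80
2024-03-12T10:02:11 DROP src=192.0.2.200 dst=192.0.2.10 proto=tcp dport=443
2024-03-12T11:30:09 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=445
2024-03-12T14:45:33 DROP src=192.0.2.200 dst=192.0.2.10 proto=tcp dport=443
2024-03-12T16:20:18 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=445
2024-03-13T02:14:00 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=21
2024-03-13T02:14:03 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=22
2024-03-13T02:14:06 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=23
2024-03-13T02:14:09 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=25
2024-03-13T02:14:12 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=53
2024-03-13T02:14:15 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=80
2024-03-13T02:14:18 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=110
2024-03-13T02:14:21 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=135
2024-03-13T02:14:24 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=139
2024-03-13T02:14:27 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=143
2024-03-13T02:14:30 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=443
2024-03-13T02:14:33 DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=445
2024-03-13T03:05:47 DROP src=203.0.113.8 dst=192.0.2.10 proto=tcp dport=3389
"""

# Hypothetical address of the AV vendor's update server: the firewall logs its
# replies as drops, but they are expected traffic, so they are suppressed.
KNOWN_PEERS = {"192.0.2.200"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn raw log lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def is_off_hours(ts, start=time(0, 0), end=time(6, 0)):
    """True when the event falls in the window when nobody is at the office."""
    return start <= ts.time() < end


def find_port_scans(events, distinct_ports=10, window=timedelta(minutes=5)):
    """Flag sources that touched >= distinct_ports different ports within window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append((ev["ts"], ev["dport"]))
    scans = {}
    for src, hits in by_src.items():
        hits.sort()  # sliding window over (timestamp, port) pairs
        j = 0
        for i in range(len(hits)):
            while j < len(hits) and hits[j][0] - hits[i][0] <= window:
                j += 1
            ports = {p for _, p in hits[i:j]}
            if len(ports) >= distinct_ports:
                scans[src] = max(scans.get(src, 0), len(ports))
    return scans


def triage(events, known_peers=KNOWN_PEERS, repeat_threshold=3):
    """Summarise a log batch into the things worth a second look."""
    kept = [ev for ev in events if ev["src"] not in known_peers]
    by_src = Counter(ev["src"] for ev in kept)
    return {
        "suppressed": len(events) - len(kept),
        "repeat_sources": {s: n for s, n in by_src.items() if n >= repeat_threshold},
        "off_hours": Counter(ev["src"] for ev in kept if is_off_hours(ev["ts"])),
        "port_scans": find_port_scans(kept),
    }


if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value if isinstance(value, int) else dict(value)}")
```

Run against the sample, the report suppresses the two update-server hits, lists 198.51.100.7 and 203.0.113.5 as repeat sources, attributes all of 203.0.113.5's activity plus one 203.0.113.8 hit to off hours, and flags 203.0.113.5 as a port scan (12 distinct ports in 33 seconds) while 198.51.100.7, which only ever tried port 445, is not. The known-peer set is the piece that grows over time: every time a false positive like the AV update traffic is identified, its address goes there rather than being re-evaluated by hand each morning.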
-
3-4 during daylight, and they increase a lot after midnight. I have some clients in financial business (such as banks) and there is a lot of activity after midnight. I think that hackers try during those hours thinking that operators are sleeping (and usually they are).
-
Quote:
Originally posted here by cacosapo
3-4 during daylight, and they increase a lot after midnight. I have some clients in financial business (such as banks) and there is a lot of activity after midnight. I think that hackers try during those hours thinking that operators are sleeping (and usually they are).
What would be a legit explanation for that game site to be hitting your firewall? Someone on the inside trying to play games?
-
Quote:
Originally posted here by Jason1977
What would be a legit explanation for that game site to be hitting your firewall? Someone on the inside trying to play games?
Legit.....for a port scan. :p No reason I can think of. Even if someone from inside was trying to play a game (I saw no traffic indicating this), that is no reason to fire up a port scan. Needless to say, they quit, so now I am just watching the usual flock of worms trying to find a hole. :rolleyes:
Cheers:
-
Well, considering I (or at least, the organization I work for) own 22 full class C public address ranges, I get hit a lot.
It goes in cycles. Port scans are so commonplace I ignore them. Serious attempts at penetration happen anywhere from once or twice a week to 3-6 times a day.