-
Firewall log verbiage?
What should I be searching for?
I have a PIX firewall and am using Kiwi syslogger and Kiwi viewer to read my firewall logs. I am looking for the guys that are doing pen testing on my firewall. What type of verbiage should I search for?
%PIX-3-106011: Deny inbound (No xlate) tcp src outside:64.233.161.99/80 dst outside:208.243.37.132/1592
or maybe?
Deny tcp src outside:65.114.202.18/80 dst inside:208.243.37.132/2616 by access-group "inbound"
Please help?
-
-
What do you want to find.... The question is sort of vague..... If you want to watch what they do, ask them for the IP address(es) they will be carrying out the pen test from. If you want more, then you'll need to be a little more precise.
-
I'm still learning this as well, so don't take my advice as the final authority on the matter, but...
Yes, words like "inbound connection" and connections from the "outside" are what you're looking for. Keep all that on record and look for repeating connections, especially connections that seem to follow a pattern (always attempted at 1:00 a.m., etc.). That'll help you on your way to tracking down your "intruder".
By the way, use the "Bump Up" button when you're not getting any replies, as opposed to adding another post. You can use it once every five hours. I've gotten very acquainted with it. :D
//edit -- Oh, well, Tiger beat me to it. Listen to that guy. ;)
-
If it's anything like my links, you will see hundreds or thousands of DENY entries per hour.
If you don't have any reporting tools and don't have programming skill with Perl or similar to create a report, you can import Kiwi file(s) into a spreadsheet and play with the different sorting options, which may help you determine worm activity from portscans or other.
-
My boss wants me to come to him and say I see such and such activity that looks suspicious, and he will tell me if it's their IP or not. He wants me to catch them after the fact, but I don't know how I'll do that with the tens of thousands of lines to go through.
-
Again, look for patterns. "Such-and-such IP always tries to connect at x:xx a.m. in the morning." or "This address attempts connections every X hours", etc.
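An added example, not posted by anyone in this thread, of the kind of report the Perl remark above describes, written in Python: it parses the two PIX deny formats quoted in the first post out of a Kiwi text log and flags sources that sweep many destination ports or keep coming back at the same hour on several days, which is the "pattern" hunting suggested here. The "YYYY-MM-DD HH:MM:SS" timestamp prefix, the thresholds, and the sample log (with a constructed scanner at TEST-NET address 192.0.2.10) are assumptions, not taken from the thread.

```python
import re
from collections import Counter, defaultdict

# Matches the two PIX deny formats quoted in the thread (106011 "No xlate" and
# the access-group deny). The leading "YYYY-MM-DD HH:MM:SS" is an assumed Kiwi
# timestamp prefix, not part of the PIX message itself.
DENY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} .*?Deny (?:inbound .*?)?"
    r"(?:tcp|udp) src \w+:(?P<src>[\d.]+)/\d+ dst \w+:[\d.]+/(?P<dport>\d+)"
)

# Constructed sample log: the two lines from the original post plus a made-up
# source (TEST-NET 192.0.2.10) that sweeps ports and returns nightly at 01:00.
SAMPLE_LOG = """\
2004-03-01 13:10:02 %PIX-3-106011: Deny inbound (No xlate) tcp src outside:64.233.161.99/80 dst outside:208.243.37.132/1592
2004-03-01 01:00:11 %PIX-4-106023: Deny tcp src outside:192.0.2.10/40001 dst inside:208.243.37.132/21 by access-group "inbound"
2004-03-01 01:00:11 %PIX-4-106023: Deny tcp src outside:192.0.2.10/40002 dst inside:208.243.37.132/22 by access-group "inbound"
2004-03-01 01:00:13 %PIX-4-106023: Deny tcp src outside:192.0.2.10/40005 dst inside:208.243.37.132/80 by access-group "inbound"
2004-03-02 01:00:40 %PIX-4-106023: Deny tcp src outside:192.0.2.10/40006 dst inside:208.243.37.132/443 by access-group "inbound"
2004-03-03 01:00:07 %PIX-4-106023: Deny tcp src outside:192.0.2.10/40007 dst inside:208.243.37.132/3389 by access-group "inbound"
2004-03-03 09:15:00 %PIX-3-106011: Deny inbound (No xlate) tcp src outside:65.114.202.18/80 dst outside:208.243.37.132/2616
"""

def summarize(lines):
    """Per source IP: deny count, distinct destination ports, (date, hour) buckets seen."""
    stats = defaultdict(lambda: {"denies": 0, "ports": set(), "visits": set()})
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue  # not a deny format we understand; leave it for the spreadsheet
        s = stats[m["src"]]
        s["denies"] += 1
        s["ports"].add(int(m["dport"]))
        s["visits"].add((m["date"], m["hour"]))
    return stats

def suspicious(stats, min_ports=5, min_days=2):
    """Flag sources that sweep many ports, or return at the same hour on several days."""
    flagged = {}
    for src, s in stats.items():
        reasons = []
        if len(s["ports"]) >= min_ports:
            reasons.append(f"{len(s['ports'])} distinct dst ports")
        days_per_hour = Counter(hour for _date, hour in s["visits"])
        hour, days = max(days_per_hour.items(), key=lambda kv: kv[1])
        if days >= min_days:
            reasons.append(f"back at {hour}:00 on {days} different days")
        if reasons:
            flagged[src] = reasons
    return flagged
```

Run it over a real export with `suspicious(summarize(open("kiwi.log").read().splitlines()))` and hand the flagged source list to whoever knows the testers' addresses; a source that shows up both for port breadth and for a recurring hour is the one to look at first.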
-
Ahhhh.... I see..... Said the blind man......
How long do they have to do the pen test... Couple of days or a couple of weeks? What are they authorized to do? An audit or a full pen test? Are they allowed to simply identify vulnerabilities or can they exploit them?
-
Quote:
Originally posted here by Tiger Shark
Ahhhh.... I see..... Said the blind man......
How long do they have to do the pen test... Couple of days or a couple of weeks? What are they authorized to do? An audit or a full pen test? Are they allowed to simply identify vulnerabilities or can they exploit them?
They have the whole month and they are allowed to do a full pen test and attempt to exploit.
-
If you are just using firewall logs, I doubt you will easily hammer it down to specifics.
To an untrained eye, there may be just too much traffic. Add to that a MONTH'S worth of
traffic. What services do you open to the world? MAIL? WWW? FTP? If any, are they in a DMZ?
What patch level and version is your PIX?
Any IDS features turned on on the PIX? Have you used any of the monitoring in the http GUI?
I'm really not understanding the value of telling you they are going to hit you..??
Seems ripe for a trap and then game over. Why would he tell you?