-
Quote:
Originally posted here by DjM
Legit.....for a port scan. :p No reason I can think of. Even if someone from inside was trying to play a game (I saw no traffic indicating this), that is no reason to fire up a port scan. Needless to say, they quit, so now I am just watching the usual flock of worms trying to find a hole. :rolleyes:
Cheers:
How did you learn how to interpret this info? I feel so far behind for the job I am in :(
-
Quote:
Originally posted here by Jason1977
How did you learn how to interpret this info? I feel so far behind for the job I am in :(
It's fairly easy to pick out, but I am on a Checkpoint firewall, not a PIX, so I am not sure what you're looking at. If you see consecutive attempts coming from the same source IP and hitting a large range of ports (sometimes consecutively), there's a pretty good chance you're looking at a port scan. They usually only last a few minutes and then they are gone.
Cheers:
-
I see, on average, 50 security events per second. Then again, we have about 30 firewalls.
-
Wow, some big networks!
So do you guys go through the evening's logs every morning?
-
There is no way possible to sit there and look through 100s of GIGs of data. When you manage a large environment, you will need a SIM. I use NeuSecure by guarded.net. I aggregate and correlate data to weed out crap and focus on what appear to be legitimate issues.
-
Quote:
Originally posted here by thehorse13
There is no way possible to sit there and look through 100s of GIGs of data. When you manage a large environment, you will need a SIM. I use NeuSecure by guarded.net. I aggregate and correlate data to weed out crap and focus on what appear to be legitimate issues.
Any freeware versions that work well?
-
Quote:
Originally posted here by Jason1977
Wow, some big networks!
So do you guys go through the evening's logs every morning?
Well, I can't speak for thehorse13, but I have created only one report I review each morning (it's the report I mentioned in your pen test thread, using Webtrends). All attempts that I consider critical are flagged as such by various systems (IDS, firewall and Webtrends), and I am either e-mailed or paged if one of those alerts is triggered.
Cheers:
-
I had Webtrends about 2 years ago and I replaced it with my current solution. I haven't seen anything (open source) that I consider stable enough to perform the task that NeuSecure does; however, I can tell you which COTS packages to stay the F away from.
-
Quote:
Originally posted here by thehorse13
I had Webtrends about 2 years ago and I replaced it with my current solution. I haven't seen anything (open source) that I consider stable enough to perform the task that NeuSecure does; however, I can tell you which COTS packages to stay the F away from.
I can see that, managing 30 firewalls :eek: , Webtrends is likely not the solution for you, horse. With me and my single Checkpoint NG Firewall, it's doing the job we need done right now. (Next year, who knows :rolleyes: )
Cheers:
-
Geez, TH, don't tell me you have to monitor all 30 of those by yourself?!
Well, if you guys don't mind, I'd like to throw my own question into the pool since it's on-topic:
I've been getting quite a few IP Spoof attacks logged on my SOHO firewall several times a day this week. I don't have much to work with though. The destination address is 172.30.1.192, but a DNS lookup doesn't find anything on it. What's odd is that the log shows 172.30.0.50 as the source address, and it shows it as coming from within the LAN, which makes no sense because all of our LAN addresses are 192.168.*.*. Is there anything more I can do with nothing more than this info to find out what's really going on?