-
Attacks!
How often does your firewall/network/IDS pick up attacks? Daily? Weekly? Monthly?
I am trying to see how often I should be looking at my firewall logs, and in how much detail. Do you guys report things on a regular basis? Do you consider that to be a part of your job?
What sort of attacks do you see the most? What should I look for in the more common attacks?
-
They pick up attacks minutely, well, just about. As soon as the attack happens it's reported in the logs.
-
Our firewall logs "attacks" daily, usually 2 or 3 a day, sometimes more. However, you have to keep in mind that oftentimes you have false positives, so you must be wary of those. For instance, when our AV server tries to contact the CA website for virus signatures, the firewall often mistakes the incoming connection from CA as an IP spoofing attack. So you have to keep your eyes open and carefully evaluate everything reported.
-
Quote:
Originally posted here by kryptonic
They pick up attacks minutely, well, just about. As soon as the attack happens it's reported in the logs.
I know it logs in real time, but how often do you see REAL attacks on your network?
-
Look for, amongst other things, a lot of "attacks" from the same IP address, or a lot of activity during the early hours when the office is closed, as most serious people who know what they are doing will choose this time to do what it is they want to do!
-
Depends on what you mean by attacks. Right now I am watching a gaming site port scan my firewall (started about 5 minutes ago). I'll let it go for the time being, as port scans I don't consider attacks. Now if the site doesn't cut it out, or starts making different attempts to connect (FTP, Telnet, SSH....etc), well then the gloves come off. ;)
Cheers:
-
3-4 during daylight, and they increase a lot after midnight. I have some clients in the financial business (such as banks) and there is a lot of activity after midnight. I think that hackers try during those hours thinking that operators are sleeping (and usually they are).
-
Quote:
Originally posted here by cacosapo
3-4 during daylight, and they increase a lot after midnight. I have some clients in the financial business (such as banks) and there is a lot of activity after midnight. I think that hackers try during those hours thinking that operators are sleeping (and usually they are).
What would be a legit explanation for that game site hitting your firewall? Someone on the inside trying to play games?
-
Quote:
Originally posted here by Jason1977
What would be a legit explanation for that game site hitting your firewall? Someone on the inside trying to play games?
Legit.....for a port scan. :p No reason I can think of. Even if someone from inside was trying to play a game (I saw no traffic indicating this), that is no reason to fire up a port scan. Needless to say, they quit, so now I am just watching the usual flock of worms trying to find a hole. :rolleyes:
Cheers:
-
Well, considering I (or at least the organization I work for) own 22 full class C public address ranges, I get hit a lot.
It goes in cycles. Port scans are so commonplace I ignore them. Serious attempts at penetration happen anywhere from once or twice a week to 3-6 times a day.
-
Quote:
Originally posted here by DjM
Legit.....for a port scan. :p No reason I can think of. Even if someone from inside was trying to play a game (I saw no traffic indicating this), that is no reason to fire up a port scan. Needless to say, they quit, so now I am just watching the usual flock of worms trying to find a hole. :rolleyes:
Cheers:
How did you learn how to interpret this info? I feel so far behind for the job I am in :(
-
Quote:
Originally posted here by Jason1977
How did you learn how to interpret this info? I feel so far behind for the job I am in :(
It's fairly easy to pick out, but I am on a Checkpoint firewall, not a PIX, so I am not sure what you're looking at. If you see consecutive attempts coming from the same source IP and hitting a large range of ports (sometimes consecutively), there's a pretty good chance you're looking at a port scan. They usually only last a few minutes and then they are gone.
Cheers:
-
I see, on average, 50 security events per second. Then again, we have about 30 firewalls.
-
Wow, some big networks!
So do you guys go through the evening's logs every morning?
-
There is no way possible to sit there and look through 100s of GIGs of data. When you manage a large environment, you will need a SIM. I use NeuSecure by guarded.net. I aggregate and correlate data to weed out crap and focus on what appear to be legitimate issues.
-
Quote:
Originally posted here by thehorse13
There is no way possible to sit there and look through 100s of GIGs of data. When you manage a large environment, you will need a SIM. I use NeuSecure by guarded.net. I aggregate and correlate data to weed out crap and focus on what appear to be legitimate issues.
Any freeware versions that work well?
-
Quote:
Originally posted here by Jason1977
Wow, some big networks!
So do you guys go through the evening's logs every morning?
Well, I can't speak for thehorse13, but I have created only one report I review each morning (it's the report I mentioned in your pen test thread, using Webtrends). All attempts that I consider critical are flagged as such by various systems (IDS, Firewall & Webtrends), and I am either e-mailed or paged if one of those alerts is triggered.
Cheers:
-
I had webtrends about 2 years ago and I replaced it with my current solution. I haven't seen anything (open source) that I consider stable enough to perform the task that NeuSecure does, however, I can tell you which COTS packages to stay the F away from.
-
Quote:
Originally posted here by thehorse13
I had webtrends about 2 years ago and I replaced it with my current solution. I haven't seen anything (open source) that I consider stable enough to perform the task that NeuSecure does, however, I can tell you which COTS packages to stay the F away from.
I can see managing 30 firewalls :eek: , Webtrends is likely not the solution for you horse. With me and my single Checkpoint NG Firewall, it's doing the job we need done right now. (next year, who knows :rolleyes: )
Cheers:
-
Geez, TH, don't tell me you have to monitor all 30 of those by yourself?!
Well, if you guys don't mind, I'd like to throw my own question into the pool since it's on-topic:
I've been getting quite a few IP Spoof attacks logged on my SOHO firewall several times a day this week. I don't have much to work with though. The destination address is 172.30.1.192, but a DNS lookup doesn't find anything on it. What's odd is that the log shows 172.30.0.50 as the source address, and it shows it as coming from within the LAN, which makes no sense because all of our LAN addresses are 192.168.*.*. Is there anything more I can do with nothing more than this info to find out what's really going on?
-
Well....you've probably got an infected box acting as a zombie and it's spoofing the source address.
How many machines do you have in the network?
-
Let's see... my guesstimate is we have 15-20 on the LAN. Running CA eTrust AV with automatic updates and realtime scanning as well (though I did catch some trojans slipping through into our server lately... not a big fan of CA for that matter...).
-
Ahem....
A couple of people in this thread have stated that multiple connection attempts from a single IP address are a "warning"..... Sorry, I disagree..... They indicate a script kiddie who will fail if you are patched and have decent security practices in place.
The bright ones, (the ones you need to fear), know that hammering away at a target from the same IP address will get them noticed quicker than a cat at Crufts, (it's a _big_ dog show for the uninformed).
Divide your logs into types of events and look for ongoing patterns of attack not attacks from a single IP. Look for escalation of attack type. Silly example: FTP anon login followed by FTP administrator login, then FTP admin attempt, then maybe a buffer overflow. The events may not be contiguous in the log because some other moron, (or even legitimate users), may be on at the same time but the series is what is important not the IP address.
It's not easy, it takes time, and it's usually bloody boring..... But it's how you stop the serious threats.... The rest are dross if you keep up with the patches and threats and mitigate threats appropriately where no patches are available.
"Zero day" you all say...... Yep, you're screwed.... But if your IDS is good and up to date you may catch something else that happens post attack that makes you think.... "Hmmm... How did that happen?". At which point you are beginning to win the battle.....
Chasing IP addresses is a lot like peeing in your black pants..... It gives you a nice warm feeling but nobody notices..... ;)
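The two detection ideas in this thread, DjM's port scan rule (one source hitting a large range of ports within a few minutes) and the advice above to split the log by event type and look for an escalating series rather than a single IP, can both be run as simple heuristics over firewall log lines. The block below is an added example and is not code from any poster or product in this thread; the log format, the sample lines, the stage names and the thresholds are all constructed for illustration. It also covers the earlier "IP Spoof" question: an entry on the inside interface whose source address is outside the LAN range is exactly the condition a firewall reports as a spoof, so the same parser can list those for a manual look.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log (not real output from any firewall). One event per line:
# date time interface src -> dst:port event_name
SAMPLE_LOG = """\
2004-03-02 01:58:10 outside 198.51.100.7 -> 10.0.0.5:21 ftp_anon_login
2004-03-02 02:03:44 inside 192.168.1.23 -> 10.0.0.5:80 http_get
2004-03-02 02:30:05 outside 198.51.100.44 -> 10.0.0.5:21 ftp_admin_attempt
2004-03-02 02:31:00 inside 172.30.0.50 -> 172.30.1.192:137 netbios
2004-03-02 03:15:12 outside 198.51.100.91 -> 10.0.0.5:21 ftp_overflow_sig
"""
# Constructed scan: one source touching ports 21..32 in twelve consecutive seconds.
SCAN_LINES = [
    f"2004-03-02 02:10:{i:02d} outside 203.0.113.9 -> 10.0.0.5:{21 + i} tcp_syn"
    for i in range(12)
]

LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<iface>\w+) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<event>\S+)"
)


def parse(text):
    """Turn log text into time-ordered event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["dport"] = int(e["dport"])
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def port_scans(events, min_ports=10, window=timedelta(minutes=2)):
    """DjM's rule: same source, many distinct destination ports, within a short window.
    Returns {src: distinct_port_count} for every source that trips the threshold."""
    by_src = defaultdict(list)
    for e in events:  # events are already time-ordered, so each list stays ordered
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            ports = {e["dport"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(ports) >= min_ports:
                hits[src] = len(ports)
                break
    return hits


# Constructed escalation ladder, after the "silly example" in the thread.
STAGES = ["ftp_anon_login", "ftp_admin_attempt", "ftp_overflow_sig"]


def escalation_chain(events, stages=STAGES):
    """Find the stages occurring in order over time, regardless of source IP and with
    unrelated events interleaved. Returns [(ts, src, stage)] or [] if the series is incomplete."""
    chain, cursor = [], datetime.min
    for stage in stages:
        nxt = next((e for e in events if e["event"] == stage and e["ts"] > cursor), None)
        if nxt is None:
            return []
        chain.append((nxt["ts"], nxt["src"], stage))
        cursor = nxt["ts"]
    return chain


def inside_spoofs(events, lan=ip_network("192.168.0.0/16")):
    """Inside-interface events whose source is not in the LAN range: the 'IP Spoof' case."""
    return [(e["src"], e["dst"]) for e in events
            if e["iface"] == "inside" and ip_address(e["src"]) not in lan]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG + "\n".join(SCAN_LINES))
    print("port scans:", port_scans(evs))
    for ts, src, stage in escalation_chain(evs):
        print(f"{ts} {src} {stage}")
    print("inside sources outside the LAN range:", inside_spoofs(evs))
```

On the sample data the scan rule fires for 203.0.113.9 with 12 ports, the escalation chain is reported even though its three stages come from three different source addresses, and the 172.30.0.50 entry is listed for follow-up; in practice the thresholds and the stage list are what you tune to your own environment, and a hit from any of the three is a reason to look, not a verdict.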
-
Hmm... gotcha. So in my case, I don't have much going on, just repeated "IP Spoof" logs from the same address that pop in every few hours or so, and no other activity besides that, which makes me wonder if it's a false positive. But I'm not enough in the know to determine that for sure yet.
Which really, really makes me wish they'd let me have an actual IDS!