-
August 4th, 2004, 07:08 PM
#1
Senior Member
Attacks!
How often does your firewall/network/IDS pick up attacks? Daily? Weekly? Monthly?
I am trying to see how often I should be looking at my firewall logs, and in how much detail. Do you guys report things on a regular basis? Do you consider that to be a part of your job?
What sort of attacks do you see the most? What should I look for in the more common attacks?
Romans 7:14-20
14 We know that the law is spiritual; but I am unspiritual, sold as a slave to sin. 15 I do not understand what I do. For what I want to do I do not do, but what I hate I do. 16 And if I do what I do not want to do, I agree that the law is good. 17 As it is, it is no longer I myself who do it, but it is sin living in me. 18 I know that nothing good lives in me, that is, in my sinful nature. For I have the desire to do what is good, but I cannot carry it out.
-
August 4th, 2004, 07:14 PM
#2
They pick up attacks minutely, well, just about. As soon as the attack happens it's reported in the logs.
-
August 4th, 2004, 07:18 PM
#3
Our firewall logs "attacks" daily, usually 2 or 3 a day, sometimes more. However, you have to keep in mind that oftentimes you have false positives, so you must be wary of those. For instance, when our AV server tries to contact the CA website for virus signatures, the firewall often mistakes the incoming connection from CA as an IP spoofing attack. So you have to keep your eyes open and carefully evaluate everything reported.
-
August 4th, 2004, 07:22 PM
#4
Senior Member
Originally posted here by kryptonic
They pick up attacks minutely, well, just about. As soon as the attack happens it's reported in the logs.
I know it logs in real time, but how often do you see REAL attacks on your network?
-
August 4th, 2004, 07:26 PM
#5
Look for, amongst other things, a lot of "attacks" from the same IP address or a lot of activity during the early hours when the office is closed, as most serious people who know what they are doing will choose this time to do what it is they want to do!
-
August 4th, 2004, 07:28 PM
#6
Depends on what you mean by attacks. Right now I am watching a gaming site port scan my firewall (started about 5 minutes ago). I'll let it go for the time being, as port scans I don't consider attacks. Now if the site doesn't cut it out, or starts making different attempts to connect (FTP, Telnet, SSH....etc), well then the gloves come off.
Cheers:
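The checks suggested in posts #5 and #6 (many hits from one source, activity only while the office is closed, a port scan versus repeated attempts on FTP/Telnet/SSH) can be run over denied-connection logs as below. This is an added example, not code from any poster; the log format, addresses, thresholds and office hours are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a made-up log format (not any real firewall's).
SAMPLE_LOG = """\
2004-08-04 14:02:01 DENY TCP 198.51.100.20:4000 -> 192.0.2.10:25
2004-08-04 14:02:02 DENY TCP 198.51.100.20:4001 -> 192.0.2.10:80
2004-08-04 14:02:03 DENY TCP 198.51.100.20:4002 -> 192.0.2.10:443
2004-08-04 14:02:04 DENY TCP 198.51.100.20:4003 -> 192.0.2.10:1433
2004-08-05 02:13:07 DENY TCP 203.0.113.7:4312 -> 192.0.2.10:21
2004-08-05 02:13:40 DENY TCP 203.0.113.7:4313 -> 192.0.2.10:23
2004-08-05 02:14:11 DENY TCP 203.0.113.7:4314 -> 192.0.2.10:22
2004-08-05 10:30:00 DENY TCP 198.51.100.99:5555 -> 192.0.2.10:445
"""

LINE_RE = re.compile(r"^(\S+ \S+) DENY \w+ ([\d.]+):\d+ -> [\d.]+:(\d+)$")
LOGIN_PORTS = {21, 22, 23}    # FTP, SSH, Telnet: the services named in post #6
OFFICE_HOURS = range(8, 18)   # assumption: office staffed 08:00-17:59

def triage(log_text, scan_ports=4, repeat_hits=3):
    """Return {source_ip: [tags]} for sources worth a closer look."""
    stats = defaultdict(lambda: {"hits": 0, "off": 0, "login": 0, "ports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        hour = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").hour
        s, port = stats[m.group(2)], int(m.group(3))
        s["hits"] += 1
        s["ports"].add(port)
        s["off"] += hour not in OFFICE_HOURS
        s["login"] += port in LOGIN_PORTS
    report = {}
    for src, s in stats.items():
        tags = []
        if len(s["ports"]) >= scan_ports:
            tags.append("port-scan")              # many ports, one source
        if s["login"] >= repeat_hits:
            tags.append("login-service-probing")  # FTP/Telnet/SSH attempts
        if s["hits"] >= repeat_hits and s["off"] == s["hits"]:
            tags.append("off-hours-only")         # all activity outside office hours
        if tags:
            report[src] = tags
    return report

if __name__ == "__main__":
    for src, tags in triage(SAMPLE_LOG).items():
        print(src, ", ".join(tags))
```

A single stray hit (the last sample line) produces no tag, which keeps one-off noise out of the report.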
-
August 4th, 2004, 08:02 PM
#7
3-4 during daylight, and increase a lot after midnight. I have some clients on financial business (such as banks) and there is a lot of activity after midnight. I think that hackers try during those hours thinking that operators are sleeping (and usually they are)
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
August 4th, 2004, 08:21 PM
#8
Senior Member
Originally posted here by cacosapo
3-4 during daylight, and increase a lot after midnight. I have some clients on financial business (such as banks) and there is a lot of activity after midnight. I think that hackers try during those hours thinking that operators are sleeping (and usually they are)
What would be a legit explanation for that game site to be hitting your firewall? Someone on the inside trying to play games?
-
August 4th, 2004, 08:36 PM
#9
Originally posted here by Jason1977
What would be a legit explanation for that game site to be hitting your firewall? Someone on the inside trying to play games?
Legit.....for a port scan. No reason I can think of. Even if someone from inside was trying to play a game (I saw no traffic indicating this), that is no reason to fire up a port scan. Needless to say, they quit, so now I am just watching the usual flock of worms trying to find a hole.
Cheers:
-
August 4th, 2004, 08:43 PM
#10
Well, considering I (at least, the organization I work for) own 22 full class C public address ranges, I get hit a lot.
It goes in cycles. Port scans are so commonplace I ignore them. Serious attempts at penetrations happen anywhere between once and twice a week to 3-6 times a day.