IDS mailing list archives

Re: BARE BYTE UNICODE ENCODING


From: Adam Baldwin <baldwnad () yahoo com>
Date: Tue, 1 Jun 2004 18:34:44 -0700 (PDT)

Comments inline..
--- Annie Green <annie_r_green () hotmail com> wrote:
> How should I analyse further to find out the type of
> attack that my company got?
You have to look at it in the context of your network
and your environment. If you just pick up that one
packet and say hi little packet, what are you doing,
it most likely isn't going to reveal the larger
picture (although that is not always the case) and in
some cases all that is needed for an attack is a
single packet.
 
Look at what sensor picked up the traffic and alerted
on it. The location in the network where this packet
was alerted on, the destination of the traffic, what
type of servers/services you run, are all good
questions you can ask yourself. The main suggestion I
would give would be to decide if that attack/alert
poses a risk to your company’s security. After you
understand the implications of that alert/attack/rogue
packet :-) in your environment, you can make that
decision. If it is your company’s policy to analyze
all alerts, I hope they have deep pockets and lots of
time.  

> Or if this is not an attack, how to find out which
> character in the packet actually triggers the alert?
Depending on the IDS that your company has deployed
compare the packet to the signature that particular
IDS software provides. Did you deploy any new software
lately that might be doing a funky dance over the
network? Did you recently put up an unprotected IIS
web server? Good questions to think about.

Adam Baldwin
baldwnad () yahoo com
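One concrete way to do the "compare the packet to the signature" step for this particular alert name, added here as an illustration and not part of Adam's reply or of any IDS vendor's code: the script below assumes (an assumption, not something the thread states) that the alert behaves like a typical HTTP-inspection "bare byte" check, which fires when a byte >= 0x80 appears in the request URI without %-encoding. It pulls the URI out of a raw request and reports the offset and value of every such byte, alongside the properly escaped high bytes that would not trigger it, so the analyst can see exactly which character caused the alert. The sample request is constructed for the example.

```python
"""Locate the URI bytes a "bare byte" HTTP-inspection check would flag.

Added example, not code from the original post.  Assumption: the alert
fires on any unescaped byte >= 0x80 in the request-target; %XX escapes
are considered normal.  The sample request below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a GET whose path contains a raw UTF-8 "e-acute"
# (bytes C3 A9) while the query string carries the same character
# correctly %-escaped.
SAMPLE_REQUEST = (
    b"GET /docs/caf\xc3\xa9.html?q=%C3%A9 HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)

PCT_ESCAPE = re.compile(rb"%[0-9A-Fa-f]{2}")


def request_uri(raw: bytes) -> bytes:
    """Return the request-target from the first line of a raw HTTP request."""
    first_line = raw.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("not an HTTP request line")
    return parts[1]


def bare_bytes(uri: bytes) -> List[Tuple[int, int]]:
    """(offset, value) of every byte >= 0x80 appearing unescaped in the URI."""
    return [(i, b) for i, b in enumerate(uri) if b >= 0x80]


def escaped_high_bytes(uri: bytes) -> List[Tuple[int, int]]:
    """(offset, value) of %-escaped bytes >= 0x80; these are the normal form."""
    found = []
    for m in PCT_ESCAPE.finditer(uri):
        value = int(m.group(0)[1:], 16)
        if value >= 0x80:
            found.append((m.start(), value))
    return found


def triage(raw: bytes) -> Dict[str, object]:
    """Summarise why (or whether) a request would trip the bare-byte check."""
    uri = request_uri(raw)
    bare = bare_bytes(uri)
    return {
        "uri": uri,
        "bare": bare,                      # these bytes cause the alert
        "escaped": escaped_high_bytes(uri),  # these do not
        "would_alert": bool(bare),
    }


def describe(raw: bytes) -> str:
    """Human-readable report, one line per offending byte."""
    result = triage(raw)
    lines = [f"URI: {result['uri']!r}"]
    for offset, value in result["bare"]:
        lines.append(f"  bare byte 0x{value:02X} at URI offset {offset}")
    if not result["bare"]:
        lines.append("  no bare high bytes; this request would not alert")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(SAMPLE_REQUEST))
```

Run it against the URI of the packet the sensor captured (the bytes of the request line are enough) and the report points at the exact offsets; if it lists nothing, the alert was not caused by a bare high byte and the signature text for that IDS needs to be checked for other conditions.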

