Security Incidents mailing list archives
Re: Vulnerability Scan 200.127.113.193, 69.93.128.17
From: Kirby Angell <kangell () alertra com>
Date: Thu, 04 Nov 2004 21:30:43 -0600
Thanks for all the replies and the good information and suggestions. I'm replying to everyone with one message, because every msg I submit to this list generates about 50 out-of-office replies :-).

It is likely that the IP located at The Planet is a compromised box itself. The IP in Argentina (not Brazil :-) is probably compromised, but I'm not entirely convinced based on some recon I did on it. Either way, a compromised box is just as dangerous, so we've banned both the IPs from all of our networks.

MyNetWatchman sounds a lot like dShield (www.dshield.org). We'll look into it, but I have concerns about sending my firewall logs in. We were just about ready to do that with dShield when one day on a lark I typed one of our corporate IPs into the "Are you cracked?" box. It came up with this big red banner saying the IP was an attacker in its database. Looking at the lone entry they had for it, it was obvious that Snort had flagged a TLS-encrypted SMTP session as a NOOP sled. There was only the one record, and they had the IP labeled as an attacker. The funny thing was that their description of what to do never mentions the fact that it might be a false positive. They also do not, at least on that page, mention any way to get false positives removed. Anyway, I can't have one of my customers being listed as an attacker in some system like dShield just because an automated system thinks a single packet might be naughty. That's my dShield rant. It sounds like MyNetWatchman is a little more discerning than dShield though.

I will look into Snort and how I can use it to build my "watch-list". So far I'm leaning towards using the firewall connection log I already get to match against a database of suspect IPs. I could probably build that sort of thing with a light bit of scripting.

TJ, Snort-inline can update firewall rules in realtime. The Honeynet project uses it on their gateways. Not sure I'd feel comfortable with an automated system banning IPs. On the other hand, the scan I mentioned would not have gotten very far at all if we did use something like that.

--
Thank you,
Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0 fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0
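The watch-list approach described in the post (match an existing firewall connection log against a list of suspect IPs, and avoid flagging a source on a single packet) as an added example script; this is not code from the post or from any of the tools it mentions. The log format, the watch-list entries and the addresses are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed firewall connection-log lines in an assumed netfilter-style
# key=value format. Addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
Nov 04 21:10:01 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP DPT=25
Nov 04 21:10:02 fw1 kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP DPT=445
Nov 04 21:10:05 fw1 kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.11 PROTO=TCP DPT=139
Nov 04 21:10:09 fw1 kernel: ACCEPT IN=eth0 SRC=192.0.2.78 DST=198.51.100.10 PROTO=TCP DPT=80
Nov 04 21:11:00 fw1 kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.12 PROTO=TCP DPT=1433
"""

# Constructed watch-list: single hosts and CIDR ranges, each with a label
# saying where the entry came from (so a hit can be traced back and reviewed).
WATCH_LIST = {
    "192.0.2.0/24": "example-range (constructed)",
    "203.0.113.45": "example-host (constructed)",
}

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)")

def load_watch_list(entries):
    """Parse watch-list keys into ip_network objects so CIDR ranges match too."""
    return [(ipaddress.ip_network(k, strict=False), v) for k, v in entries.items()]

def match_source(src, networks):
    """Return the watch-list label for src, or None if it is not listed."""
    addr = ipaddress.ip_address(src)
    for net, label in networks:
        if addr in net:
            return label
    return None

def scan_log(text, networks, threshold=2):
    """Count connections per watch-listed source. Only sources seen at least
    `threshold` times are reported, so one stray packet does not raise an alert."""
    counts, labels, targets = Counter(), {}, {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not connection records
        label = match_source(m["src"], networks)
        if label is None:
            continue
        counts[m["src"]] += 1
        labels[m["src"]] = label
        targets.setdefault(m["src"], []).append((m["dst"], m["proto"], int(m["dpt"])))
    return {src: {"label": labels[src], "count": n, "targets": targets[src]}
            for src, n in counts.items() if n >= threshold}
```

Running `scan_log(SAMPLE_LOG, load_watch_list(WATCH_LIST))` reports only 192.0.2.77 (three connections); the two single-hit sources stay below the threshold and are left for manual review rather than auto-listed.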