Re: Intrusion detection

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 3 Sep 2001 19:22:43 -0700

Inline...

Jim Harrison
MCP(2K), A+, Network+, PCG

  ----- Original Message ----- 
  From: Kirk Poser 
  To: [ISAserver.org Discussion List] 
  Sent: Monday, September 03, 2001 7:13 PM
  Subject: [isalist] Intrusion detection


  Evening Group,
  My questions are: I am getting 4 to 6 alerts each day of someone doing some 
all-port scans on my system.

  My thoughts, on which I need everyone's expert opinion, are:

  1. Is there something I should be looking for to confirm ISA is doing its 
job? I do see packets being dropped, so I am assuming it is. I know this is 
probably a silly question, but how do I know? What else do I look for? (Tom's 
book is great by the way, but it doesn't address what to do in an attack 
situation.)

  - ISA's log entries are the only indicator you have.  If ISA tells you that 
it dropped a packet, then it did.

  2. Are there any programs out there that will let me trace where these 
attacks are coming from? The IP addresses are 192.xxx.xxx.xxx (internals) Can I 
trace it back and send them a warning message? (Reverse hack?)

  - If the source IP addresses are really 192.168.x.x, 172.16.x.x - 172.31.x.x, 
or 10.x.x.x, then there's no way for you to "reverse-anything" them.  These 
addresses are truly bogus and your ISP router should be dumping them.

  3. If someone is doing a port scan, when ISA alerts me, what is the next 
usual recommended course of action? Are these scans harmless if ISA drops their 
packets?

  - If the source IP addresses are routable (not as listed above), then you can 
find out who owns the IP block and get them to help you track down the culprit. 
 I've used that method very often and the netblock owners are usually more than 
happy to help you.  Use http://www.arin.net/whois/index.html to help you sort 
this out.
  - Generally, if ISA dumps the packet, it's a non-issue as far as damage 
control is concerned.

  Thanks for your assistance!

  Kapt Kirk
  MCP, MSS, CIWSS, A+
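A small triage script for the two points made in the replies above (sources in the private ranges cannot be traced, routable sources are the ones to take to the netblock owner via whois). This is an added example, not code from either poster; the alert line format and the sample addresses are constructed, and the two "routable" sample sources use documentation addresses as stand-ins for public ones.

```python
"""Sort port-scan alert sources into 'private' (bogus on the public side,
nothing to trace) and 'routable' (candidates for a whois lookup of the
owning netblock). Added example; not ISA code."""
import ipaddress
from collections import Counter

# The three private ranges named in the reply (RFC 1918).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample alert lines in a hypothetical "<date> <time> <source-ip> <alert>"
# layout (not real ISA log output). 203.0.113.x / 198.51.100.x are documentation
# addresses standing in for public scanner sources.
SAMPLE_ALERTS = """\
2001-09-03 19:01:12 192.168.4.17 All-ports-scan
2001-09-03 19:02:40 203.0.113.45 All-ports-scan
2001-09-03 19:05:03 10.3.2.1 All-ports-scan
2001-09-03 19:09:55 203.0.113.45 All-ports-scan
2001-09-03 19:11:20 172.20.8.9 All-ports-scan
2001-09-03 19:15:00 198.51.100.7 All-ports-scan
"""

def classify(ip_text):
    """'private' if the address falls in an RFC 1918 range, else 'routable'."""
    ip = ipaddress.ip_address(ip_text)
    return "private" if any(ip in net for net in PRIVATE_RANGES) else "routable"

def triage(alert_text):
    """Count alerts per source address, split into the two classes."""
    buckets = {"private": Counter(), "routable": Counter()}
    for line in alert_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines rather than crash on them
        src = parts[2]
        buckets[classify(src)][src] += 1
    return buckets

def whois_candidates(alert_text):
    """Routable sources, busiest first: the list worth looking up at ARIN."""
    routable = triage(alert_text)["routable"]
    return sorted(routable.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for kind, sources in triage(SAMPLE_ALERTS).items():
        print(kind, dict(sources))
    print("look up:", whois_candidates(SAMPLE_ALERTS))
```

Private-range hits still belong in the log, but, as the reply says, the useful action for them is at the upstream router, not a trace.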


