From: Albert Lu (albert_lu@optushome.com.au)
Date: Thu Oct 24 2002 - 11:31:34 GMT-3
Hi Sam,
When the third party mentioned that someone from your network is "hacking"
their server, what sort of attack did they detect and how did they find out?
Most probably they got an alert from their IDS, firewall or possibly their
server log that indicated an attack; however, this might be a false positive
on their part. So what have they done to ensure that it was a legit attack
from your network?
Syslog would generate quite a lot of information, but how would you know that
the data it generates would be relevant to what you are after? If it's an
HTTP attack, then you might be looking for odd URL requests trying for root
access.
Just some thoughts, let me know how you go.
Regards,
Albert
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Sam Munzani
Sent: Thursday, October 24, 2002 5:43 AM
To: ccielab@groupstudy.com
Cc: cciesecurity@yahoogroups.com
Subject: PIX Question
Group,
I have a PIX set up with PAT, hiding 15000+ stations behind a few IPs. We are
getting complaints from some web sites that somebody from our network tried to
hack their server. Since it's PAT, all they can give us is the date/time when
our IP tried to hack their server.
Syslogging informational messages to a syslog server could give me enough data
to trace this hacker in my internal network. However, for 25000+ connections
it's a big overhead on the PIX and the syslog server.
Does anybody have a better idea to trace it? Any ideas would be greatly
appreciated.
Thanks,
Sam
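The correlation Sam is after (the complainant's date/time plus our public IP, matched against the PIX translation log to name the inside station) worked through as an added example; this is not code from either message in the thread. It assumes the PIX logs its informational connection messages in the 302013 (Built) / 302014 (Teardown) format of PIX 6.3, and that the syslog server prefixes each line with its own "Mon dd hh:mm:ss host" stamp. The log lines, addresses, hostname and connection numbers are constructed for the example; the `trace` function and its parameters are hypothetical names chosen here.

```python
"""Trace a PAT'd connection back to the inside host from PIX syslog.

Added example, not from the thread. Assumes PIX 6.3-style informational
connection messages (302013 Built / 302014 Teardown) stored by a syslog
server that prefixes its own "Mon dd hh:mm:ss host" stamp. Every log line,
address and hostname below is constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample log. A Built message names both ends as
# interface:real_ip/real_port (mapped_ip/mapped_port); the mapped pair on the
# inside end is the PAT address/port the remote web server actually saw.
SAMPLE_SYSLOG = """\
Oct 24 05:40:02 pix-fw %PIX-6-302013: Built outbound TCP connection 48011 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.20.3.44/1201 (198.51.100.5/1025)
Oct 24 05:40:05 pix-fw %PIX-6-302013: Built outbound TCP connection 48012 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.20.9.17/3350 (198.51.100.5/1026)
Oct 24 05:40:09 pix-fw %PIX-6-302014: Teardown TCP connection 48012 for outside:203.0.113.10/80 to inside:10.20.9.17/3350 duration 0:00:04 bytes 1840 TCP FINs
Oct 24 05:41:30 pix-fw %PIX-6-302013: Built outbound TCP connection 48020 for outside:198.18.0.9/443 (198.18.0.9/443) to inside:10.20.3.44/1210 (198.51.100.5/1027)
Oct 24 05:43:00 pix-fw %PIX-6-302014: Teardown TCP connection 48011 for outside:203.0.113.10/80 to inside:10.20.3.44/1201 duration 0:02:58 bytes 91233 TCP FINs
Oct 24 05:43:10 pix-fw %PIX-6-302013: Built outbound TCP connection 48031 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.20.7.2/1033 (198.51.100.6/1025)
"""

_TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
_EP = r"(?P<if{n}>[\w-]+):(?P<r{n}>[\d.]+)/(?P<rp{n}>\d+) \((?P<m{n}>[\d.]+)/(?P<mp{n}>\d+)\)"
BUILT_RE = re.compile(_TS + r"%PIX-6-302013: Built \w+ TCP connection (?P<id>\d+) for "
                      + _EP.format(n=1) + " to " + _EP.format(n=2))
TEARDOWN_RE = re.compile(_TS + r"%PIX-6-302014: Teardown TCP connection (?P<id>\d+) ")


@dataclass
class Endpoint:
    iface: str
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int


@dataclass
class Conn:
    conn_id: str
    start: datetime
    end: Optional[datetime]      # None: no Teardown seen, still open when the log ends
    endpoints: List[Endpoint]


@dataclass
class Hit:
    inside_ip: str
    inside_port: int
    public_port: int             # the PAT source port the remote site saw
    start: datetime
    end: Optional[datetime]


def _stamp(ts: str, year: int) -> datetime:
    # syslog stamps carry no year; the caller supplies it
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_pix_log(text: str, year: int) -> List[Conn]:
    """Pair Built/Teardown messages by connection number into Conn records."""
    conns = {}
    for line in text.splitlines():
        m = BUILT_RE.match(line)
        if m:
            eps = [Endpoint(m[f"if{n}"], m[f"r{n}"], int(m[f"rp{n}"]),
                            m[f"m{n}"], int(m[f"mp{n}"])) for n in (1, 2)]
            # Connection numbers are reused over time; keying on them is only
            # safe for a log window short enough that the counter has not wrapped.
            conns[m["id"]] = Conn(m["id"], _stamp(m["ts"], year), None, eps)
            continue
        m = TEARDOWN_RE.match(line)
        if m and m["id"] in conns:
            conns[m["id"]].end = _stamp(m["ts"], year)
    return list(conns.values())


def trace(conns, public_ip, remote_ip, reported_at, public_port=None, skew_seconds=120):
    """Inside hosts that held a PAT slot on public_ip towards remote_ip when the
    remote site says it was hit. reported_at is a datetime or ISO string; skew
    widens the window to absorb clock differences between their clock and ours."""
    if isinstance(reported_at, str):
        reported_at = datetime.fromisoformat(reported_at)
    skew = timedelta(seconds=skew_seconds)
    hits = []
    for c in conns:
        ours = next((e for e in c.endpoints if e.mapped_ip == public_ip), None)
        theirs = next((e for e in c.endpoints if e.real_ip == remote_ip), None)
        if ours is None or theirs is None or ours is theirs:
            continue
        if public_port is not None and ours.mapped_port != public_port:
            continue
        if c.start - skew > reported_at:
            continue                     # built after the reported time
        if c.end is not None and c.end + skew < reported_at:
            continue                     # torn down before the reported time
        hits.append(Hit(ours.real_ip, ours.real_port, ours.mapped_port, c.start, c.end))
    return sorted(hits, key=lambda h: h.start)


if __name__ == "__main__":
    conns = parse_pix_log(SAMPLE_SYSLOG, 2002)
    for h in trace(conns, "198.51.100.5", "203.0.113.10", "2002-10-24 05:42:30"):
        print(f"{h.inside_ip}:{h.inside_port} via PAT port {h.public_port} "
              f"{h.start} .. {h.end or 'open'}")
```

Two things the example makes visible. The wider the skew you allow for the complainant's clock, the more inside hosts fall inside the window, so get them to state how their timestamps were taken; if they can also give the source port they saw, `public_port` usually narrows the list to a single station. And only the Built/Teardown connection messages are needed for this correlation, so the rest of the informational class does not have to reach the collector.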
This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:55 GMT-3