RE: PIX Question

From: Scott Morris (swm@emanon.com)
Date: Thu Oct 24 2002 - 13:50:35 GMT-3


Monitor the port going IN to the PIX (or span depending on switch).
Then set up a sniffer and search by destination address.

Simple, effective, and no additional overhead for your PIX or routers.

Scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Sam Munzani
Sent: Wednesday, October 23, 2002 3:43 PM
To: ccielab@groupstudy.com
Cc: cciesecurity@yahoogroups.com
Subject: PIX Question

Group,

I have a PIX set up with PAT, hiding 15000+ stations behind a few IPs. We
are getting complaints from some web sites that somebody from our network
tried to hack their server. Since it's PAT, all they can give us was
Date/Time when our IP tried to hack their server.

Syslogging Informational messages to a syslog server could give me enough
data to trace this hacker in my internal network. However, for 25000+
connections it's a big overhead on PIX and syslog server.

Does anybody have a better idea to trace it? Any ideas would be greatly
appreciated.

Thanks,
Sam
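
Added example, not part of the original thread: one way to do the "search by destination address" step offline, matching the complainant's server IP and reported time against a capture taken on the mirrored inside port, where sources are still the pre-PAT internal addresses. The capture lines are constructed samples in `tcpdump -tttt -nn` text format; the addresses, the function name and the 120-second clock-drift allowance are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: text output of `tcpdump -tttt -nn` taken on the mirrored
# inside port, so source addresses are the internal (pre-PAT) ones.
CAPTURE = """\
2002-10-23 14:04:58.101000 IP 10.20.1.15.3311 > 198.51.100.7.80: Flags [S], seq 1, win 8192, length 0
2002-10-23 14:05:01.220000 IP 10.20.7.44.4120 > 203.0.113.10.80: Flags [S], seq 1, win 8192, length 0
2002-10-23 14:05:01.950000 IP 10.20.7.44.4121 > 203.0.113.10.80: Flags [S], seq 1, win 8192, length 0
2002-10-23 14:05:02.400000 IP 10.20.3.9.2950 > 203.0.113.10.443: Flags [S], seq 1, win 8192, length 0
2002-10-23 14:05:03.000000 IP 203.0.113.10.80 > 10.20.7.44.4120: Flags [S.], seq 1, ack 2, win 8192, length 0
2002-10-23 15:30:00.000000 IP 10.20.9.2.1055 > 203.0.113.10.80: Flags [S], seq 1, win 8192, length 0
not a packet line
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def internal_sources(capture_text, dest_ip, reported_at, slack_seconds=120):
    """Count packets per (internal source, dest port) sent to dest_ip near reported_at.

    slack_seconds (assumed value) absorbs clock drift between the
    complainant's server and the sniffer.
    """
    center = datetime.strptime(reported_at, "%Y-%m-%d %H:%M:%S")
    slack = timedelta(seconds=slack_seconds)
    hits = Counter()
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m or m["dst"] != dest_ip:
            continue  # unparsable line, return traffic, or another destination
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if abs(ts - center) <= slack:
            hits[(m["src"], int(m["dport"]))] += 1
    return hits.most_common()  # busiest internal source first

if __name__ == "__main__":
    for (src, dport), n in internal_sources(CAPTURE, "203.0.113.10", "2002-10-23 14:05:00"):
        print(f"{src} -> 203.0.113.10:{dport}  packets={n}")
```
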



This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:56 GMT-3