RE: [cciesecurity] Re: PIX Question

From: Gilles Piche (gilles.piche@conoscenti.ca)
Date: Thu Oct 24 2002 - 16:32:22 GMT-3


Are you dealing with a past or ongoing attack?

If you think the attacker might still attempt to hack this particular site,
then a simple capture on the pix firewall will do the trick.

However if you think that this might be an ongoing issue to different
destinations, a simple shadow sensor might provide you the forensic
information you need.

If you have money, a CSIDS sensor would be even better.

On the other hand, if you need to analyse the existing logs then you could
try and run them through a simple filter (i.e. grep) to see the connection
xlation tables being built.

Cheers,
Gilles

  -----Original Message-----
  From: Sam Munzani [mailto:sam@munzani.com]
  Sent: Thursday, October 24, 2002 1:26 PM
  To: Albert Lu; 'Brian Dennis'; ccielab@groupstudy.com
  Cc: cciesecurity@yahoogroups.com
  Subject: [cciesecurity] Re: PIX Question

  It would catch all only if process switching is turned on. Otherwise it
will log only the first packet.

  Sam
> Brian,
>
> Correct me if I'm wrong, but from my experience access-list logging doesn't
> always catch all matches. Do you remember what restrictions it has?
>
> Regards,
>
> Albert
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Brian Dennis
> Sent: Friday, October 25, 2002 1:17 AM
> To: 'Sam Munzani'; ccielab@groupstudy.com
> Cc: cciesecurity@yahoogroups.com
> Subject: RE: PIX Question
>
>
> If you have a router behind the PIX you can put an access-list in that
> will log when someone goes to that particular website.
>
> access-list 100 permit tcp any host 198.133.219.25 eq 80 log
> access-list 100 permit ip any any
>
> int fa0/0
> description Interface to PIX
> ip access-group 100 out
>
> Another option would be to just not allow anyone to get to that
> website and see who complains. Let them come to you ;-)
>
> Brian Dennis, CCIE #2210 (R&S/ISP Dial)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Sam Munzani
> Sent: Wednesday, October 23, 2002 12:43 PM
> To: ccielab@groupstudy.com
> Cc: cciesecurity@yahoogroups.com
> Subject: PIX Question
>
> Group,
>
> I have PIX setup with PAT. Hiding 15000+ stations behind a few IPs. We are
> getting complaints from some web sites that somebody from our network tried to
> hack their server. Since it's PAT, all they can give us was Date/Time when our
> IP tried to hack their server.
>
> Syslogging Informational messages to a syslog server could give me enough data
> to trace this hacker in my internal network. However for 25000+ connections
> it's a big overhead on PIX and syslog server.
>
> Does anybody have a better idea to trace it? Any ideas would be greatly
> appreciated.
>
> Thanks,
> Sam
>
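The "run the logs through a simple filter" approach from the thread, as an added example that is not from any of the posters: it parses PIX "Built outbound TCP connection" syslog lines and maps the date/time and destination the complaining site reported back to the inside host behind PAT. The log lines are constructed, and the message shape assumed is the PIX 6.x %PIX-6-302013 format; the function names are my own.

```python
"""Trace a PAT'd outbound connection back to the inside host using PIX syslog.
Sample lines are constructed; the message layout follows PIX 6.x 302013
('Built outbound TCP connection') as an assumption."""
import re
from datetime import datetime, timedelta

# Constructed sample syslog excerpt (not a real capture).
SAMPLE_LOG = """\
Oct 23 2002 12:40:55: %PIX-6-302013: Built outbound TCP connection 88101 for outside:198.133.219.25/80 (198.133.219.25/80) to inside:10.8.4.17/1471 (203.0.113.5/2049)
Oct 23 2002 12:41:02: %PIX-6-302013: Built outbound TCP connection 88107 for outside:192.0.2.44/80 (192.0.2.44/80) to inside:10.8.9.3/1602 (203.0.113.5/2050)
Oct 23 2002 12:41:09: %PIX-6-302013: Built outbound TCP connection 88112 for outside:198.133.219.25/80 (198.133.219.25/80) to inside:10.8.9.3/1603 (203.0.113.5/2051)
Oct 23 2002 12:55:30: %PIX-6-302013: Built outbound TCP connection 88340 for outside:198.133.219.25/80 (198.133.219.25/80) to inside:10.8.4.17/1499 (203.0.113.6/2077)
"""

# Captures timestamp, remote (dst) host/port, inside (real) host/port and the
# PAT (mapped) address/port the remote site actually saw.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-6-302013: "
    r"Built outbound TCP connection \d+ for "
    r"\w+:(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\) to "
    r"\w+:(?P<src>[\d.]+)/(?P<sport>\d+) \((?P<nat>[\d.]+)/(?P<nport>\d+)\)"
)

def parse_builds(log_text):
    """Yield (ts, inside_ip, inside_port, nat_ip, nat_port, dst_ip, dst_port)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # teardown messages and unrelated lines are skipped
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        yield (ts, m["src"], int(m["sport"]), m["nat"], int(m["nport"]),
               m["dst"], int(m["dport"]))

def trace_inside_hosts(log_text, our_nat_ip, their_ip, reported_at,
                       slack_seconds=60, our_nat_port=None):
    """Return [(ts, inside_ip, inside_port, nat_port)] for connections built from
    our_nat_ip to their_ip within +/- slack_seconds of the reported time. If the
    remote site also logged our source port, pass it to narrow to one host."""
    lo = reported_at - timedelta(seconds=slack_seconds)
    hi = reported_at + timedelta(seconds=slack_seconds)
    hits = []
    for ts, src, sport, nat, nport, dst, _dport in parse_builds(log_text):
        if nat != our_nat_ip or dst != their_ip or not (lo <= ts <= hi):
            continue
        if our_nat_port is not None and nport != our_nat_port:
            continue
        hits.append((ts, src, sport, nport))
    return sorted(hits)
```

Without the source port the remote site saw, a one-minute window can still yield several candidate hosts, so ask the complaining site for the full 5-tuple where possible.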




This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:56 GMT-3