From: Farhan Ahmed (farhan@mdsuae.co.ae)
Date: Tue Nov 26 2002 - 02:02:15 GMT-3
On your DNS server set up a sniffer (Sniffer Pro).
Create a zone for that website domain and capture the DNS traffic.
It will tell you source and destination...
Not tested but may work....
fa
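As an added example that is not from any of the posters: the PIX syslog route Sam settles on, worked through as a log-correlation script. Given the date/time the complaining site reports, these constructed PIX 6.x 302001 "Built outbound TCP connection" lines are matched back from the PAT global address to the inside host; the exact line layout (faddr/gaddr/laddr order, timestamp prefix) and the five-minute window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample of PIX 6.x syslog output (message ID 302001). The field
# layout is assumed: faddr = foreign (destination) address, gaddr = global
# (PAT) address the remote site sees, laddr = local (inside) address.
SAMPLE_LOG = """\
Oct 23 2002 12:01:05 pix %PIX-6-302001: Built outbound TCP connection 41 for faddr 198.133.219.25/80 gaddr 192.0.2.1/1029 laddr 10.1.7.44/3331
Oct 23 2002 12:01:09 pix %PIX-6-302001: Built outbound TCP connection 42 for faddr 203.0.113.9/80 gaddr 192.0.2.1/1030 laddr 10.1.7.45/3332
Oct 23 2002 12:02:40 pix %PIX-6-302001: Built outbound TCP connection 43 for faddr 198.133.219.25/80 gaddr 192.0.2.1/1031 laddr 10.1.7.44/3340
Oct 23 2002 13:15:00 pix %PIX-6-302001: Built outbound TCP connection 44 for faddr 198.133.219.25/80 gaddr 192.0.2.1/1032 laddr 10.1.9.2/1100
"""

TS_FMT = "%b %d %Y %H:%M:%S"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %PIX-6-302001: "
    r"Built outbound TCP connection \d+ for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)$"
)

def parse_connections(log_text):
    """Yield one dict per parsed 302001 line; any other line is skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            yield rec

def find_inside_hosts(log_text, remote_ip, reported_at, window_seconds=300):
    """Return the inside hosts that built a connection to remote_ip within
    +/- window_seconds of the time the remote site reported (same format as
    the log timestamps). Result: sorted (timestamp, inside_ip, global_ip:port)."""
    reported = datetime.strptime(reported_at, TS_FMT)
    hits = []
    for rec in parse_connections(log_text):
        delta = abs((rec["ts"] - reported).total_seconds())
        if rec["faddr"] == remote_ip and delta <= window_seconds:
            hits.append((rec["ts"].strftime("%Y-%m-%d %H:%M:%S"),
                         rec["laddr"], f'{rec["gaddr"]}:{rec["gport"]}'))
    return sorted(hits)

if __name__ == "__main__":
    # The complaining site reported activity from 192.0.2.1 at 12:02 on Oct 23.
    for hit in find_inside_hosts(SAMPLE_LOG, "198.133.219.25", "Oct 23 2002 12:02:00"):
        print(hit)
```

The same correlation works for the "Deny" messages or the router's access-list log output by swapping the regex; the point is that the inside address, not the PAT address, is what gets matched against the reported time.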
-----Original Message-----
From: George Matovu [mailto:gmatovu@resourcenetworks.com]
Sent: Friday, October 25, 2002 9:46 PM
To: 'Sam Munzani'; LoizosCisco; Brian Dennis; ccielab@groupstudy.com
Cc: cciesecurity@yahoogroups.com
Subject: [cciesecurity] RE: PIX Question
I believe your best bet may be to use a sniffer on the private side of
your network. You need to monitor the inside interface of the PIX
firewall by using the SPAN feature on the switch. You may configure a
capture filter on the sniffer by host or network ip address to limit the
captured traffic to only that associated with the site of interest.
Capturing on the inside network as opposed to the outside ensures that
you will identify the hostname or the local IP address
of the offender. With an IP address you have the option of referring to
the DHCP server, if need be, to find out who had the lease...
Thanks,
George
-----Original Message-----
From: Sam Munzani [mailto:sam@munzani.com]
Sent: Friday, October 25, 2002 10:45 AM
To: LoizosCisco; Brian Dennis; ccielab@groupstudy.com
Cc: cciesecurity@yahoogroups.com
Subject: Re: PIX Question
Sounds good but the volume will be a killer. Imagine supporting 20000+
users and logging all denied traffic.
I got packet sniffing ideas from somebody but that would be way too much
traffic to capture. PIX outside interface is serving 70Mbps traffic
right now. I don't think Sniffer can scale well in this environment
either.
I think we will end up relying on Web Sense for all denied HTTP URLs and
PIX syslog for all Denied traffic.
Thanks,
Sam
> Sam,
>
> What about using a "DENY any any log" at the end?
> Then check the log to see who is denied? BUT do not
> deny everybody...you still allow those already set to
> be allowed.
>
> Loizos
>
> --- Sam Munzani <sam@zealtron.com> wrote:
> > Brian,
> >
> > Your first suggestion can be an option for ongoing investigation but
> > not the second. Whoever is using our network to hack somebody else
> > will not come forward and say, I can't access that web site.
> >
> > I am getting different ideas from everybody. After compiling all the
> > different ideas, we may come up with some kind of solution (may not
> > be the best one, but better than nothing).
> >
> > Thanks,
> > Sam
> >
> > > If you have a router behind the PIX you can put an access-list in that
> > > will log when someone goes to that particular website.
> > >
> > > access-list 100 permit tcp any host 198.133.219.25 eq 80 log
> > > access-list 100 permit ip any any
> > >
> > > int fa0/0
> > > description Interface to PIX
> > > ip access-group 100 out
> > >
> > > Another option would be to just not allow anyone to get to that
> > > website and see who complains. Let them come to you ;-)
> > >
> > > Brian Dennis, CCIE #2210 (R&S/ISP Dial)
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Sam Munzani
> > > Sent: Wednesday, October 23, 2002 12:43 PM
> > > To: ccielab@groupstudy.com
> > > Cc: cciesecurity@yahoogroups.com
> > > Subject: PIX Question
> > >
> > > Group,
> > >
> > > I have PIX setup with PAT, hiding 15000+ stations behind a few IPs. We
> > > are getting complaints from some web sites that somebody from our network
> > > tried to hack their server. Since it's PAT, all they can give us was the
> > > Date/Time when our IP tried to hack their server.
> > >
> > > Syslogging Informational messages to a syslog server could give me enough
> > > data to trace this hacker in my internal network. However, for 25000+
> > > connections it's a big overhead on the PIX and the syslog server.
> > >
> > > Does anybody have a better idea to trace it? Any ideas would be greatly
> > > appreciated.
> > >
> > > Thanks,
> > > Sam
This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:10 GMT-3