How to monitor attacks against my IP?
Posted by zeebop on July 24th, 2003


Hi,

I have an Alcatel Speedtouch 510 (4 port hub/router/adsl modem)

It has a built in firewall which seems to do a good job.

I was wondering how I would go about monitoring any malicious probes
against my IP. Is there some free software to do this?

Cheers

zeebop

Posted by Lek on July 24th, 2003


the router will probably make logs.. you just need to find out how to get to
them


"zeebop" <yeah@um.right> wrote in message
news:l9h0ivo3gtps9rru7g9p7svfk4mtr59l1a@4ax.com...


Posted by Maximilian K. on July 25th, 2003


Then there're "intrusion detection" systems.
We run one at work. In fact, UNIX group does.
What a load of bollocks. It always indicates we're under attack.

(When you cry wolf too often no one is to help when wolf is there...)
--
_______________________
Maximillian!


"Lek" <nospam@nospam.com> wrote in message
news:XXTa.346$2o3.3485@newsfep4-glfd.server.ntli.net...



Posted by Lek on July 25th, 2003


In English?

"Maximilian K." <RemoveThisToWriteMe_east.expert@virgin.net> wrote in
message news:5S1Ua.4$sv5.6273@newsfep1-win.server.ntli.net...


Posted by Peter Morgan - 0870 432 9631 on July 25th, 2003


On Fri, 25 Jul 2003 09:22:09 +0100, "Lek" <nospam@nospam.com> wrote:

or upside down ?

(That there's probably no point worrying about the "attacks" as the
reporting of same can get you paranoid, and if there are reports at
1 minute intervals, you'd not spot a true attack anyway! BICBW.)


Posted by Maximilian K. on July 26th, 2003



"Peter Morgan - 0870 432 9631" <no.mail@lastname.org.uk> wrote in message
news:52n2ivo2k16vj40uln5ce6odqmcq2ipcd8@news.clara.net...
My point is: a decent intrusion detection system shouldn't cry murder all
the time.

Because, if it does so, the real attack can be easily missed - because huge
number of false alarms will make those attack reports not worth attention.

The IDS we have at work, always says we're under attack. Hence the verdict:
"loads of b--x".
Don't blame me, UNIX guys run it. :-)

_______________________
Maximillian!




Posted by Lek on July 26th, 2003


Well actually I think you are incorrect. Due to the nature of the internet
(networking) and attacks .... normal internet background noise and attacks
can look very similar. Therefore intrusion detection has to be easily tuned
to get the right balance.

"The IDS we have at work, always says we're under attack. Hence the verdict:
In this case your intrusion detection needs "tuning", if it can't be tuned
THEN it is a load of bollox... if it can be tuned and isn't ... then it is
the fault of the administrator in charge of that particular piece of
equipment.



"Maximilian K." <RemoveThisToWriteMe_east.expert@virgin.net> wrote in
message news:h1jUa.1146$sv5.499701@newsfep1-win.server.ntli.net...


Posted by Keith Roberts on July 26th, 2003


I have a firewall box at home that gives me reports of what traffic has been
trying to get to my network - I get loads of info all the time that the
Internet link is active.

The box is using Snort that logs details of what ports were scanned etc
etc - sometimes these are a result of visiting certain web pages that try to
assess your system. There are also a lot of scans of my system to attack my
web/SQL servers etc that I am not running - these are mostly automated
attacks. It is not bollocks, it just indicates that there are a lot of
compromised systems on the Internet that are being used to find and attack
systems that don't have up to date security patches applied.

If you attach a system to the Internet you will get attacked randomly just
to see if you are running anything that can be hacked easily.

Yesterday I had two scans for "MS-SQL Worm propagation attempt" lots of
attempts to attach to MS filesharing system quite a few attempts at web
server and assorted other attacks - I was only on for a few hours yesterday.

I am running www.ipcop.org on a separate machine

Maximilian K. wrote:


Posted by Martin Cooper on July 26th, 2003


"Keith Roberts" <melfort0@nospam.btinternet.com> wrote:

I totally agree. The problem with an IDS is when people do not use it
correctly. Looking at every exploit rarely shows anything. I also use
snort, and have two sensors working, one on my external unfiltered
interface, the second on the inside of my firewall. I then have snort
insert all attack data into a mysql database on a different machine. This
machine runs an apache web server, and ACID (Analysis Console for Intrusion
Detection).

In combination, this allows me to see that my firewall is indeed blocking
the attacks I expect it to block by confirming that data picked up on the
external sensor never gets to the internal sensor. In addition, ACID allows
me to search for attacks from a unique IP address. In the case that a large
number of exploits are attempted in a fairly short space of time, I can then
conclude that those attacks are an attempt to hack my network. Only then
would I bother to contact the user's ISP and report the attack. Such attacks
have been fairly rare, but I have had to file about 5 abuse reports in the
last 6 months. However, this is getting a bit OT for this group.

--

Martin

