RE: where should I start? help!

From: George Peek (GKPeek_at_AllstateTicketing.com)
Date: 09/04/03

  • Next message: Stefan Marx: "Re: Best Practices on Web based email ?"
    To: 'Jane Han' <janehan22@yahoo.com>, Ben Hicks <ben@sequenced.net>, security-basics@securityfocus.com, Gregory_DeGennaro@csaa.com
    Date: Thu, 4 Sep 2003 11:20:28 -0700 
    
    

    Use Kiwi Syslog Daemon

    -----Original Message-----
    From: Jane Han [mailto:janehan22@yahoo.com]
    Sent: Thursday, July 24, 2003 7:08 AM
    To: Ben Hicks; security-basics@securityfocus.com;
    Gregory_DeGennaro@csaa.com
    Cc: security-basics@securityfocus.com
    Subject: RE: where should I start? help!

    Thanks for all the help. If I want to find all traffic on
    the PIX internal interface, what should I do? Using a
    sniffer? How do I position the sniffer? Can I span a
    port on the PIX, or do I have to do spanning on the
    switch?

    Any suggestions or help will be highly appreciated.

    switch ---PIX---external router

    The external router serial interface status is as follows:
    Serial0/0 is up, line protocol is up
      Hardware is DSCC4 Serial
      Internet address is a.b.c.d/30
      MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
         reliability 255/255, txload 24/255, rxload
    235/255
      Encapsulation HDLC, loopback not set
      Keepalive set (10 sec)
      Last input 00:00:05, output 00:00:01, output hang
    never
      Last clearing of "show interface" counters 1d23h
      Input queue: 0/75/0/0 (size/max/drops/flushes);
    Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/100 (size/max)
      30 second input rate 1424000 bits/sec, 230
    packets/sec
      30 second output rate 147000 bits/sec, 161
    packets/sec
         16859032 packets input, 2850828712 bytes, 0 no
    buffer
         Received 17055 broadcasts, 0 runts, 0 giants, 0
    throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0
    ignored, 0 abort
         13720059 packets output, 3084799197 bytes, 0
    underruns
         0 output errors, 0 collisions, 0 interface resets
         0 output buffer failures, 0 output buffers
    swapped out
         0 carrier transitions
         DCD=up DSR=up DTR=up RTS=up CTS=up

    Thanks in advance,

    Jane
    --- Ben Hicks <ben@sequenced.net> wrote:
    > Hmm, so the firewall is performing the NAT then.
    >
    > Just out of interest, what is the firewall doing?
    > does it have any access
    > lists on it ?
    >
    > Thanks,
    >
    > Ben
    >
    >
    >
    > -----Original Message-----
    > From: Jane Han [mailto:janehan22@yahoo.com]
    > Sent: 15 July 2003 16:20
    > To: Ben Hicks; security-basics@securityfocus.com
    > Subject: RE: where should I start? help!
    >
    >
    > Ben,
    >
    > I appreciate your answer. I enabled the IP
    > accounting
    > and the IP accounting only shows the destination
    > address as public address (NAT). Is there a way
    > that
    > I can trace this public IP address (NAT) to
    > the internal private IP address?
    >
    > Thanks,
    >
    > Jane
    >
    > --- Ben Hicks <ben@sequenced.net> wrote:
    > > The interface is very heavily utilised on the
    > > receiving of information - i.e
    > > persons downloading.
    > >
    > > Your interface (at the time of the snap***) was
    > > very heavily utilised.
    > > 188/255 RX suggest that your link is about 75%
    > > utilised, which is very high.
    > >
    > > There are of course many other things that could
    > be
    > > attributing to the
    > > problem, but I would start here.
    > >
    > > You could perhaps enable ip accounting to find out
    > > which IP addresses are
    > > accessing the most amount of information.
    > >
    > > HTH
    > >
    > > Ben.
    > >
    > > -----Original Message-----
    > > From: Jane Han [mailto:janehan22@yahoo.com]
    > > Sent: 08 July 2003 15:41
    > > To: security-basics@securityfocus.com
    > > Subject: where should I start? help!
    > >
    > >
    > > Hi, all
    > >
    > > I am relatively new to this field. We have a full
    > T1
    > > but the internet speed is very slow.
    > > Sometimes it's even slower than dial-up speed when
    > > downloading files.
    > > E1 E0 E0 s0
    > > Switch --- PIX ------Cisco 2600
    > > Router------Internet
    > >
    > > (E1 and E0 are Ethernet Interface and S0 is serial
    > > interface) (please see the following status on s0)
    > >
    > > Serial0/0 is up, line protocol is up
    > > Hardware is QUICC Serial
    > > Internet address is X.X.X.X/30
    > > MTU 1500 bytes, BW 2048 Kbit, DLY 20000 usec,
    > > reliability 255/255, txload 26/255, rxload
    > > 188/255
    > > Encapsulation HDLC, loopback not set
    > > Keepalive set (10 sec)
    > > Last input 00:00:02, output 00:00:00, output
    > hang
    > > never
    > > Last clearing of "show interface" counters never
    > > Input queue: 0/75/9199/0
    > (size/max/drops/flushes);
    > > Total output drops: 3307
    > > Queueing strategy: weighted fair
    > > Output queue: 0/1000/64/3307 (size/max
    > > total/threshold/drops)
    > > Conversations 0/57/256 (active/max
    > active/max
    > > total)
    > > Reserved Conversations 0/0 (allocated/max
    > > allocated)
    > > 30 second input rate 1510000 bits/sec, 235
    > > packets/sec
    > > 30 second output rate 214000 bits/sec, 173
    > > packets/sec
    > > 76598509 packets input, 1523011153 bytes, 0
    > no
    > > buffer
    > > Received 104544 broadcasts, 0 runts, 0
    > giants,
    > > 0
    > > throttles
    > > 1 input errors, 0 CRC, 1 frame, 0 overrun, 0
    > > ignored, 0 abort
    > > 66685034 packets output, 4044743843 bytes, 0
    > > underruns
    > > 0 output errors, 0 collisions, 1 interface
    > > resets
    > > 0 output buffer failures, 0 output buffers
    > > swapped out
    > > 0 carrier transitions
    > > DCD=up DSR=up DTR=up RTS=up CTS=up
    > >
    > > I checked the S0 interface status on the internet
    > > router. What info does the above indicate?
    > > What does input and output packets mean in case
    > > internal users download files from internet?
    > >
    > > I really do not know how to find out where all the
    > > traffic
    > > is from. I bet there are lots of downloads
    > > from the internet. Where should I start?
    > >
    > > BTW, we have one block of class C public addresses.
    > But
    > > the PIX only uses 30 for NAT and one
    > > global pool address:
    > > global (outside) 1 x.x1.x2.201-x.x1.x2.230
    > > global (outside) 1 x.x1.x2.200
    > >
    > > Could this cause the slowness on internet speed
    > > also?
    > >
    > > Thanks in advance,
    > >
    > > Jane
    > >
    > > __________________________________
    > > Do you Yahoo!?
    > > SBC Yahoo! DSL - Now only $29.95 per month!
    > > http://sbc.yahoo.com
    > >
    > >
    >
    ---------------------------------------------------------------------------
    > > Evaluating SSL VPNs' Consider NEOTERIS, chosen as
    > > leader by top analysts!
    > > The Gartner Group just put Neoteris in the top of
    > > its Magic Quadrant,
    > > while InStat has confirmed Neoteris as the leader
    > in
    > > marketshare.
    > >
    > > Find out why, and see how you can get plug-n-play
    > > secure remote access in
    > > about an hour, with no client, server changes, or
    > > ongoing maintenance.
    > >
    > > Visit us at:
    > > http://www.neoteris.com/promos/sf-6-9.htm
    > >
    >
    ----------------------------------------------------------------------------
    > >
    > >
    >
    >
    >
    >
    >
    >

    __________________________________
    Do you Yahoo!?
    Yahoo! SiteBuilder - Free, easy-to-use web site design software
    http://sitebuilder.yahoo.com


    ---------------------------------------------------------------------------
    Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
    October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
    technical IT security event. Modeled after the famous Black Hat event in
    Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
    Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com
    ----------------------------------------------------------------------------
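The thread turns on reading the two "show interface Serial0/0" snapshots: Ben derives "about 75%" from rxload 188/255, and the September snapshot shows rxload 235/255 with a different BW statement. The script below is an added example, written for this archive page and not posted by anyone in the thread. It parses the fields a saturation check needs (BW, txload/rxload, 30-second rates, queue drops, input errors) from abbreviated copies of the page's own output and reports utilisation. The `circuit_kbit` parameter is an assumption added here: IOS computes txload/rxload against the configured `bandwidth` statement, so when the July router says BW 2048 Kbit but the circuit is a full T1 (1544 kbit/s), the load counters understate how close the link is to saturation; the example recomputes utilisation against the real circuit and flags the mismatch.

```python
import re

# Constructed sample input: abbreviated copies of the two "show interface
# Serial0/0" snapshots quoted in the thread (addresses masked as in the original).
SNAPSHOT_JULY = """Serial0/0 is up, line protocol is up
  Hardware is QUICC Serial
  Internet address is X.X.X.X/30
  MTU 1500 bytes, BW 2048 Kbit, DLY 20000 usec,
     reliability 255/255, txload 26/255, rxload 188/255
  Encapsulation HDLC, loopback not set
  Input queue: 0/75/9199/0 (size/max/drops/flushes); Total output drops: 3307
  Queueing strategy: weighted fair
  30 second input rate 1510000 bits/sec, 235 packets/sec
  30 second output rate 214000 bits/sec, 173 packets/sec
     1 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
"""

SNAPSHOT_SEPT = """Serial0/0 is up, line protocol is up
  Hardware is DSCC4 Serial
  Internet address is a.b.c.d/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 24/255, rxload 235/255
  Encapsulation HDLC, loopback not set
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  30 second input rate 1424000 bits/sec, 230 packets/sec
  30 second output rate 147000 bits/sec, 161 packets/sec
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
"""

T1_KBIT = 1544  # a full T1 payload rate in kbit/s


def _grab(pattern, text):
    """Return the first capture group of `pattern` as an int, or fail loudly."""
    m = re.search(pattern, text)
    if not m:
        raise ValueError(f"field not found: {pattern}")
    return int(m.group(1))


def parse_show_interface(text):
    """Extract the fields relevant to a link-saturation check from IOS
    'show interface' output. Only the fields used below are parsed."""
    return {
        "bw_kbit": _grab(r"BW (\d+) Kbit", text),
        "txload": _grab(r"txload (\d+)/255", text),
        "rxload": _grab(r"rxload (\d+)/255", text),
        "in_bps": _grab(r"input rate (\d+) bits/sec", text),
        "out_bps": _grab(r"output rate (\d+) bits/sec", text),
        "in_queue_drops": _grab(r"Input queue: \d+/\d+/(\d+)/\d+", text),
        "out_drops": _grab(r"Total output drops: (\d+)", text),
        "in_errors": _grab(r"(\d+) input errors", text),
    }


def assess(iface, circuit_kbit=None, saturation_pct=70.0):
    """Turn raw counters into utilisation figures and flags.

    txload/rxload are fractions of 255 relative to the *configured* BW, so
    they are only meaningful if the bandwidth statement matches the circuit.
    `circuit_kbit` (assumed, not on the page) lets the caller supply the real
    line rate; utilisation is then recomputed against it.
    """
    bw_bps = iface["bw_kbit"] * 1000
    result = {
        "tx_load_pct": iface["txload"] / 255 * 100,
        "rx_load_pct": iface["rxload"] / 255 * 100,
        "tx_util_pct": iface["out_bps"] / bw_bps * 100,
        "rx_util_pct": iface["in_bps"] / bw_bps * 100,
        "bw_mismatch": False,
        "drops": iface["in_queue_drops"] > 0 or iface["out_drops"] > 0,
        "errors": iface["in_errors"] > 0,
    }
    if circuit_kbit is not None and circuit_kbit != iface["bw_kbit"]:
        # Configured BW does not match the physical circuit: the load
        # counters are misleading, so compute against the real rate.
        result["bw_mismatch"] = True
        result["rx_circuit_util_pct"] = iface["in_bps"] / (circuit_kbit * 1000) * 100
        result["tx_circuit_util_pct"] = iface["out_bps"] / (circuit_kbit * 1000) * 100
    worst_rx = result.get("rx_circuit_util_pct", result["rx_util_pct"])
    result["saturated"] = worst_rx >= saturation_pct
    return result


if __name__ == "__main__":
    for name, snap in (("July (BW 2048)", SNAPSHOT_JULY), ("Sept (BW 1544)", SNAPSHOT_SEPT)):
        r = assess(parse_show_interface(snap), circuit_kbit=T1_KBIT)
        print(f"{name}: rx load {r['rx_load_pct']:.1f}% of configured BW, "
              f"rx rate {r.get('rx_circuit_util_pct', r['rx_util_pct']):.1f}% of T1, "
              f"bw_mismatch={r['bw_mismatch']} drops={r['drops']} saturated={r['saturated']}")
```

Run as-is it prints one line per snapshot. The July output reproduces Ben's figure (188/255 is 73.7% of the configured 2048 kbit) but, measured against a real T1, the 1.51 Mbit/s inbound rate is close to 98% of the circuit, with input-queue drops and weighted-fair-queue output drops confirming congestion; the September router, with BW correctly set to 1544, shows rxload 235/255 (92%) and no drops.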

