Re: source application for intrusion alerts

From: Duane Arnold (notme_at_notme.com)
Date: 01/02/04


Date: Fri, 02 Jan 2004 02:15:59 GMT

zvikam@email.com (zvika) wrote in
news:1fbfb579.0401011435.262f063d@posting.google.com:

> Thomas Hertel <Thomas.Hertel@gmx.net> wrote in message
> news:<m0r8vvg2r4nqgs0ulmjs8v4tqnm34l6ksl@4ax.com>...
>> zvikam@email.com (zvika) schrieb:
>>
>> >Hi,
>> >
>> >I was wondering if anyone know's of an IDS which has the following
>> >feature:
>> >when it detects an outgoing attack (originating from my computer),
>> >it will also check and record the application using the port from
>> >which the attack came.
>>
>> What do you consider being an outgoing attack?
>>
>
> for instance, i get a "ping sweep" alert from my IDS/Firewall (I use
> BlackIce) every once in a while
>
>> >I know this is technically possible on Windows2000/XP, since i use
>> >it in an "offline" manner to monitor open ports, but usually the
>> >"attack ports" are already closed by the time i've seen the alert...
>>
>> Outgoing traffic does not open ports. What are you talking about?
>
> in the above example (ping sweep), the outgoing packets have a source
> port.
> some application initiated that connection and sent that packet, and i
> want to know which application.

I think that the only way you're going to be able to determine the above is
at the machine level. You could use a packet sniffer log like the Ethereal
sniffer log and view the captured packet types and use the NT based O/S's
Audit Process Tracking log which tracks all process starting, stopping and
running on the machine.

If BlackIce is coming into play as well with some kind of alert and you're
using something like VisualIce to view the BI logs, you should be able to
view all the logs. And using a *when did it happen timeframe approach*,
track it back to what was running on the computer at the time.

But just because you tracked it back to an exe that was running on the
machine at the time doesn't mean it was that exe. It could be something
like a DLL that was using the exe or some other program element like an OCX
as an example.

You may need to use something like Process Explorer or PRCview to look
inside an (exe)/process and review what program elements are using the
exe. Both of the mentioned utility programs are (free).
>> >
>> >Also, if the attack is outgoing from my local network (but not from
>> >my computer), can i have an indication of the original IP (on my
>> >LAN) ?
>>

Yeah, you can do that too if you were using a NAT router as the gateway
device and the router was doing logging of all inbound and outbound traffic
to and from the router/network of machines, which will give the local and
remote IP(s) and ports being used, along with the date and time it
happened.

So, BI is able to alert on an outbound Ping Sweep? If this is true, then how
did you set BI up to do it?

Duane :)
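The "when did it happen" correlation described in the reply, as an added example that is not part of the original thread: it takes the sniffer timestamps of the suspicious outbound packets and lists every process whose Audit Process Tracking create/exit events overlap that window, so the candidate list is narrowed before looking inside each exe with Process Explorer. The packet lines, process names and PIDs are constructed, and the flattened one-line "time event pid image" audit format is an assumption made for the example.

```python
"""Correlate an outbound alert window with Windows process-tracking events."""
from datetime import datetime

# Constructed Ethereal-style summary lines: the outbound ICMP echo requests
# behind a "ping sweep" alert (source host 192.168.1.10 is constructed).
SNIFFER_LINES = [
    "2004-01-01 14:31:02 192.168.1.10 -> 192.168.1.1 ICMP echo request",
    "2004-01-01 14:31:02 192.168.1.10 -> 192.168.1.2 ICMP echo request",
    "2004-01-01 14:31:03 192.168.1.10 -> 192.168.1.3 ICMP echo request",
]

# Constructed Security-log events flattened to "time event pid image".
# 592 = new process created, 593 = process exited (NT/2000/XP audit IDs).
AUDIT_LINES = [
    "2004-01-01 09:00:00 592 1204 explorer.exe",
    "2004-01-01 14:29:10 592 1980 outlook.exe",
    "2004-01-01 14:30:40 593 1980 outlook.exe",
    "2004-01-01 14:30:55 592 2316 scanner.exe",
    "2004-01-01 14:31:30 593 2316 scanner.exe",
]

TS = "%Y-%m-%d %H:%M:%S"

def parse_ts(text):
    return datetime.strptime(text, TS)

def alert_window(sniffer_lines):
    """Earliest and latest capture timestamp among the suspicious packets."""
    stamps = [parse_ts(" ".join(line.split()[:2])) for line in sniffer_lines]
    return min(stamps), max(stamps)

def process_lifetimes(audit_lines):
    """Map pid -> [image, start, end]; end stays None if no 593 was seen."""
    lifetimes = {}
    for line in sorted(audit_lines):  # ISO timestamps sort chronologically
        date, clock, event, pid, image = line.split()
        when = parse_ts(f"{date} {clock}")
        if event == "592":
            lifetimes[int(pid)] = [image, when, None]  # pid reuse overwrites
        elif event == "593" and int(pid) in lifetimes:
            lifetimes[int(pid)][2] = when
    return lifetimes

def processes_running_during(audit_lines, window):
    """Processes alive at any point in [start, end], ordered by start time."""
    start, end = window
    hits = []
    for pid, (image, began, ended) in process_lifetimes(audit_lines).items():
        if began <= end and (ended is None or ended >= start):
            hits.append((began, image, pid))
    return [(image, pid) for _, image, pid in sorted(hits)]

if __name__ == "__main__":
    for image, pid in processes_running_during(AUDIT_LINES, alert_window(SNIFFER_LINES)):
        print(f"candidate: {image} (pid {pid})")
```

A process that exited before the first packet (outlook.exe above) drops out of the list; long-lived shells such as explorer.exe stay in, which is exactly why the reply warns that the surviving exe may only be hosting the real culprit.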