Re: Dealing with script kiddies
From: HaffyHaf (haffyhaf@yahoo.com)
Date: 06/08/02
- Next message: David Clausen: "SMTP Secuirty"
- Previous message: Joe Richards [MVP]: "Re: Dealing with script kiddies"
- In reply to: Michael A. Covington: "Re: Dealing with script kiddies"
- Next in thread: john dobbs: "Re: Dealing with script kiddies"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: haffyhaf@yahoo.com (HaffyHaf) Date: 7 Jun 2002 15:18:01 -0700
"Michael A. Covington" <mc@deletethisword.uga.edu> wrote in message news:<#2obDmkDCHA.2296@tkmsftngp05>...
> > I'll tell you what I do and you can feel free to follow my lead or
> > ignore me. :)
> >
> > I scan the logs manually, and also run a script that checks for
> > instances of CMD.EXE and a few others. If I get a repeated attack
> > either over several hours/days or continuous for a significant amount
> > of time, and if I'm pissed because the bagel place was out of garlic
> > bagels, then I hunt down the offending system and their ISP.
> >
> > I have a secret weapon in that we're a municipal government with links
> > to law enforcement networks, including the FBI, so I can let the ISP
> > know these attacks constitute a potential attack on a security
> > infrastructure. Since 9/11, most providers are very sensitive to this
> > and act immediately.
> >
> > Over the years I've gotten a fair number of systems locked off the
> > internet and accounts canceled. It never gets me a garlic bagel, but
> > it makes the onion bagel taste a little better and that's enough.
> >
> > Sometimes I just have too much time and too little social life... :)
>
> Actually I often play the same role as grumpy old man :)
>
> A few years ago I chaired the committee that developed our acceptable-use
> policy. That involved mainly dealing with the legal and human side of
> security, not the technical side, so I'm not always _au courant_ with the
> names of viruses or the ways to recognize particular technical forms of
> attack.
>
> And, like you, I'm in government.
>
> And, like you, I do a variable amount of checking and reporting depending on
> workload and mood. That actually probably enhances security -- if I don't
> operate with mechanical predictability, people can't predict what I *won't*
> do.
>
> I'm writing an automated log-scanner. Under the .NET API, is it easy to
> make a program send a piece of e-mail?
You might try our icLogAnalyzer at
http://www.independentcommerce.com/Content/icLog_Analyzer_Info.html .
It is free - comes with 3 ASP pages - you can configure the settings
ASP page with terms it searches for in your logs. It is currently set
up to check for common Nimda or Code Red queries. Also - it creates an
email link with a pre-formatted message you can send to their ISP.
There are also links to the ARIN and RIPE Whois databases that, with one
click, will look up the IP.
I wrote it so I can quickly send a message out. We get anywhere from 6
to 240 scans a day, but oftentimes most are from the same address.
Apparently it only runs through a random number of scans at a time.
Cliff
Independent Commerce
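The thread describes two pieces of tooling: a script that checks web logs for CMD.EXE-style requests (the Nimda/Code Red probes icLogAnalyzer also looks for) and a pre-formatted abuse message for the source's ISP. The following is an added example written for this archive page; it is not the posters' scripts and not icLogAnalyzer's ASP code. It is written in Python rather than ASP, the log lines are constructed in IIS W3C extended format, the detection patterns and the `min_hits` threshold are my own choices, and the ARIN Whois-RWS URL format is an assumption to verify before use.

```python
"""Scan IIS W3C extended log lines for Code Red / Nimda style probes,
summarise them per source address, and draft an abuse report.
Everything below (sample log, thresholds, patterns) is constructed for
illustration, not taken from the thread's tools."""
import re
from collections import Counter
from datetime import datetime

# Request substrings typical of the 2001 IIS worms named in the thread:
# Code Red hit /default.ida; Nimda probed for cmd.exe / root.exe.
PROBE_PATTERNS = {
    "code_red": re.compile(r"/default\.ida", re.I),
    "nimda_cmd": re.compile(r"/system32/cmd\.exe|/root\.exe", re.I),
    "traversal": re.compile(r"\.\./|%2e%2e", re.I),
}

# Assumed ARIN Whois-RWS lookup prefix; verify before relying on it.
ARIN_WHOIS = "https://whois.arin.net/rest/ip/"

# Constructed sample log; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-06-07 10:01:02 192.0.2.10 GET /default.htm - 200
2002-06-07 10:01:05 198.51.100.7 GET /scripts/root.exe /c+dir 404
2002-06-07 10:01:06 198.51.100.7 GET /winnt/system32/cmd.exe /c+dir 404
2002-06-07 10:01:07 198.51.100.7 GET /scripts/../winnt/system32/cmd.exe /c+dir 404
2002-06-07 10:02:11 203.0.113.5 GET /default.ida XXXXXXXX 400
2002-06-07 10:03:00 192.0.2.10 GET /images/logo.gif - 200
"""


def parse_iis_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields
    directive. Other '#' directives and malformed lines are skipped."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or fields is None:
            continue
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # field count mismatch: skip rather than crash
        yield dict(zip(fields, parts))


def classify(uri_stem, uri_query):
    """Return the set of probe categories a request matches (empty if benign)."""
    target = uri_stem + ("?" + uri_query if uri_query != "-" else "")
    return {name for name, pat in PROBE_PATTERNS.items() if pat.search(target)}


def scan(text):
    """Group matching requests by client IP with counts, time span and samples."""
    results = {}
    for rec in parse_iis_log(text):
        cats = classify(rec["cs-uri-stem"], rec["cs-uri-query"])
        if not cats:
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        entry = results.setdefault(rec["c-ip"], {
            "hits": 0, "counts": Counter(), "first": ts, "last": ts, "samples": []})
        entry["hits"] += 1
        entry["counts"].update(cats)
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        if len(entry["samples"]) < 3:  # keep a few lines as evidence
            entry["samples"].append(" ".join(
                rec[k] for k in ("date", "time", "cs-method", "cs-uri-stem",
                                 "cs-uri-query", "sc-status")))
    return results


def repeated_offenders(results, min_hits=2):
    """Sources worth reporting: repeated probes, busiest first."""
    return sorted((ip for ip, e in results.items() if e["hits"] >= min_hits),
                  key=lambda ip: -results[ip]["hits"])


def abuse_report(ip, entry):
    """Pre-formatted message body to send to the address owner's abuse contact."""
    lines = [
        f"Abuse report for {ip}",
        f"Probes observed: {entry['hits']} between "
        f"{entry['first']:%Y-%m-%d %H:%M:%S} and {entry['last']:%Y-%m-%d %H:%M:%S} "
        "(server local time)",
        "Categories: " + ", ".join(f"{k}={v}" for k, v in sorted(entry["counts"].items())),
        "Sample log lines:",
    ] + ["  " + s for s in entry["samples"]] + [f"Owner lookup: {ARIN_WHOIS}{ip}"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip in repeated_offenders(found):
        print(abuse_report(ip, found[ip]))
        print()
```

Grouping by source address is what makes the "6 to 240 scans a day, mostly from one host" observation actionable: one report per repeat offender with first/last timestamps and a handful of evidence lines is what an ISP abuse desk can act on, while a single stray hit is usually not worth a message.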