Networking Forums


How to monitor attacks against my IP?

 
 
zeebop
Guest
Posts: n/a

 
      07-24-2003, 08:46 PM
Hi,

I have an Alcatel Speedtouch 510 (4 port hub/router/adsl modem)

It has a built in firewall which seems to do a good job.

I was wondering how I would go about monitoring any malicious probes
against my IP. Is there some free software to do this?

Cheers

zeebop
 
 
 
 
 
Lek
Guest
Posts: n/a

 
      07-24-2003, 09:09 PM
The router will probably make logs... you just need to find out how to get to
them.


"zeebop" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> I have an Alcatel Speedtouch 510 (4 port hub/router/adsl modem)
>
> It has a built in firewall which seems to do a good job.
>
> I was wondering how I would go about monitoring any malicious probes
> against my IP. Is there some free software to do this?
>
> Cheers
>
> zeebop



 
 
Maximilian K.
Guest
Posts: n/a

 
      07-25-2003, 03:54 AM
Then there're "intrusion detection" systems.
We run one at work. In fact, UNIX group does.
What a load of bollocks. It always indicates we're under attack.

(When you cry wolf too often no one is to help when wolf is there...)
--
_______________________
Maximillian!


"Lek" <(E-Mail Removed)> wrote in message
newsXXTa.346$(E-Mail Removed)...
> the router will probably make logs.. you just need to find out how to get
> to them
>
>
> "zeebop" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Hi,
> >
> > I have an Alcatel Speedtouch 510 (4 port hub/router/adsl modem)
> >
> > It has a built in firewall which seems to do a good job.
> >
> > I was wondering how I would go about monitoring any malicious probes
> > against my IP. Is there some free software to do this?




 
 
Lek
Guest
Posts: n/a

 
      07-25-2003, 08:22 AM
In English?

"Maximilian K." <(E-Mail Removed)> wrote in
message news:5S1Ua.4$(E-Mail Removed)...
> Then there're "intrusion detection" systems.
> We run one at work. In fact, UNIX group does.
> What a load of bollocks. It always indicates we're under attack.
>
> (When you cry wolf too often no one is to help when wolf is there...)
> --
> _______________________
> Maximillian!
>
>
> "Lek" <(E-Mail Removed)> wrote in message
> newsXXTa.346$(E-Mail Removed)...
> > the router will probably make logs.. you just need to find out how to get
> > to them
> >
> >
> > "zeebop" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> > > Hi,
> > >
> > > I have an Alcatel Speedtouch 510 (4 port hub/router/adsl modem)
> > >
> > > It has a built in firewall which seems to do a good job.
> > >
> > > I was wondering how I would go about monitoring any malicious probes
> > > against my IP. Is there some free software to do this?

>
>
>



 
 
Peter Morgan - 0870 432 9631
Guest
Posts: n/a

 
      07-25-2003, 04:36 PM
On Fri, 25 Jul 2003 09:22:09 +0100, "Lek" <(E-Mail Removed)> wrote:

>In English?


or upside down ?

(That there's probably no point worrying about the "attacks" as the
reporting of same can get you paranoid, and if there are reports at
1 minute intervals, you'd not spot a true attack anyway! BICBW.)

 
 
Maximilian K.
Guest
Posts: n/a

 
      07-25-2003, 11:27 PM

"Peter Morgan - 0870 432 9631" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) .net...
> On Fri, 25 Jul 2003 09:22:09 +0100, "Lek" <(E-Mail Removed)> wrote:
>
> >In English?

>
> or upside down ?
>
> (That there's probably no point worrying about the "attacks" as the
> reporting of same can get you paranoid, and if there are reports at
> 1 minute intervals, you'd not spot a true attack anyway! BICBW.)


My point is: a decent intrusion detection system shouldn't cry murder all
the time.

Because, if it does so, the real attack can be easily missed - because huge
number of false alarms will make those attack reports not worth attention.

The IDS we have at work, always says we're under attack. Hence the verdict:
"loads of b--x".
Don't blame me, UNIX guys run it. :-)

_______________________
Maximillian!


>



 
 
Lek
Guest
Posts: n/a

 
      07-26-2003, 12:45 PM
Well actually I think you are incorrect. Due to the nature of the internet
(networking) and attacks .... normal internet background noise and attacks
can look very similar. Therefore intrusion detection has to be easily tuned
to get the right balance.

"The IDS we have at work, always says we're under attack. Hence the verdict:
"loads of b--x"."


In this case your intrusion detection needs "tuning", if it can't be tuned
THEN it is a load of bollox... if it can be tuned and isn't ... then it is
the fault of the administrator in charge of that particular piece of
equipment.



"Maximilian K." <(E-Mail Removed)> wrote in
message news:h1jUa.1146$(E-Mail Removed)...
>
> "Peter Morgan - 0870 432 9631" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) .net...
> > On Fri, 25 Jul 2003 09:22:09 +0100, "Lek" <(E-Mail Removed)> wrote:
> >
> > >In English?

> >
> > or upside down ?
> >
> > (That there's probably no point worrying about the "attacks" as the
> > reporting of same can get you paranoid, and if there are reports at
> > 1 minute intervals, you'd not spot a true attack anyway! BICBW.)

>
> My point is: a decent intrusion detection system shouldn't cry murder all
> the time.
>
> Because, if it does so, the real attack can be easily missed - because huge
> number of false alarms will make those attack reports not worth attention.
>
> The IDS we have at work, always says we're under attack. Hence the verdict:
> "loads of b--x".
> Don't blame me, UNIX guys run it. :-)
>
> _______________________
> Maximillian!
>
>
> >

>
>



 
 
Keith Roberts
Guest
Posts: n/a

 
      07-26-2003, 04:52 PM
I have a firewall box at home that gives me reports of what traffic has been
trying to get to my network - I get loads of info all the time that the
Internet link is active.

The box is using Snort that logs details of what ports were scanned etc
etc - sometimes these are a result of visiting certain web pages that try to
assess your system. There are also a lot of scans of my system to attack my
web/SQL servers etc that I am not running - these are mostly automated
attacks. It is not bollocks, it just indicates that there are a lot of
compromised systems on the Internet that are being used to find and attack
systems that don't have up-to-date security patches applied.

If you attach a system to the Internet you will get attacked randomly just
to see if you are running anything that can be hacked easily.

Yesterday I had two scans for "MS-SQL Worm propagation attempt", lots of
attempts to attach to MS filesharing system, quite a few attempts at web
server and assorted other attacks - I was only on for a few hours yesterday.

I am running www.ipcop.org on a separate machine

Maximilian K. wrote:
> Then there're "intrusion detection" systems.
> We run one at work. In fact, UNIX group does.
> What a load of bollocks. It always indicates we're under attack.
>
> (When you cry wolf too often no one is to help when wolf is there...)
>
> "Lek" <(E-Mail Removed)> wrote in message
> newsXXTa.346$(E-Mail Removed)...
>> the router will probably make logs.. you just need to find out how
>> to get to them
>>
>>
>> "zeebop" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> Hi,
>>>
>>> I have an Alcatel Speedtouch 510 (4 port hub/router/adsl modem)
>>>
>>> It has a built in firewall which seems to do a good job.
>>>
>>> I was wondering how I would go about monitoring any malicious probes
>>> against my IP. Is there some free software to do this?



 
 
Martin Cooper
Guest
Posts: n/a

 
      07-26-2003, 07:11 PM
"Keith Roberts" <(E-Mail Removed)> wrote:

> I have a firewall box at home that gives me reports of what traffic has been
> trying to get to my network - I get loads of info all the time that the
> Internet link is active.
>
> The box is using Snort that logs details of what ports were scanned etc
> etc - sometimes these are a result of visiting certain web pages that try to
> assess your system. There are also a lot of scans of my system to attack my
> web/SQL servers etc that I am not running - these are mostly automated
> attacks. It is not bollocks, it just indicates that there are a lot of
> compromised systems on the Internet that are being used to find and attack
> systems that don't have up-to-date security patches applied.
>
> If you attach a system to the Internet you will get attacked randomly just
> to see if you are running anything that can be hacked easily.
>
> Yesterday I had two scans for "MS-SQL Worm propagation attempt", lots of
> attempts to attach to MS filesharing system, quite a few attempts at web
> server and assorted other attacks - I was only on for a few hours yesterday.
>


I totally agree. The problem with an IDS is when people do not use it
correctly. Looking at every exploit rarely shows anything. I also use
snort, and have two sensors working, one on my external unfiltered
interface, the second on the inside of my firewall. I then have snort
insert all attack data into a mysql database on a different machine. This
machine runs an apache web server, and ACID (Analysis Console for Intrusion
Detection).

In combination, this allows me to see that my firewall is indeed blocking
the attacks I expect it to block by confirming that data picked up on the
external sensor never gets to the internal sensor. In addition, ACID allows
me to search for attacks from a unique IP address. In the case that a large
number of exploits are attempted in a fairly short space of time, I can then
conclude that those attacks are an attempt to hack my network. Only then
would I bother to contact the user's ISP and report the attack. Such attacks
have been fairly rare, but I have had to file about 5 abuse reports in the
last 6 months. However, this is getting a bit OT for this group.

--

Martin
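
The two checks described in the post above (external alerts that also reach the internal sensor, and many different exploit attempts from one source in a short time), sketched as an added example that is not part of the original thread or any poster's own setup. The alert tuples, the 10-minute window and the threshold of 3 distinct signatures are assumptions; the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample alerts: (sensor, time, source IP, signature).
# Source addresses are RFC 5737 documentation ranges; apart from the
# MS-SQL worm alert quoted in the thread, signature names are made up.
ALERTS = [
    ("external", "2003-07-25 10:00:05", "192.0.2.10", "MS-SQL Worm propagation attempt"),
    ("external", "2003-07-25 10:14:40", "198.51.100.7", "file sharing connection attempt"),
    ("external", "2003-07-25 11:02:00", "203.0.113.50", "file sharing connection attempt"),
    ("external", "2003-07-25 11:03:10", "203.0.113.50", "MS-SQL Worm propagation attempt"),
    ("external", "2003-07-25 11:05:30", "203.0.113.50", "web server probe"),
    ("internal", "2003-07-25 11:05:31", "203.0.113.50", "web server probe"),
    ("external", "2003-07-25 11:07:45", "203.0.113.50", "ftp login attempt"),
    ("external", "2003-07-25 13:30:00", "192.0.2.10", "MS-SQL Worm propagation attempt"),
]

def leaked_past_firewall(alerts):
    """(source, signature) pairs seen by both sensors, i.e. not blocked."""
    seen = defaultdict(set)
    for sensor, _, src, sig in alerts:
        seen[sensor].add((src, sig))
    return sorted(seen["external"] & seen["internal"])

def burst_sources(alerts, window=timedelta(minutes=10), min_signatures=3):
    """Sources that tried >= min_signatures distinct signatures within window."""
    by_src = defaultdict(list)
    for sensor, ts, src, sig in alerts:
        if sensor == "external":
            by_src[src].append((datetime.strptime(ts, FMT), sig))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {sig for _, sig in events[start:end + 1]}
            if len(distinct) >= min_signatures:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged

if __name__ == "__main__":
    print("reached internal sensor:", leaked_past_firewall(ALERTS))
    print("burst sources:", burst_sources(ALERTS))
```

The repeated single-signature worm alerts from 192.0.2.10 stay below the threshold, which is the background noise the thread argues about; only the source that cycles through several signatures in a few minutes is flagged.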
 