01-19-2005 04:28 PM - edited 02-20-2020 11:52 PM
If I suspect that my network is under attack, what level should I be logging, and what should I be looking for, to tell if someone is attempting to attack my network? Thanks.
01-19-2005 04:42 PM
Warning for logging should be fine.
Take a look for DROP packets from the same source IP, if SYN flooding is the problem.
Do you have public services such as HTTP, SMTP or others?
I suppose yes, then take a look at whether you have an excessive amount of SYN packets on the protocol.
The easiest way to do that is putting a sniffer in place and doing some statistical work.
Another way could be to put an NTOP host on the internet. http://www.ntop.org/ntop.html to see real-time traffic.
Sincerely,
Patrick
01-19-2005 04:47 PM
I normally use 'log buff warn'
Nice and easy to 'clear log' and see up-to-date entries, nothing clogging your screen up when trying to configure.
Obviously if your PIX is letting this straight through, you're not going to see it in the log, but if you're looking for attacks that your PIX is currently protecting you from, it will be there.
Tighten up the PIX where necessary and you can quickly see any genuine traffic you may have stopped inadvertently.
01-20-2005 12:13 PM
I'm not as big a specialist as others, but the really good solution is to set it to Notifications. Why?
1. On each access-list, apply a logging policy.
2. Install Kiwi (or any syslog server).
3. You will not be able to determine the attack that's going on in the right way. That's why you need to log all the events, in case you will need the evidence.
4. Check all your servers that the STATIC command translates. In the event logs you can find a lot of interesting stuff.
And after one day of capturing syslog messages, sit on them for a day and try to analyze them.
I usually do so.
The example is simple:
Somebody usually comes to my web site from a site such as www.anonymizer.com/. What does it mean for any security specialist... right! He only wants to look at the pictures on my site :)
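As an added example, not code from anyone in this thread, here is a small Python script that does the "DROP packets from the same source IP" check from Patrick's reply over a captured syslog file: it counts PIX 106023 access-group deny messages per source IP and lists the noisiest sources together with the destination ports they hit. The log lines are constructed samples in the 106023 format, and the threshold of 3 is an assumption.

```python
import re
from collections import defaultdict

# Regex for the PIX access-group deny message (message ID 106023).
DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample syslog capture (not real logs): 203.0.113.7 hammers the
# web server, 198.51.100.9 is denied once, and the 302013 line is a normal
# connection build-up that must be ignored.
SAMPLE_LOG = """\
Jan 19 2005 16:30:01 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40001 dst inside:192.0.2.10/80 by access-group "outside_in"
Jan 19 2005 16:30:01 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40002 dst inside:192.0.2.10/80 by access-group "outside_in"
Jan 19 2005 16:30:02 pix %PIX-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.5/51000 (198.51.100.5/51000) to inside:192.0.2.10/80 (192.0.2.10/80)
Jan 19 2005 16:30:02 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40003 dst inside:192.0.2.10/80 by access-group "outside_in"
Jan 19 2005 16:30:03 pix %PIX-4-106023: Deny udp src outside:198.51.100.9/5353 dst inside:192.0.2.10/53 by access-group "outside_in"
Jan 19 2005 16:30:03 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/40004 dst inside:192.0.2.10/25 by access-group "outside_in"
"""


def summarize_denies(log_text):
    """Return {src_ip: {"count": denies, "ports": sorted destination ports}}."""
    summary = defaultdict(lambda: {"count": 0, "ports": set()})
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # not a 106023 deny (e.g. a 302013 built-connection line)
        entry = summary[m.group("src")]
        entry["count"] += 1
        entry["ports"].add(int(m.group("dport")))
    return {ip: {"count": v["count"], "ports": sorted(v["ports"])}
            for ip, v in summary.items()}


def noisy_sources(summary, threshold):
    """Source IPs with at least `threshold` denies, busiest first."""
    ranked = sorted(summary.items(), key=lambda kv: kv[1]["count"], reverse=True)
    return [ip for ip, v in ranked if v["count"] >= threshold]


if __name__ == "__main__":
    stats = summarize_denies(SAMPLE_LOG)
    for ip in noisy_sources(stats, 3):  # threshold is an assumed value
        print(ip, stats[ip])
```

Point it at a real syslog capture by replacing SAMPLE_LOG with the file contents; a single source with many denies against one port is the SYN-flood pattern Patrick describes, while many distinct ports from one source looks more like a scan.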