In this way it's better to use Snort :-(

---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 495 745 89 50
tel +7 495 777 77 07 (1613)

> -----Original Message-----
> From: Jason Baeder [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 20, 2006 7:30 PM
> To: Soldatov, Sergey V.; [email protected]
> Subject: Re: [ISSForum] TCP_Port_Scan
>
> Sergey,
>
> Tcpdump is your friend ;-)
>
> Get a laptop, install Linux and run tcpdump on the traffic in
> question and correlate it to the ISS events. It's a lot of
> work, but the best way that I know of. That's what I intend
> to do, but to do it I'll have to pull the traffic from the
> tap that SP is already using, thus depriving SP. Not an
> acceptable solution. As is often the case, the Security Team is
> NOT the Network Team and getting a mirror port off a switch
> is akin to getting blood from a turnip. In fact I just had a
> conversation yesterday about building a box to duplicate the
> output from the tap (yes, I know there are taps with multiple
> outputs but I don't have one on hand). I will be hunting
> around for hardware shortly...
>
> Jason
>
>
> --- "Soldatov, Sergey V." <[EMAIL PROTECTED]> wrote:
>
> > Holger,
> > Thank you very much for the good explanation!
> > But in my case the situation is not so simple: I have
> > TCP_Port_Scan from A (in Inet) to B (in LAN) and no other events from A except
> > TCP_Port_Scans, no events to A, and the same situation with B: no
> > events from B and the only events to B are the described TCP_Port_Scans.
> > Unfortunately I don't know what to do, here my imagination stops :-(
> >
> > Maybe someone has ideas? Logevidence? ISS doesn't allow switching
> > logevidence on for desired hosts, and if I log logevidence for all
> > scans on the sensor (it's gigabit) there will be no ability to find the right
> > packets :-(
> >
> > Thanks
> >
> > ---
> > Best regards, Sergey V. Soldatov.
> > Information security department.
> > tel/fax +7 495 745 89 50
> > tel +7 495 777 77 07 (1613)
> >
> >

_______________________________________________
ISSForum mailing list
[email protected]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
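Jason's advice above is to capture the traffic with tcpdump and correlate it with the ISS TCP_Port_Scan events; Sergey's problem is that the sensor's own logevidence cannot be scoped to the two hosts. The script below is an added example, not code posted by anyone on the thread and not part of ISS or tcpdump. It assumes tcpdump was run with `-n -tttt` (absolute timestamps, numeric addresses), parses that text output, finds sources that sent SYNs to many distinct ports of one host inside a time window, and attaches those packets as evidence to the matching console event. The packet lines and the ISS-style event records are constructed for the demo, and the `TCP_Port_Scan` event layout is a stand-in for whatever the console exports.

```python
"""Correlate ISS-style TCP_Port_Scan events with packets from a tcpdump dump.

Added example; assumes `tcpdump -n -tttt` text output. All sample data below
is constructed (RFC 5737 documentation addresses), not a real capture.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed capture: 203.0.113.5 probes 12 ports on 192.0.2.10 within a few
# microseconds, followed by an unrelated normal connection to port 80.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
SAMPLE_TCPDUMP = "\n".join(
    [f"2006-01-20 19:30:01.{i:06d} IP 203.0.113.5.4{i:04d} > 192.0.2.10.{p}: "
     f"Flags [S], seq 1, win 512, length 0"
     for i, p in enumerate(SCAN_PORTS)]
    + ["2006-01-20 19:30:02.500000 IP 198.51.100.7.51000 > 192.0.2.10.80: "
       "Flags [S], seq 100, win 65535, length 0",
       "2006-01-20 19:30:02.500800 IP 192.0.2.10.80 > 198.51.100.7.51000: "
       "Flags [S.], seq 1, ack 101, win 65535, length 0"]
)

# Constructed console events: the scan from the thread plus one with no packets.
SAMPLE_EVENTS = [
    {"time": datetime(2006, 1, 20, 19, 30, 3), "name": "TCP_Port_Scan",
     "src": "203.0.113.5", "dst": "192.0.2.10"},
    {"time": datetime(2006, 1, 20, 19, 45, 0), "name": "TCP_Port_Scan",
     "src": "203.0.113.9", "dst": "192.0.2.20"},
]

# Matches the start of a `tcpdump -n -tttt` TCP line up to the flags field.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse_tcpdump(text):
    """Turn tcpdump text lines into dicts; non-TCP or truncated lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        packets.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "src": m["src"], "dst": m["dst"],
            "sport": int(m["sport"]), "dport": int(m["dport"]),
            "flags": m["flags"],
        })
    return packets


def find_port_scans(packets, min_ports=10, window=timedelta(seconds=60)):
    """Return {(src, dst): packets} for each src that sent pure SYNs to at least
    `min_ports` distinct ports of one dst within `window`. Only flags == "S"
    count, so a host's own SYN-ACK replies never make it look like a scanner."""
    by_pair = defaultdict(list)
    for p in packets:
        if p["flags"] == "S":
            by_pair[(p["src"], p["dst"])].append(p)
    scans = {}
    for pair, syns in by_pair.items():
        syns.sort(key=lambda p: p["ts"])
        for i, first in enumerate(syns):
            in_window = [p for p in syns[i:] if p["ts"] - first["ts"] <= window]
            if len({p["dport"] for p in in_window}) >= min_ports:
                scans[pair] = in_window  # the packets behind the IDS event
                break
    return scans


def correlate(events, scans, slack=timedelta(minutes=5)):
    """Pair each event with the sorted list of probed ports from the capture, or
    None when no matching packets exist within `slack` of the event time."""
    result = []
    for ev in events:
        pkts = scans.get((ev["src"], ev["dst"]))
        if pkts and abs(ev["time"] - pkts[0]["ts"]) <= slack:
            result.append((ev, sorted({p["dport"] for p in pkts})))
        else:
            result.append((ev, None))  # event with no packet evidence
    return result


if __name__ == "__main__":
    scans = find_port_scans(parse_tcpdump(SAMPLE_TCPDUMP))
    for ev, ports in correlate(SAMPLE_EVENTS, scans):
        print(ev["name"], ev["src"], "->", ev["dst"], "ports:", ports)
```

With a real capture, feed `tcpdump -n -tttt -r scan.pcap` output to `parse_tcpdump`; an event that comes back with `None` is the case Sergey describes, where the console reports a scan but nothing on the wire between the two hosts backs it up, and that is the one to look at first.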
