[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW1] Who is scanning what

To: Lance Spitzner <spitzner@dimension.net>
Subject: Re: [FW1] Who is scanning what
From: Paul V. Alukal <palukal@ra.hpw.stf.bms.com>
Date: Fri, 30 Apr 1999 11:13:28 -0400 (EDT)
Cc: fw-1-mailinglist@softwhisper.us.checkpoint.com, ids@uow.edu.au


I'm not surprised to hear that more and more networks are being
scanned, due to the availability of numerous free and powerful network
tools available on the net.

However I think (from my experience on commercial and other intrusion
detection systems - I haven't used your ids technique using fw1), there
could be many false positive readings, and one need to tune the software
to figure out what exactly is happening.

Also remember, the greatest real threat to any network comes from
inside (insiders who have access to protected systems), and not
from outside.

Paul V. Alukal
Consultant  ( http://www.securedigit.com )
Bristol-Myers Squibb Company
Princeton


On Fri, 30 Apr 1999, Lance Spitzner wrote:

> 
> As several of you may know, I have been tracking
> scans to a specific network using an IDS script
> developed for Check Point Firewall 1.
> http://www.enteract.com/~lspitz/intrusion.html
> 
> Below you will find the scan statistics.  You should
> find these numbers signifigant because the network scanned
> is a small 6 IP network (255.255.255.248), it has
> no commercial signifigance and is relatively unkown.
> In other words, if this little network is getting scanned,
> then so is yours.  Many of these scans have been confirmed
> by other members of the Check Point community.
> 
> --- Scan results for the month of April ---
> 
> >From 1 to 30 April, the network was scanned by
> 73 unique hosts.
> 
>   13 telnet
>   13 imap
>   12 domain-tcp (zone transfers)
>   11 ftp
>   10 Back_Orifice
>    7 portmapper
>    4 pop-3
>    3 smtp
> 
> --- snip snip ---
> 
> For more information on these scans, check out the actual
> scan logs at 
> http://www.enteract.com/~lspitz/alert.log
> 
> I would classify most of the scans as "script kiddie" 
> attacks.  To learn more about script kiddie tools and
> methodologies, check out
> http://www.enteract.com/~lspitz/enemy.html
> 
> Hope this info helps :)
> 
> Lance Spitzner
> http://www.enteract.com/~lspitz/papers.html
> Internetworking & Security Engineer
> Dimension Enterprises Inc
> 
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: [FW1] Securemote
Next by Date: [FW1] Logviewer question.
Prev by thread: [FW1] Who is scanning what
Next by thread: [FW1] GUI client for Win95?
Index(es):
- Date
- Thread