I recently had a migration from one internet uplink to another to do for a client. As with many organizations, they have about 40% of their workforce at head office, and 60% (and sometimes more) of their workforce operating remotely, so taking the Firewall and especially the VPN services offline is a very big deal. There is no good time to take things down given that their sales force has people in just about every time zone, there are just times that are "less bad" than others.
If you've found malware with plain old text logs as a primary source or using a log analysis tool, please let us know using our comment form!
===============
Rob VandenBrink, ISC Handler, Dec 3rd 2013
A couple of jobs ago I did a lot of work on the firewall logs, and found tons of malware, misconfigured systems, adware from browser helper objects, "funny behavior" (ie: every time you print to a certain printer, it opened a connection to a server on the internet). I found it all just by doing traffic analysis on the firewall and bluecoat logs. A lot of bad traffic I could find by just grouping source ip /destination ip/destination ports together and seeing what runs 24/7.
Posted by Kenneth, Dec 3rd 2013
Hi Rob,
Thanks for your diary. I don't remember checking ICMP payload; a few times it's interesting for finding what tool or another used... Regards @Rmkml
Posted by Rmkml, Dec 3rd 2013
Quoting comment#28616: Spam on the ISC web site... Wow, that's embarrassing....
Posted by Anonymous, Dec 4th 2013
We reject about 100+ spam signups a day. Once in a while something slips through. In some cases they look like they are manually entered.
Posted by Johannes, ISC Handler, Dec 4th 2013
I work in an enterprise, so lots of devices.
We have closed our firewalls for most outgoing traffic, including web. That has to go through a proxy. As a result, when I look at rejects on the inside FW, I see so much noise that it is impossible to get operations to clean the stuff up. It is printers, it is one machine talking to another on a decommissioned subnet, you name it, we got it. Even though our rules say to never route 192.168.x.y, we see traffic to those, and from those. Shows that anti-spoofing would make a difference even on an internal network.
Posted by Povl H., Dec 4th 2013
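The two triage techniques in this thread, Kenneth's "group by source IP / destination IP / destination port and see what runs 24/7" and Povl H.'s "look at rejects on the inside firewall for traffic touching a range policy says is never routed", can both be done with a few dozen lines over plain text logs. The script below is an added example written for this page; it is not code from the diary or from any commenter. The log line format, the field names, the sample lines and the 192.168.0.0/16 never-route range are constructed for the example; the regex is the only part you would need to adapt to a real firewall's format.

```python
"""Added example (not part of the ISC diary or its comments): a small
firewall-log triage script in the spirit of two techniques commenters
describe.

 - Kenneth: group flows by (source IP, destination IP, destination port)
   and look for tuples that are active around the clock.
 - Povl H.: on an inside firewall that denies most egress, look at the
   rejects and flag anything involving an address range that policy says
   should never be routed (192.168.x.y in the comment).

Log format, field names and sample lines are constructed for this example.
"""
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed, vendor-neutral line format (assumption, not a real product's):
# <YYYY-MM-DD HH:MM:SS> <ALLOW|DENY> src=<ip>:<port> dst=<ip>:<port> proto=<p>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+)$"
)

# The range the commenter's policy says must never be routed.
NEVER_ROUTE = ipaddress.ip_network("192.168.0.0/16")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def parse_log(lines):
    """Parse every line, silently skipping lines that do not match the format."""
    return [r for r in (parse_line(line) for line in lines) if r]


def round_the_clock(records, min_hours=20):
    """Group flows by (src, dst, dport) and return the tuples seen in at least
    `min_hours` distinct hours of the day, most persistent first. Beaconing
    hosts and misconfigured devices that never stop talking surface here."""
    hours = defaultdict(set)
    for r in records:
        hours[(r["src"], r["dst"], r["dport"])].add(r["ts"].hour)
    return sorted(
        ((key, len(seen)) for key, seen in hours.items() if len(seen) >= min_hours),
        key=lambda kv: -kv[1],
    )


def never_route_hits(records):
    """Denied flows whose source or destination lies in the never-route range."""
    hits = set()
    for r in records:
        if r["action"] != "DENY":
            continue
        src = ipaddress.ip_address(r["src"])
        dst = ipaddress.ip_address(r["dst"])
        if src in NEVER_ROUTE or dst in NEVER_ROUTE:
            hits.add((r["src"], r["dst"], r["dport"]))
    return sorted(hits)


def sample_log():
    """Constructed sample: one host talks to an outside address every hour of
    the day, a normal workstation browses during office hours, and a printer
    plus a spoofed source touch the never-route range and get denied."""
    lines = []
    for h in range(24):
        lines.append(f"2013-12-03 {h:02d}:15:00 ALLOW src=10.1.1.50:51{h:03d} "
                     f"dst=203.0.113.9:443 proto=tcp")
    for h in range(9, 17):
        lines.append(f"2013-12-03 {h:02d}:30:00 ALLOW src=10.1.1.20:42{h:03d} "
                     f"dst=198.51.100.7:80 proto=tcp")
    lines.append("2013-12-03 10:00:01 DENY src=10.1.2.100:9100 dst=192.168.5.1:9100 proto=tcp")
    lines.append("2013-12-03 11:00:01 DENY src=192.168.7.7:1234 dst=10.1.1.1:53 proto=udp")
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    recs = parse_log(sample_log())
    print("Flows active around the clock ((src, dst, dport), distinct hours):")
    for key, n in round_the_clock(recs):
        print("  ", key, n)
    print("Denied flows touching the never-route range:")
    for hit in never_route_hits(recs):
        print("  ", hit)
```

On the constructed sample the first report lists only the host that reaches 203.0.113.9:443 in all 24 hours, and the second lists the printer reaching into 192.168.5.1 and the packet claiming a 192.168.7.7 source; both are exactly the kind of entry the commenters say stands out once the egress logs are otherwise quiet. Replacing `sample_log()` with a file read and `LINE_RE` with your firewall's format is all that is needed for real logs.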
Yes, same here. The ops folks don't care about what their stuff is doing or how it's doing it as long as the system appears to be working and clueless managers don't get it either. Fairly clean attempted egress logs means it's a snap to see an infected or unauthorized machine. Just keep gently pushing because some day you'll need those CYA emails and meeting notes to demonstrate why your company was owned and you didn't notice in a timely manner. Nothing will change until managers adopt a performance goal of "no re-work" and they will go on arguing that they have better things to do than clean up the mess they never should have allowed in the first place. It's just another aspect of our chosen careers.
Posted by Anonymous, Dec 4th 2013
Quoting Povl H.: I work in an enterprise, so lots of devices.
Posted by Brent, Dec 4th 2013