SANS inform that there is a significant increase in port 443 scans. They said if you see attacks against https servers, please let them know. If you see something like that, I think you can send your web server logs/IDS logs/Firewall logs to them to confirm whether there is an attack or not.
http://isc.sans.org/diary.html?storyid=2673
Last year, I got the same problems at my client site. One of my team reported to my Security Consultant that she detected series of Attack Response alerts from our Snort IDS. This alert involves 443 port (https). So we analyzed that alert and checked the source IP because the 443 service comes from that source IP. After analyzing that alert, we confirmed that there is no SSL/https related services available on the source IP. It looks like a normal website. There is no https service available on that IP. If there is https service, it should be encrypted. We want to analyze details and make decision about that alert, but we didn't have more resources. Maybe attacker was compromised earlier and installed backdoor/trojan/malware at that IP and used it to communicate through 443 port? Or maybe misconfiguration?? See this link:
http://blog.hazrulnz.net/121/finally-2.html
From my experience, this question is not easy to answer if you only have Snort alerts. It will make this question too difficult to answer. Looking at the alerts, there is nothing else we can do. You cannot give right answer to this question.
That's why I like to use Sguil. Sguil is an open source suite for performing NSM (Network Security Monitoring). NSM equips security staff to deal with the inevitable consequences of too few resources and too many responsibilities. NSM collects the data needed to generate better assessment, detection, and response processes, resulting in decreased impact from unauthorized activities.
skip to main |
skip to sidebar
Your Preferred Network Security Solutions Provider
Buy Hacker T-Shirt
Security Pro/Hackers Blog
- HackAreaSoft
- CarnalOwnage
- DigiNinja
- PaulDotCom
- The Hacker News
- Rapid7 Community Blog (Metasploit)
- SANS Pentesting
- Dark Reading
- Darknet- Ethical Hacking n Penetration Testing
- 1337 Exploit Database- inj3ct0r Team
- Exploit Database by Offensive Security
- gunslinger_blog
- IRCRASH
- H4x0re Security Project Official
- Open Information Security Foundation
- Hacking Truth
- Rapid7 Security Blog
- HackingExpose
- Netinfinity Security Blog
- Expert Hackers (Genius Rampal)
- Positive Technologies
- Security Directory
- Premium InfoSecurity Directory
- Online Security Blog
- TokNik
- Semey
- PakBugs
- HackerzHub-Exploits&Vulnerabilities
- Lifedork-Hacking Tutorial
- Offensive Security -Backtrack
- Internet Archive
- 0kn0ck
- Rootsecure
- Security Distro
- Security-Global Perspective
- 360 Security
- SYNful Packet
- Metasploit Blog
- PfSense
- Hack-Tech
- Default Password List
- Security Video
- GeniusHackers.Com
- Computer and Network Security-Mamak Style
- SecurityFocus
- SecurixLive
- HowtoForge
- Anak Melayu Pening
- Trivia Security
- Brettz
- Marco Ramilli
- Raw Packet Community
- Hack In The Box
- Geek00l
- Ayoi
- Hackers Center by Zinho
- SANS- Internet Storm Center
- Bleeding Edge Threat -IDS
- Taosecurity Blog
About NSM Security Solutions
- Johncrackernet
- KL, Kuala Lumpur, Malaysia
- We are one of the network security company in Malaysia. We have our security consultant specialists who can perform penetration testing, network security monitoring, and computer forensic investigation. If you need our services, please email to johncrackernet@yahoo.com
Posts
1 comment:
Can anyone recommend the top performing Managed Service software for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central configuration management
? What is your best take in cost vs performance among those three? I need a good advice please... Thanks in advance!
Post a Comment