Re: Intrusion Statistics

To: Walter Hurry <walterhurry@lavabit.com>
Cc: debian-user@lists.debian.org
Subject: Re: Intrusion Statistics
From: shawn wilson <ag4ve.us@gmail.com>
Date: Fri, 5 Aug 2011 13:31:37 -0400
Message-id: <[🔎] CAH_OBid2V6GmYE-rhHd2oT7U+YQywWXMuSgJXA9y4rsKGr3e-A@mail.gmail.com>
In-reply-to: <[🔎] j1h7pm$df9$2@dough.gmane.org>
References: <[🔎] j1gnme$cjh$1@dough.gmane.org> <[🔎] j1gnvv$cjh$2@dough.gmane.org> <[🔎] CAH_OBic+o+X7tm71sjmchN69VcZJ6zgDrfJRC2qwC4=XOD3yyw@mail.gmail.com> <[🔎] j1h7pm$df9$2@dough.gmane.org>

On Fri, Aug 5, 2011 at 13:03, Walter Hurry <walterhurry@lavabit.com> wrote:
> On Fri, 05 Aug 2011 11:59:51 -0400, shawn wilson wrote:
>
>> 1. How are you figuring the source country? If you're looking at the ip
>> in the handshake and comparing this to a db of ip / country, you're only
>> looking at half of the story. If you're a bit smarter and have a list of
>> border routers that country owns and are looking at that for the source
>> country, this is probably better.
>
> My router emails me with its log when it fills, with entries like these:
> Aug  4 07:52:42  |  Drop TCP packet from WAN (src:58.218.199.250:12200,
> dst:nnn.nnn.nnn.nnn:nn) by default rule
> Aug  4 06:25:53  |  Drop PING request from WAN (ip:200.164.216.90).
>
> I just have a small shell script which reads the emails, extracts the IP
> addresses and does a lookup on my Geo IP database. Nothing elaborate.
>

darn, somehow my email got cut off. however this pretty much showed
half of what i'm getting at:
the statistics don't mean much. maybe the ping stats, but that's about
it. also (as has been stated here) you don't really 'know' what
country this stuff is coming from for many reasons. if you want some
interesting stats, you might look into the 'verizon breech report'
(read their diagnosis and not just the charts too). this is for the
us, so some information might not apply as much to you however....

i have looked at these stats when monitoring snort logs and most of
what you are probably seeing (most of what i saw) was not malicious
data (and at that point, with an ids, you think about how you might
improve the rule so that you don't see that but still see bad stuff).
what you are likely to see if you go into it is:
1. universities and governments mapping and scanning the internet
(sorta fun to look at the source and read up on their projects)
2. badly written programs messing up or malware or kids messing around
3. people actually trying to accomplish something (i've never seen
this in a snort log)

i don't know that i have enough knowledge (or maybe i have not put
enough thought into how to find what you want) to figure out how to
benchmark what you think you have. however, i don't think that your
numbers mean anything. they are numbers, yes, but imo, meaningless.

Reply to:

Follow-Ups:
- Re: Intrusion Statistics
  - From: Walter Hurry <walterhurry@lavabit.com>

References:
- Intrusion Statistics
  - From: Walter Hurry <walterhurry@lavabit.com>
- Re: Intrusion Statistics
  - From: Walter Hurry <walterhurry@lavabit.com>
- Re: Intrusion Statistics
  - From: shawn wilson <ag4ve.us@gmail.com>
- Re: Intrusion Statistics
  - From: Walter Hurry <walterhurry@lavabit.com>

Prev by Date: Re: Intrusion Statistics
Next by Date: Re: thread issue
Previous by thread: Re: Intrusion Statistics
Next by thread: Re: Intrusion Statistics
Index(es):
- Date
- Thread