Ganu Skop wrote:
> I pretty much depend on looking for what is not
> normal (!=normal) so that I am able to define if
> there is an attack or recon, etc.
> Isn't it good if someone has something like what is
> normal and what is not normal?

That's definitely a good thing to know! Part of the problem I'm having is that "normal" user activity ends up looking like an attack more often than I expected. That's why I started trying to take note of scenarios where regular users do regular user things which end up causing a lot of logon failures and such in my logs.

One example includes using pass-through authentication to log in from one Windows box to another while having a persistent drive mapping to that server. After the "source" account password is changed, all heck breaks loose as the persistent drive mapping keeps trying to reestablish itself to the other server until either the password on that target server is synched up or the persistent drive mapping is torn down. From the target server's perspective, all you see is a bunch of login failures against a single account. So, you sit and wonder if it's a brute force attack or just a user being a user.

As most of us probably do, I start with the worst and hope for the best :/

W K

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
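The ambiguity W K describes (a pile of logon failures against one account that could be a brute-force attempt or a stale persistent drive mapping) is one that a small triage script can help with. The following is an added example, not code from the post or the LogAnalysis list. The log line format, hostnames, account names, timestamps and thresholds are all constructed for the example; the heuristic it applies is an assumption of mine, not something the post states: failures that come from one source against one account at a steady retry cadence look like an automated reconnect (the mapped-drive case), failures from one source against many accounts in seconds look like guessing, and an irregular burst against one account is left flagged as the ambiguous case that still needs a human.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: logon-failure records as a target server might export them.
# The line format, hostnames, account names and timestamps are made up for this
# example; they are not taken from the original post.
SAMPLE_LOG = [
    # One workstation retrying one account every five minutes: the shape a
    # persistent drive mapping produces after the source account's password changed.
    "2002-10-24 09:00:00 LOGON_FAILURE account=jsmith source=WS-FINANCE-07",
    "2002-10-24 09:05:00 LOGON_FAILURE account=jsmith source=WS-FINANCE-07",
    "2002-10-24 09:10:00 LOGON_FAILURE account=jsmith source=WS-FINANCE-07",
    "2002-10-24 09:15:00 LOGON_FAILURE account=jsmith source=WS-FINANCE-07",
    "2002-10-24 09:20:00 LOGON_FAILURE account=jsmith source=WS-FINANCE-07",
    # One source failing against several different accounts within seconds.
    "2002-10-24 09:12:03 LOGON_FAILURE account=administrator source=10.0.9.44",
    "2002-10-24 09:12:04 LOGON_FAILURE account=backup source=10.0.9.44",
    "2002-10-24 09:12:04 LOGON_FAILURE account=guest source=10.0.9.44",
    "2002-10-24 09:12:05 LOGON_FAILURE account=jdoe source=10.0.9.44",
    # One source hitting one account in an irregular burst: still ambiguous.
    "2002-10-24 10:00:00 LOGON_FAILURE account=jsmith source=10.0.9.51",
    "2002-10-24 10:00:01 LOGON_FAILURE account=jsmith source=10.0.9.51",
    "2002-10-24 10:00:01 LOGON_FAILURE account=jsmith source=10.0.9.51",
    "2002-10-24 10:00:03 LOGON_FAILURE account=jsmith source=10.0.9.51",
    "2002-10-24 10:00:04 LOGON_FAILURE account=jsmith source=10.0.9.51",
    "this line is malformed and should be skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGON_FAILURE "
    r"account=(?P<account>\S+) source=(?P<source>\S+)$"
)


def parse(lines):
    """Return (timestamp, account, source) tuples; lines that don't match are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["account"], m["source"]))
    return events


def classify_sources(events, min_events=4, jitter=0.2, spray_accounts=3):
    """Give each source host a coarse verdict (thresholds are example assumptions).

    single-account-regular-retry   one account, evenly spaced retries: consistent
                                   with an automated reconnect such as a stale
                                   mapped drive; confirm against the password-change
                                   time before closing it out
    many-accounts-from-one-source  several accounts from one source: guessing shape
    single-account-irregular       one account, uneven timing: needs a human look
    too-few-events                 not enough data to say anything
    """
    by_source = defaultdict(list)
    for ts, account, source in events:
        by_source[source].append((ts, account))

    verdicts = {}
    for source, evs in by_source.items():
        evs.sort()
        accounts = {account for _, account in evs}
        if len(accounts) >= spray_accounts:
            verdicts[source] = "many-accounts-from-one-source"
            continue
        if len(evs) < min_events:
            verdicts[source] = "too-few-events"
            continue
        # Seconds between consecutive failures; a reconnect loop retries on a timer,
        # so every gap sits close to the median gap.
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        med = median(gaps)
        regular = med > 0 and all(abs(g - med) <= jitter * med for g in gaps)
        if len(accounts) == 1 and regular:
            verdicts[source] = "single-account-regular-retry"
        else:
            verdicts[source] = "single-account-irregular"
    return verdicts


if __name__ == "__main__":
    for source, verdict in sorted(classify_sources(parse(SAMPLE_LOG)).items()):
        print(f"{source:16} {verdict}")
```

The cadence test is deliberately strict (every gap within 20% of the median), because a human typing passwords or a guessing tool with random delays rarely produces a metronome; the verdict is a triage hint to pair with the account's last password-change time, not a final call.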
This archive was generated by hypermail 2b30 : Thu Oct 24 2002 - 17:46:41 PDT