Well, I don't have any machines running MS-SQL (lucky me).

My logs show dropped packets (I am using IPchains on this particular host):

Denied packets from 10.229.153.198.
   Port ms-sql-m (udp,eth3,input): 1 packet(s).
   Total of 1 packet(s).
Denied packets from 10.229.42.231.
   Port ms-sql-m (udp,eth3,input): 1 packet(s).
   Total of 1 packet(s).

I find it odd that the probes came from RFC 1918's. I also have some that came from multicast and broadcast addresses.

I am looking into the logs in my honeypots. I am a bad log-admin. I don't consolidate my logs or use central repositories. But I do have the logs in several places. I'll post when I know more.

> ----------
> From: Eric Fitzgerald
> Sent: Tuesday, January 28, 2003 11:46 AM
> To: Tina Bird; eric.schultzeat_private; Johannes Ullrich;
> loganalysisat_private
> Subject: [logs] RE: log data?
>
> Investigating- I just returned from OOF and I don't have logs from an
> infected machine yet.
>
> -----Original Message-----
> From: Tina Bird [mailto:tbird@precision-guesswork.com]
> Sent: Saturday, January 25, 2003 8:09 PM
> To: eric.schultzeat_private; Eric Fitzgerald; Johannes Ullrich;
> loganalysisat_private
> Subject: log data?
>
>
> On Sat, 25 Jan 2003, Johannes Ullrich wrote:
> > > oh well.. back to counting packets. BTW: Any idea what this worm looks
> > > like in any MSFT application logs?
>
> So now that the feathers are settling -- anyone have Event Log data
> signatures of Sapphire/SQL Slammer, successful or otherwise?
>
> thanks -- tbird
>
> --
> I, on the other hand, do not work. I enjoy the slothful life of an
> artist, and while away the hours in meaningless aesthetic pursuits
> punctuated by bouts of hedonistic debauchery and an occasional nap.
> -- David Rinehart
>
> http://www.shmoo.com/~tbird
> Log Analysis http://www.loganalysis.org
> VPN http://vpn.shmoo.com
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysisat_private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
>
>
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis

This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 09:54:36 PST