[Dshield] 1026-27

Pete Cap peteoutside at yahoo.com
Thu Aug 11 17:32:30 GMT 2005


Paul,
 
Define "noise."
You've excluded 95% of the traffic you see as junk.  The rest should be worth analysing.
 
You can get a lot via traffic analysis.  This is a good place to start:
http://www.giac.org/certified_professionals/practicals/gsec/4025.php
("Netflow analysis for the security professional")
 
You may also benefit from learning about MINDS (Minnesota IDS), a pretty good anomaly-detection system based on data mining:
http://www.cs.umn.edu/research/minds/
 
I am working on a toolkit for performing these kinds of techniques, geared towards the IT Security professional who, like yourself, is zealous in defending his network but perhaps missing some knowledge about what noise and patterns really are, how to find them, and what significance they can have.  Feel free to e-mail me offlist if you're interested.
 
Regards,
 
Pete

Paul Marsh <pmarsh at nmefdn.org> wrote:

Firewall? Hey that's a good idea, only kidding ;) I understand what
they are. I guess I should have been a little more detailed in my first
post. Are the source ports accurate or spoofed? I guess I'm looking
for a way to get to the bottom of this stuff and get it shut down. My
log is split 50% 1026 and 45% 1027, it's a pain in the butt trying to
find legit stuff through all this freaking noise.

Thanx, Paul

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Frank Knobbe
Sent: Thursday, August 11, 2005 12:04 PM
To: General DShield Discussion List
Subject: Re: [Dshield] 1026-27

On Thu, 2005-08-11 at 11:47 -0400, Paul Marsh wrote:
> 1026-27 just keeps rising, any ideas how to stop it?

Uhm.... with a firewall?

Seriously, the vast majority of UDP 1026-1027 are pop-up message, pop-up
spam and pop-up scam alike. You can't do anything to stop them coming
down your Internet pipe, unless you tell your ISP to filter those
upstream.

Log them and report them to DShield if you like, or ignore them. That's
about it.

Cheers,
Frank


--

The information in this transmittal (including attachments, if any) is privileged and confidential and is intended only for the recipient(s) listed above. Any review, use, disclosure, distribution or copying of this transmittal is prohibited except by or on behalf of the intended recipient. If you have received this transmittal in error, please notify me immediately by reply email and destroy all copies of the transmittal. Thank you.


_______________________________________________
send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


More information about the list mailing list