[unisog] registering servers

Gary Flynn flynngn at jmu.edu
Fri Jul 28 01:04:44 GMT 2006


Tim Eden (te) wrote:

> To those people that have a default deny policy and spent time 
> beforehand monitoring traffic and deciding which servers to allow 
> through initially - what sort of tools/methodology did you use to do this?

tcpdump to collect the data:

(tcp[tcpflags] & tcp-syn != 0) and (tcp[tcpflags] & tcp-ack != 0)
and src net 134.126
and not src net 134.126.xx
and not src net 134.126.yy
and not src net 134.126.zz
and not dst port 20

We also had BPF statements to parse out common servers and, at
one time, parsed out ones we'd already found but after a point
the list got long enough that tcpdump performance was
impacted quite a bit.

Some ugly perl code parsed the pcap files to parse out scans and
things like servers on port 6346. Then it generated a bunch of
files like:

/serverIPPortPairByActivity.txt
/serverPortCountsByServer.txt
/serverPortCountsByNumPorts.txt
/serverPortIPPairByActivity.txt

In the end, some unscientific, tedious eyeball data analysis using
those files with "don't impact operations" the primary goal. That
resulted in grandfathering in more servers than necessary but we
still managed to unexpose 85% of the populated address space (plus
all the unpopulated address space). We're still sporadically working
through the grandfathered list manually when we have idle cycles
to spare.

We also polled departments ahead of time to get lists from them
whenever possible.

I don't remember blocking more than 2 or 3 mistakenly.

-- 
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
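A worked version of the collect-and-tally step described above, added here as an example; it is not the poster's perl code. It applies the same SYN+ACK filter to constructed "tcpdump -n" text lines and builds the per-server port tallies behind the files listed in the post. The sample lines, the 198.51.100/24 outside addresses and the 134.126.99.0/24 stand-in for the excluded xx/yy/zz subnets are assumptions.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
# Constructed "tcpdump -n" lines, not a real capture: 134.126/16 is the campus range
# from the post, 198.51.100/24 stands in for outside clients. tcpdump prints
# Flags [S.] for SYN+ACK and [.] for a bare ACK.
SAMPLE_LINES = """\
12:00:01.000001 IP 134.126.10.5.80 > 198.51.100.7.51234: Flags [S.], seq 1, ack 2, win 64240, length 0
12:00:01.000002 IP 134.126.10.5.80 > 198.51.100.8.51235: Flags [S.], seq 1, ack 2, win 64240, length 0
12:00:01.000003 IP 134.126.10.5.443 > 198.51.100.9.51236: Flags [S.], seq 1, ack 2, win 64240, length 0
12:00:01.000004 IP 134.126.20.9.6346 > 198.51.100.10.51237: Flags [S.], seq 1, ack 2, win 64240, length 0
12:00:01.000005 IP 134.126.99.1.22 > 198.51.100.11.51238: Flags [S.], seq 1, ack 2, win 64240, length 0
12:00:01.000006 IP 198.51.100.7.51234 > 134.126.10.5.80: Flags [.], ack 2, win 64240, length 0
12:00:01.000007 IP 134.126.10.5.49152 > 198.51.100.12.20: Flags [S.], seq 1, ack 2, win 64240, length 0
"""

LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")
INTERNAL = ip_network("134.126.0.0/16")
EXCLUDED = [ip_network("134.126.99.0/24")]  # stand-in for the post's xx/yy/zz subnets (assumed)

def is_server_reply(src_ip, dst_port, flags):
    """Mirror the BPF filter: SYN+ACK from the campus range, minus the excluded
    subnets, minus replies to dst port 20 (an internal FTP client answering an
    external active-mode data connection, which would otherwise look like a server)."""
    if "S" not in flags or "." not in flags:
        return False
    src = ip_address(src_ip)
    if src not in INTERNAL or any(src in net for net in EXCLUDED):
        return False
    return dst_port != 20

def inventory(text):
    """Return (SYN+ACK count per (server IP, port), set of answering ports per server)."""
    pair_activity = Counter()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src_ip, src_port, _dst_ip, dst_port, flags = m.groups()
        if is_server_reply(src_ip, int(dst_port), flags):
            pair_activity[(src_ip, int(src_port))] += 1
    ports_by_server = defaultdict(set)
    for ip, port in pair_activity:
        ports_by_server[ip].add(port)
    return pair_activity, dict(ports_by_server)

def servers_by_num_ports(ports_by_server):
    """Servers ordered by how many distinct ports answered, busiest first."""
    return sorted(ports_by_server, key=lambda ip: (-len(ports_by_server[ip]), ip))
```

`inventory(SAMPLE_LINES)` gives the IP/port activity counts and per-server port sets; `servers_by_num_ports` is the "by number of ports" ranking, which surfaces the multi-service hosts worth reviewing first.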