Bonus Question

Provide some high-level metrics about the data (such as most frequently targeted ports, etc) and make some conclusions based on them.

Some High Level Metrics

• CountryData - Geographical Distribution of the Attackers
• DetailGraph - Graphical representation of the traffic: 10 minutes per pixel increment
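As an added example (not part of the original submission or its toolkit), the following Python script computes the kind of high-level metrics listed above from a handful of constructed iptables/syslog-style firewall log lines: the most frequently targeted ports, a country distribution of the sources (a hypothetical prefix-to-country table stands in for a GeoIP database), packet counts per 10-minute bucket as a DetailGraph would plot them, and one simple correlation, sources that touched several distinct ports, of the sort the conclusions below describe. The log format, the addresses and the country codes are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in iptables/syslog style (the challenge's real log
# format is not shown on this page); addresses come from documentation ranges.
SAMPLE_LOG = """\
Mar  1 00:02:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4321 DPT=80
Mar  1 00:05:42 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=1234 DPT=445
Mar  1 00:11:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP SPT=4322 DPT=80
Mar  1 00:12:59 fw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=1434
Mar  1 00:25:17 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=1235 DPT=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

# Hypothetical prefix -> country table standing in for a GeoIP lookup.
GEO_PREFIXES = {"203.0.113.": "AA", "198.51.100.": "BB", "192.0.2.": "CC"}


def country_of(ip):
    """Map a source address to a country code via the (hypothetical) prefix table."""
    for prefix, cc in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def parse_log(text, year=2003):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "src": m["src"], "proto": m["proto"], "dpt": int(m["dpt"])})
    return events


def top_ports(events, n=5):
    """Most frequently targeted (protocol, destination port) pairs."""
    return Counter((e["proto"], e["dpt"]) for e in events).most_common(n)


def country_distribution(events):
    """CountryData-style metric: packets per source country."""
    return dict(Counter(country_of(e["src"]) for e in events))


def traffic_buckets(events, minutes=10):
    """DetailGraph-style metric: packets per fixed-width time bucket."""
    buckets = Counter()
    for e in events:
        t = e["ts"]
        slot = t.replace(minute=(t.minute // minutes) * minutes, second=0, microsecond=0)
        buckets[slot] += 1
    return dict(sorted(buckets.items()))


def multi_port_sources(events, min_ports=2):
    """Sources that touched several distinct ports: one relationship worth
    correlating, since a single hit on port 80 by itself says very little."""
    ports = defaultdict(set)
    for e in events:
        ports[e["src"]].add(e["dpt"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("top ports:", top_ports(evs))
    print("by country:", country_distribution(evs))
    for slot, n in traffic_buckets(evs).items():
        print(slot.strftime("%H:%M"), "#" * n)
    print("sources hitting multiple ports:", multi_port_sources(evs))
```

Run as a script it prints the four metrics, the bucket counts as a text bar chart. Swapping `SAMPLE_LOG` for a real file and `GEO_PREFIXES` for a proper GeoIP lookup is all that changes for real data; the bucket width is the `minutes` argument, so the 10-minutes-per-pixel graph and, say, an hourly overview come from the same function.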
Conclusions / Lessons Learned

Every day on the Internet is a busy one.

Unfortunately, it is very difficult to analyse JUST firewall logs without full packet payloads and without other logging mechanisms (such as the Honeynet Project's keylogging shells, Sebek and the like).

The main problem is that a packet to some port (say, destination port 80) can be several things: a scan, a probe, an exploit, a visitor on the web page, a worm (which one of the many?), etc.

The best we can do is try to find relationships within the data, correlate them, and make the best guess we can at what happened.

With peer review (thanks to efforts such as DShield, the antivirus vendors' pages, and Google) it is sometimes possible to make MORE sense of it, and to confirm an otherwise vague idea. Other times, of course, you find out that it was a stupid idea.

We learned a great deal about working together and about developing and integrating our toolkits (see ToolsUsed).

We lost a lot of sleep in the process. We sincerely hope you'll enjoy this effort. We keep going. We have had yet another opportunity to refine the components of what we are using for the production honeynet we are setting up.

We hope you can learn some technique or tip, or just feel the 'atmosphere' in which we interacted.
Reference Data