Disclaimer: the views expressed in this article are those of the author and not his employer, management, fellow lackies, or family.
So you have a boat load of vents or correlate, and no big budget automated tools. Well , you may have some tools, but its likely that they aren't login up to to sales hype.
Lets look at some basic tools. Your event is typically a source IP address, a destination IP address and maybe a port number.
First off, work out the DNS names. You can use nslookup for internal IP addresses and websites such as ipvoid and speedguide.net for external addresses.
Google the port number and see what the web says are common sues of the port.
For internal windows systems, get sysinternals tools, particularly psloggedon.exe which can tell you who's logged onto the internal system.
If psloggedon doesn't work, try connecting to the c$ administrative share of the windows system and looking at the user profiles folders under the users folder.
These basic tds can get your started.
For a small network, see if you can get a security onion system or a Trisul system with is span port on the outside o you dmz. This can give you all this info and more with the click of an icon or two ifrerly configured.
Cheers and more next time.
S. Russell. Dyer BS CNE CISSP CRISC Security+ CICP
Information Security Analyst and mobile device geek.
No comments:
Post a Comment