Does anyone know of a tool that can accept a list of IP addresses and spit out their origin?
I have a list of addresses that have scanned and attacked a target overnight.
I wish to show what good use we have of our firewalls and want to show my boss what a great job they are doing, so he in turn can show the bosses above him what a great job we are doing and make it easier for him to ask for more money for more security hardware, education and so on.
For that paper I would like to show where the attacks originate.
Preferably the country, but I would settle for the continent if need be.
Today I do about 100 of the attacking IP addresses over a month and check them via whois and then give an approximation, but this is quite boring work and I realise that there must be some way to do this automagically and save time and money.
So what software can I use to make this happen every day?
(For this example I use a 10. network, but in reality these would be real-world IP addresses.)
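One way to do the batch attribution the question asks for, as an added example that is not part of the original thread: feed a file of attacker addresses (one per line, as exported from the firewall logs) to a script that does a longest-prefix lookup against a prefix-to-country table and tallies hosts per country and per continent. The prefix table below is constructed from the RFC 5737 documentation ranges with invented country codes; in a real deployment you would load the prefixes from a GeoIP database (for instance MaxMind GeoLite2 through the geoip2 module) or from the RIR delegated-extended statistics files. RFC 1918 space is skipped because it cannot be attributed to a country.

```python
"""Batch country/continent attribution for a list of attacking IPs.

Added example, not from the thread. The prefix table is constructed:
real deployments load prefixes from a GeoIP database (e.g. MaxMind
GeoLite2 via the geoip2 module) or from RIR delegated-extended files.
"""
import ipaddress
import sys
from collections import Counter

# Constructed (country, continent) assignments for the RFC 5737
# documentation ranges. Invented for this example; not real data.
PREFIX_TABLE = [
    ("192.0.2.0/24",     "SE", "EU"),
    ("198.51.100.0/24",  "US", "NA"),
    ("203.0.113.0/24",   "CN", "AS"),
    ("203.0.113.128/25", "JP", "AS"),   # more specific than the /24 above
]

# RFC 1918 space cannot be attributed to a country; it usually means the
# log captured an internal address or a 10.x lab network.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Longest prefix first so that 203.0.113.128/25 wins over 203.0.113.0/24.
NETWORKS = sorted(
    ((ipaddress.ip_network(p), cc, cont) for p, cc, cont in PREFIX_TABLE),
    key=lambda t: t[0].prefixlen, reverse=True)


def lookup(ip):
    """Return (country, continent) for one address string."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return ("private", "-")
    for net, cc, cont in NETWORKS:
        if addr in net:
            return (cc, cont)
    return ("unknown", "unknown")


def summarize(ips):
    """Count attacking hosts per country and per continent.

    ``ips`` is any iterable of lines; blanks, '#' comments and malformed
    entries are skipped, and duplicates are counted once so a single noisy
    host does not dominate the picture.
    """
    countries, continents = Counter(), Counter()
    seen = set()
    for raw in ips:
        ip = raw.split("#")[0].strip()
        if not ip or ip in seen:
            continue
        try:
            cc, cont = lookup(ip)
        except ValueError:          # not an IP address at all
            continue
        seen.add(ip)
        countries[cc] += 1
        continents[cont] += 1
    return countries, continents


def report(ips):
    """Plain-text tables suitable for pasting into the monthly report."""
    countries, continents = summarize(ips)
    lines = ["Country  Hosts", "-------  -----"]
    for cc, n in countries.most_common():
        lines.append(f"{cc:<8} {n:>5}")
    lines += ["", "Continent  Hosts", "---------  -----"]
    for cont, n in continents.most_common():
        lines.append(f"{cont:<10} {n:>5}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python geo_report.py attackers.txt   (one address per line)
    with open(sys.argv[1]) as fh:
        print(report(fh))
```

Run it daily from cron against the previous day's extracted source addresses and the per-country table is ready without any manual whois work; swapping the constructed table for a real prefix source is the only change needed.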
This is just my 2 cents' worth of comment. If you ask me, I would rather not purchase these tools and instead turn on the security features in the Cisco ASA, e.g. threat detection.
The reason I say this is because even if you know where the origin of the attack came from, that information is useless, simply because most of the time, if not all the time, these IP addresses are spoofed.
I would rather focus my attention on securing my network with the features available from Cisco, and show top management the number of network attacks detected and countered, than show a nice graph which sometimes really means nothing.
Over to you bro :-)
P/S: If you think this comment is useful, please rate it nicely :-)
Ramraj Sivagnanam Sivajanam
Technical Specialist/Service Delivery Manager – Managed Service Department
I already have the threat detection up and running, and IDS.
But it is not good enough.
So I have set up my own early warning system by just adding addresses and ports that are not in use, and thus created a sort of honeypot/net or tripwire via deny access-lists and statics going to addresses not in use. Anyone trying to connect to those addresses or ports trips the wire, so we know they are not a legitimate visitor.
And by logging those addresses and ports I can set filters and directly see when something hits those ports.
It also gives good statistics on what ports they are trying to access.
When it comes to spoofing IP addresses, I can tell you that we see that most of the time they are actually not spoofed,
but many times they are hosts taken over and used for scanning. However, sometimes we can see that the aggressor is trying to hide itself by using several spoofed addresses when they scan, to make it difficult to say which one was scanning, but that is quite rare, simply because they do not need to do that since they are scanning from a victim address, i.e. not something that will lead me to them. Since I get an early heads-up I can automatically track them during their scans.
If Cisco would set up a "honeypot" feature in the ASA I think that would give a load of information to help out the admins,
e.g. a honeypot SSH daemon that can give information on who is trying to access it and what accounts, passwords, encryption keys and so on, so that the admins can know what the attackers are up to.
So I do see your point but I respectfully disagree.
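The tripwire idea in the post above, written out as an added example (not code from the thread or from Cisco): parse the ASA 106023 deny messages that the deny access-lists produce, treat any hit on a deliberately unused address or port as a tripwire event, flag the source, build the per-port statistics the poster mentions, and then list what else each flagged source tried against live addresses, which is the "track them during their scans" part. The tripwire address and port sets and the syslog lines in SAMPLE_LOG are constructed for illustration; only IPv4 addresses are handled.

```python
"""Tripwire analysis of ASA 106023 deny logs.

Added example, not from the thread. TRIPWIRE_ADDRS, TRIPWIRE_PORTS and
the syslog lines in SAMPLE_LOG are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Addresses and ports that are deliberately unused (assumption): any hit
# on them comes from someone probing, never from a legitimate visitor.
TRIPWIRE_ADDRS = {"192.0.2.250", "192.0.2.251"}
TRIPWIRE_PORTS = {23, 3389, 5900}

# ASA syslog 106023: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
# by access-group ...". Only the fields needed here are captured (IPv4).
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src \S+?:(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) "
    r"dst \S+?:(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+)")

# Constructed sample log; 192.0.2.10 is a live host, .250/.251 are unused.
SAMPLE_LOG = """\
Jan 12 02:14:01 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/44321 dst inside:192.0.2.250/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 12 02:14:03 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/44322 dst inside:192.0.2.250/3389 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 12 02:15:10 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/51000 dst inside:192.0.2.10/8443 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 12 02:16:44 fw1 %ASA-4-106023: Deny udp src outside:203.0.113.77/5353 dst inside:192.0.2.251/161 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 12 02:17:02 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/44330 dst inside:192.0.2.10/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 12 02:17:09 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.9/40000 dst inside:192.0.2.10/5900 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 12 02:18:00 fw1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.20/50123 to inside:192.0.2.10/443
"""


def is_tripwire(dst, dport):
    """A hit is a tripwire event if it targets an unused address, or an
    unused port on a live address."""
    return dst in TRIPWIRE_ADDRS or dport in TRIPWIRE_PORTS


def analyze(log_text):
    """Return (flagged, port_stats, follow_on) from ASA syslog text.

    flagged:    Counter of tripwire hits per source address
    port_stats: Counter of destination ports probed on the tripwire
    follow_on:  for each flagged source, the (dst, dport) pairs it also
                tried against live addresses, i.e. the rest of its scan
    """
    flagged, port_stats = Counter(), Counter()
    other_hits = defaultdict(set)          # non-tripwire denies per source
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue                       # not a 106023 deny, ignore
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if is_tripwire(dst, dport):
            flagged[src] += 1
            port_stats[dport] += 1
        else:
            other_hits[src].add((dst, dport))
    follow_on = {src: other_hits.get(src, set()) for src in flagged}
    return flagged, port_stats, follow_on


def report(log_text):
    """Plain-text summary of who tripped the wire and what they probed."""
    flagged, port_stats, follow_on = analyze(log_text)
    out = ["Tripwire hits by source:"]
    for src, n in flagged.most_common():
        extra = sorted(follow_on[src])
        out.append(f"  {src:<16} {n:>3} hit(s); also tried: {extra or '-'}")
    out.append("Ports probed on the tripwire:")
    for port, n in port_stats.most_common():
        out.append(f"  {port:<6} {n:>3}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

In the sample, 198.51.100.7 is denied once against a live host but never touches the tripwire, so it stays unflagged; 203.0.113.5 trips the wire twice and its later attempt on the live web server shows up under "also tried", which is the early heads-up the poster describes. Feeding the real syslog stream instead of SAMPLE_LOG is the only change needed.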