Logfile Analysis: Identifying a Network Attack
This paper presents an in-depth look at what an automated network attack looks like in the logfiles, to better understand such attacks "after the fact". I will analyze two different attacks: for one, the type and intended goal are easy to determine, while the other is not so cut and dried, leaving some entertaining research for readers. I will use two recent logfiles, from June 23, 2001 and June 27, 2001, as each of these shows an automated attack. I will detail what I see in the logs and attempt to determine the computer(s) involved, the operating system(s) they run, and the tool(s) that were used. I will suggest ways to prevent damage from such attacks and provide links to associated patches, if available.
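To make the phrase "what an automated network attack looks like in the logfiles" concrete, the following is an added example (not code or data from the paper, and not drawn from its June 2001 logs). It parses constructed iptables/syslog-style firewall lines using RFC 5737 documentation addresses and applies the two signatures that distinguish an automated tool from a human: one source hitting many destination ports, or one source hitting many hosts on the same port, within a few seconds. The field names, the thresholds (`min_targets`, `max_window_seconds`) and the assumed year 2001 for the year-less syslog timestamps are all assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log in netfilter/iptables syslog style. These are
# NOT the logs the paper analyzes; addresses come from the RFC 5737 ranges.
SAMPLE_LOG = """\
Jun 23 02:14:07 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3121 DPT=21
Jun 23 02:14:07 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3122 DPT=22
Jun 23 02:14:08 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3123 DPT=23
Jun 23 02:14:08 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3124 DPT=25
Jun 23 02:14:09 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3125 DPT=80
Jun 23 02:14:09 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3126 DPT=110
Jun 23 02:14:10 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3127 DPT=111
Jun 23 02:14:10 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3128 DPT=143
Jun 23 09:30:15 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40211 DPT=80
Jun 23 11:02:44 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40388 DPT=443
Jun 27 22:41:03 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=1025 DPT=53
Jun 27 22:41:03 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.11 PROTO=TCP SPT=1025 DPT=53
Jun 27 22:41:04 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.12 PROTO=TCP SPT=1025 DPT=53
Jun 27 22:41:04 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.13 PROTO=TCP SPT=1025 DPT=53
Jun 27 22:41:05 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.14 PROTO=TCP SPT=1025 DPT=53
"""

# Syslog timestamps carry no year; this example assumes 2001 (an assumption).
ASSUMED_YEAR = 2001

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) "
    r"IN=\S+ SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for one firewall log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "time": when,
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "spt": int(m["spt"]),
        "dpt": int(m["dpt"]),
    }


def classify_sources(log_text, min_targets=5, max_window_seconds=60):
    """Group events by source address and label each source.

    'port scan'  : many distinct destination ports in a short window
    'host sweep' : many distinct destination hosts (same service) in a short window
    'normal'     : neither pattern (e.g. a human browsing two services hours apart)
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["time"])
        ports = sorted({e["dpt"] for e in events})
        hosts = sorted({e["dst"] for e in events})
        span = (events[-1]["time"] - events[0]["time"]).total_seconds()
        fast = span <= max_window_seconds
        if fast and len(ports) >= min_targets:
            kind = "port scan"
        elif fast and len(hosts) >= min_targets:
            kind = "host sweep"
        else:
            kind = "normal"
        findings[src] = {
            "kind": kind,
            "hits": len(events),
            "ports": ports,
            "hosts": hosts,
            "span_seconds": span,
            "first": events[0]["time"],
            "last": events[-1]["time"],
        }
    return findings


if __name__ == "__main__":
    for src, f in classify_sources(SAMPLE_LOG).items():
        print(f"{src:15} {f['kind']:10} hits={f['hits']:2} "
              f"span={f['span_seconds']:.0f}s ports={f['ports']} hosts={len(f['hosts'])}")
```

The timing window is what separates a tool from a person: eight service ports probed in three seconds, or five consecutive hosts on port 53 in two seconds, are not produced by hand, and the sequential source ports (SPT 3121, 3122, ...) and the sequential destination addresses are the kind of detail the paper's log walk-through uses to reason about the tool and platform behind an attack. Tune `min_targets` and `max_window_seconds` to the site's traffic before trusting the labels.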