IDS Report for March 2003
A Network Intrusion Detection System monitors the traffic on a network for patterns known to be associated with potentially malicious activity.

A Network Intrusion Detection System is one component of a corporate security policy used to maintain awareness of network activity, identify potential causes for alarm, and reduce the threat should an attack actually occur.

Each section provides intrusion detection details unique to this server, generated automatically by the Guardian Digital Intrusion Detection System. Information including the most severe types of attacks, the most frequent types of attacks, and even attacks by port number can be analyzed here.


 
  Top 10 Source IP Attacks

Each time the system detects a potential attack, the IP address of the originating host is recorded. The table below lists the ten source IP addresses that the system recorded as most active.

  Attacks  Source IP Address
       34  209.10.240.65
       20  221.6.145.34
        8  209.10.205.195
        3  61.144.97.118
        3  219.138.8.180
        2  200.152.200.226
        2  64.236.200.50
        2  213.41.80.178
        2  194.202.220.101
        2  209.45.3.2

  Top 10 Most Severe Attacks

The severity rating system established by Guardian Digital provides a method to quickly identify the current threat as seen by the intrusion detection system.

This is one method that can be used to determine the level of risk and the best course of action for a particular class of attack.
 
  Level 5: Low       - Everyday network incident activity
  Level 4: Moderate  - Heightened awareness
  Level 3: Medium    - Potentially significant event
  Level 2: High      - Known attack type
  Level 1: Extreme   - Policy violations, attacks involving multiple systems, or other events of a very significant nature
 
The Guardian Digital IDS enables organizations to concentrate on their core business while maintaining a continued high degree of security.

  Severity  Attacks  Attack
         2        2  MS-SQL Worm propagation attempt
         2        2  WEB-CGI formmail access
         2        2  ICMP redirect host
         2        2  ICMP redirect net
         2        2  SCAN Squid Proxy attempt
         1        1  WEB-IIS ISAPI .ida attempt
         1        1  WEB-IIS cmd.exe access
                     WEB-MISC webdav search access
                     SCAN Proxy (8080) attempt
                     WEB-MISC bad HTTP/1.1 request, potentual worm attack

  Total Attacks by Class

Attacks grouped by their classification can be used to determine if a particular type of attack may be applicable to the systems on your network. Remote attackers typically do not first determine the type of systems that may be on your network, but instead launch random scripted attacks.

  Attacks  Attack Class
        4  Information Leak
       35  Generic ICMP event
       17  Misc activity
       34  Attempted Information Leak
        4  Web Application Attack

  Total Attacks by protocol

The TCP/IP Internet model is the most frequently used means to communicate between systems today. Knowing the type of protocol used by an attacker can help determine if firewall policies need to be adjusted, and assists in establishing patterns over time.

This graph can help determine if systems are being probed or attacked at the network, application, or protocol layer, providing additional information for security administrators to better protect their network.

  Attacks  Protocol
       34  ICMP - Internet Control Message Protocol
       25  TCP - Transmission Control Protocol
       35  UDP - User Datagram Protocol

  Ten Most Common Attacks

As exploits are developed and released to attack vulnerable systems on the Internet, these graphs can be used to determine the latest attempts at using these attacks on your systems.

Some level of advance warning helps system administrators prepare and monitor their potentially vulnerable systems.

  Attacks  Attack
       35  MS-SQL Worm propagation attempt
       17  ICMP redirect net
       17  ICMP redirect host
        9  WEB-IIS cmd.exe access
        8  WEB-IIS ISAPI .ida attempt
        2  WEB-CGI formmail access
        2  SCAN Squid Proxy attempt
        1  WEB-MISC webdav search access
        1  SCAN Proxy (8080) attempt
        1  WEB-MISC bad HTTP/1.1 request, potentual worm attack

  Ten Least Common Attacks

It is important to monitor infrequent attack attempts as attentively as attacks attempted regularly. Attack attempts trying to evade detection may only occur once or twice in the blackhat's efforts to find the weakest point of the network.

  Attacks  Attack
        1  WEB-MISC webdav search access
        1  WEB-MISC bad HTTP/1.1 request, potentual worm attack
        1  ATTACK RESPONSES 403 Forbidden
        1  SCAN Proxy (8080) attempt
        2  WEB-CGI formmail access
        2  SCAN Squid Proxy attempt
        8  WEB-IIS ISAPI .ida attempt
        9  WEB-IIS cmd.exe access
       17  ICMP redirect host
       17  ICMP redirect net

  Ten Most Common Services Attacked

The standard services used to communicate with hosts on the Internet run at well-known locations on each host, called ports. Common services such as SMTP or FTP are scanned by blackhats for activity at their known location, and an attack is then launched in an attempt to compromise the host.

Reports of activity on services that are not active may indicate a firewall policy change, while activity on active ports may indicate further attention is required.

  Attacks  Service Attacked (port number)
       35  1434
       21  80
        2  3128
        1  63257
        1  8080

  Summary of Attacks by Protocol over Time for March 07, 2003