Tuesday, March 4, 2014

Day 1 review

With the first day logged running the out-of-the-box KFSensor, some interesting points:

  • I've logged 481 unique visitors
  • Those 481 visitors generated 2498 events
  • Several appear to be crawlers (IPV4scan.com, Google (via anon FTP trying to find robots.txt))
  • Hits for many common services (IIS, telnet, SQL server, ftp, web proxy, ssh, rdp, vnc, smtp, pcanywhere ???, Synology web ui)
  • The majority of the events were brute force attempts on MS SQL for the sa account that looked to be scripted using the osql utility.

So far I'm just 1 day into testing KFSensor.  I am using a default configuration right now, but poking around the customization options I'm really liking how open it is for creating your own scenarios and signatures.  You can also make a custom rule for a port to behave however you so choose.  The trial version seems to have limited reporting but does keep raw logs.  It does appear to support logging to MSSQL or MYSQL, so I will likely look at doing that next to allow for better reporting and data analysis.

Once I have a bit more data collected and can see what high-frequency traffic I am getting, I may take a different approach and use a bit more custom bait to see what happens if I provide a bit more.
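As an added example (not from the post or from KFSensor itself), here is a small script that produces the kind of Day 1 summary above from raw events: unique visitors, total events, hits per service, and which sources look like a scripted sa brute force. The event layout and the sample rows are constructed for this example; the real KFSensor log format will differ.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, source IP, service, description).
# This layout is an assumption, not KFSensor's actual log format.
SAMPLE_EVENTS = [
    ("2014-03-03T10:00:01", "198.51.100.7", "MSSQL", "login sa (osql)"),
    ("2014-03-03T10:00:02", "198.51.100.7", "MSSQL", "login sa (osql)"),
    ("2014-03-03T10:00:03", "198.51.100.7", "MSSQL", "login sa (osql)"),
    ("2014-03-03T10:00:04", "198.51.100.7", "MSSQL", "login sa (osql)"),
    ("2014-03-03T10:00:05", "198.51.100.7", "MSSQL", "login sa (osql)"),
    ("2014-03-03T11:15:00", "203.0.113.9", "FTP", "anonymous RETR robots.txt"),
    ("2014-03-03T12:30:00", "192.0.2.44", "RDP", "connect"),
    ("2014-03-03T13:00:00", "192.0.2.44", "VNC", "connect"),
]

def summarise(events):
    """Return (unique visitors, total events, Counter of hits per service)."""
    visitors = {src for _, src, _, _ in events}
    per_service = Counter(svc for _, _, svc, _ in events)
    return len(visitors), len(events), per_service

def sa_bruteforce_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Sources with >= threshold MSSQL 'sa' logins inside one sliding window.

    A burst of scripted osql logins from one IP trips it; a lone probe does not.
    """
    by_src = defaultdict(list)
    for ts, src, svc, desc in events:
        if svc == "MSSQL" and "login sa" in desc:
            by_src[src].append(datetime.fromisoformat(ts))
    flagged = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(src)
                break
    return flagged

if __name__ == "__main__":
    uniq, total, per_service = summarise(SAMPLE_EVENTS)
    print(f"{uniq} unique visitors, {total} events, by service: {dict(per_service)}")
    print("sa brute force from:", sa_bruteforce_sources(SAMPLE_EVENTS))
```

Pointed at a real export (or the MSSQL/MySQL log table once that is set up), the same two functions give the per-service and per-source view the raw logs do not.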
