Frequently Asked Questions: Report Descriptions

Incident Reports

The record of a firewall event includes two key identifying details — the time of the event and the Source IP address. myNetWatchman aggregates the firewall events submitted by all its Agents based on these details into "incidents". myNetWatchman then assesses whether incidents seem to be attacks based on the number of Agents reporting them, the time between reports, the particular port and protocol being targeted, and a host of other factors. Incidents that are identified as attacks are "escalated", and an email alert is automatically sent to the ISP responsible for the attacker's IP address. Reports based on myNetWatchman incidents can show us a lot of valuable information, including:

  • Top Port Targets - This report shows the ports being targeted most heavily in the past 24 hours.
  • Increasing Port Targets - A relative increase in scan activity against a specific port may indicate that a new trojan has been deployed, an existing trojan is increasing in its proliferation, or a new vulnerability has been discovered with a known service. This report can help identify and deal with new threats.
  • Largest Attacks - Last Hour - The size of an attack is based on a score that incorporates many factors, including the number of agents reporting the attack, frequency with which the attack is reported, the number of times each agent reports the attack, and the nature of the vulnerability being exploited.
  • Largest Attacks - 7 days - The size of an attack is based on a score that incorporates many factors, including the number of agents reporting the attack, frequency with which the attack is reported, the number of times each agent reports the attack, and the nature of the vulnerability being exploited.
  • Incidents by ISP - Considering attack data by ISP can help illuminate whether a worm is systematically infecting hosts of that ISP. Note that ISP attack data is not meant to be compared, as it doesn't take into account the relative sizes of ISPs (100 attacks out of 10,000 subscribers is much worse than 100 attacks out of 1,000,000 subscribers).
  • Resolved Incidents - myNetWatchman sent out 1,022 alerts over the past 24 hours and recipients formally closed 5 incidents. But don't let the lack of responses fool you — system managers are often very glad to get alerts which pinpoint the source of their security problem and normally follow up on them. To date, we've received formal acknowledgement of 28 resolved issues.
  • Look Up Incidents by IP Address - Quickly look to see if a particular IP address is the source of any attacks.
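
The aggregation and escalation described at the start of this section can be sketched as follows. This is an added example, not myNetWatchman's own code: the events are constructed, and the agent names, the three-agent threshold and the one-hour window are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall events: (agent, time, source IP, protocol, port).
# Source addresses come from the RFC 5737 documentation ranges.
EVENTS = [
    ("agent-a", "2024-01-01T10:00:05", "203.0.113.7", "tcp", 445),
    ("agent-b", "2024-01-01T10:12:40", "203.0.113.7", "tcp", 445),
    ("agent-c", "2024-01-01T10:30:00", "203.0.113.7", "tcp", 445),
    ("agent-a", "2024-01-01T11:00:00", "198.51.100.20", "udp", 53),
    ("agent-a", "2024-01-01T11:00:02", "198.51.100.20", "udp", 53),
    ("agent-a", "2024-01-01T11:00:04", "198.51.100.20", "udp", 53),
    ("agent-a", "2024-01-01T01:00:00", "192.0.2.55", "tcp", 22),
    ("agent-b", "2024-01-01T09:00:00", "192.0.2.55", "tcp", 22),
    ("agent-c", "2024-01-01T20:00:00", "192.0.2.55", "tcp", 22),
]

# Assumed thresholds for illustration; the page does not state the real ones.
MIN_AGENTS = 3
WINDOW = timedelta(hours=1)

def build_incidents(events):
    """Aggregate events into one time-ordered incident per source IP."""
    incidents = defaultdict(list)
    for agent, ts, src, proto, port in events:
        incidents[src].append((datetime.fromisoformat(ts), agent, proto, port))
    for evs in incidents.values():
        evs.sort()
    return incidents

def classify(evs):
    """'escalated' once MIN_AGENTS distinct agents report within WINDOW, else 'pending'."""
    seen = defaultdict(int)   # agent -> events inside the current window
    start = 0
    for ts, agent, _proto, _port in evs:
        seen[agent] += 1
        while ts - evs[start][0] > WINDOW:   # slide the window forward
            old = evs[start][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            start += 1
        if len(seen) >= MIN_AGENTS:
            return "escalated"
    return "pending"

def report(events):
    """Map each source IP to its incident status."""
    return {src: classify(evs) for src, evs in build_incidents(events).items()}
```

With the sample data, only the source seen by three different agents inside one hour is escalated; the source reported repeatedly by a single agent and the one seen by three agents many hours apart both stay pending.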

Agent Reports

myNetWatchman aggregates firewall data that is submitted by 305 Agents from across the globe. If you're not already participating, we encourage you to register now.

myReports

Registered users can see reports that reflect trends in the data they submit. These reports include:

  • myIncidents Events Today - A list of hostile incidents that were identified within 24 hours.
  • myEscalated Incidents - Firewall events reported by your system which have been classified as attacks.
  • myPending Incidents - Firewall events reported by your system which have not been classified as attacks. This may be because they are "false positives", or because they don't yet meet our threshold for identifying them as attacks (i.e., number of agents reporting the event, timeframe in which repeat events are reported, etc.)
  • myResolved Incidents - Attacks to your system that were formally resolved through specific notification by the attacker's ISP.
  • myFirewall Events Per Hour - Shows the number of firewall events your system reports on an hourly basis.
  • myAgent Errors - There are a number of reasons that firewall events from your system might not be read. If you have a significant number of errors, please consult this page.
  • myIncidents from NetBlock - myNetWatchman can be configured to submit firewall data reports based on the range of IP addresses used by your network. On-line configuration of this feature will be available soon. If you are interested in using it now, please send a note to support@mynetwatchman.com.
  • IPWatch - Maintains a list of IP addresses from which you have submitted data. If you work on multiple machines, this can be useful to look up their IP addresses from a remote location.
  • Report a Possible Attack - You can submit firewall event data using our webform even if you don't have the myNetWatchman Agent installed.