[Intrusions] [LOGS] Summary of large-scale portscanning detects

Ken Connelly Ken.Connelly at uni.edu
Mon Aug 16 18:51:35 GMT 2004


They're for correlation.  There used to be several of us who did similar 
things on a(n almost) daily basis.  I'm the only one left.  They're 
purposely marked with [LOGS] in the subject so you have something easy 
to filter on if they bore and/or annoy you.

As to the missing m$ ports, there are so #%^#$#@ many of them that I 
have been forced to drop packets destined for TCP 135 and 445 outside 
the sensor.

- ken

Merton Campbell Crockett wrote:

>My apologies to the list but I don't understand the significance of this
>summary.  It's normal to have systems sweeping through your address space
>turning the door handle to see if it's unlocked.
>
>The first block in Sunday's report is, perhaps, the only thing of interest
>in the report.  Unfortunately, the report format doesn't allow us to see
>a complete set of probes targeted at an individual system.
>
>Another curiosity question is why Microsoft RPC/CIFS ports are missing.  
>Looking at my own logs, probes to port 1433 are always paired with probes
>to port 445.
>
>Merton Campbell Crockett
>
>
>
>On Sun, 15 Aug 2004 Ken.Connelly at uni.edu wrote:
>
>>The following extracts show the beginning and ending of scan activity
>>that was detected on my network.  The number following each set is the total
>>number of probes for that source.  Timestamps are GMT-0500.
>>
>>Aug 14 01:02:10 212.90.254.234:3627 -> xxx.yyy.1.1:21 SYN ******S* 
>>Aug 14 01:02:09 212.90.254.234:3628 -> xxx.yyy.1.1:80 SYN ******S* 
>>Aug 14 01:02:10 212.90.254.234:3629 -> xxx.yyy.1.1:53 SYN ******S* 
>>Aug 14 01:02:10 212.90.254.234:3630 -> xxx.yyy.1.1:25 SYN ******S* 
>>Aug 14 01:02:09 212.90.254.234:3631 -> xxx.yyy.1.1:79 SYN ******S* 
>>Aug 14 01:02:07 212.90.254.234:3632 -> xxx.yyy.1.1:23 SYN ******S* 
>>Aug 14 01:02:07 212.90.254.234:3633 -> xxx.yyy.1.1:110 SYN ******S* 
>>Aug 14 01:02:10 212.90.254.234:3634 -> xxx.yyy.1.1:1433 SYN ******S* 
>>[...]
>>Aug 14 03:02:02 212.90.254.234:4753 -> xxx.yyy.255.254:80 SYN ******S* 
>>Aug 14 03:02:02 212.90.254.234:4752 -> xxx.yyy.255.254:21 SYN ******S* 
>>Aug 14 03:02:02 212.90.254.234:4758 -> xxx.yyy.255.254:79 SYN ******S* 
>>Aug 14 03:02:02 212.90.254.234:4760 -> xxx.yyy.255.254:110 SYN ******S* 
>>Aug 14 03:02:02 212.90.254.234:4756 -> xxx.yyy.255.254:53 SYN ******S* 
>>Aug 14 03:02:02 212.90.254.234:4757 -> xxx.yyy.255.254:25 SYN ******S* 
>>Aug 14 03:02:02 212.90.254.234:4759 -> xxx.yyy.255.254:23 SYN ******S* 
>>Aug 14 03:02:02 212.90.254.234:4767 -> xxx.yyy.255.254:3389 SYN ******S* 
>>710292

-- 
- Ken
=================================================================
Ken Connelly Systems and Operations Manager, ITS Network Services
University of Northern Iowa           Cedar Falls, IA  50614-0121
email: Ken.Connelly at uni.edu
phone: (319) 273-5850   fax: (319) 273-7373

It's much more important to know what you don't know than what you do know!
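The summary format quoted above (the first and last probes seen from a source, then that source's total) is simple to reproduce from the raw sensor records, and the two points raised in the thread, Merton's observation that 1433 probes come paired with 445 probes and Ken's note that TCP 135 and 445 are dropped before the sensor, can be checked against the same records. The following is an added example, not code from the original post or from any tool its author used. The log lines are constructed in the same layout as the quoted ones (hypothetical addresses), the year is assumed because the records carry none, and the function names are the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the quoted summary; not real sensor output.
SAMPLE_LOG = """\
Aug 14 01:02:10 212.90.254.234:3627 -> xxx.yyy.1.1:21 SYN ******S*
Aug 14 01:02:09 212.90.254.234:3628 -> xxx.yyy.1.1:80 SYN ******S*
Aug 14 01:02:10 212.90.254.234:3634 -> xxx.yyy.1.1:1433 SYN ******S*
Aug 14 01:02:10 212.90.254.234:3635 -> xxx.yyy.1.1:445 SYN ******S*
Aug 14 01:02:11 212.90.254.234:3640 -> xxx.yyy.1.2:1433 SYN ******S*
Aug 14 01:02:11 212.90.254.234:3641 -> xxx.yyy.1.2:445 SYN ******S*
Aug 14 03:02:02 212.90.254.234:4767 -> xxx.yyy.255.254:3389 SYN ******S*
Aug 14 02:15:00 198.51.100.7:40000 -> xxx.yyy.1.1:135 SYN ******S*
Aug 14 02:15:00 198.51.100.7:40001 -> xxx.yyy.1.1:445 SYN ******S*
this line is not a probe record
"""

# "Aug 14 01:02:10 SRC:SPORT -> DST:DPORT SYN ******S*"; DST may be a masked
# address such as xxx.yyy.1.1, so addresses are matched loosely.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>[^:\s]+):(?P<sport>\d+) -> (?P<dst>[^:\s]+):(?P<dport>\d+) "
    r"(?P<proto>\S+)\s+(?P<flags>\S+)"
)

# Ports the reply says are dropped before they reach the sensor.
PRE_SENSOR_DROP = frozenset({135, 445})


def parse_line(line, year=2004):
    """Parse one record; the year is an assumption since the log has none."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]}


def summarize(lines, drop_ports=frozenset()):
    """Per source: first/last probe time, count, distinct ports and targets.

    drop_ports models a filter applied before the sensor: those records are
    never seen, so a source that only hits dropped ports disappears entirely.
    min/max are used because records are not guaranteed to arrive in order.
    """
    per_src = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] in drop_ports:
            continue
        s = per_src.setdefault(rec["src"], {"first": rec["ts"], "last": rec["ts"],
                                            "count": 0, "ports": set(), "targets": set()})
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
        s["count"] += 1
        s["ports"].add(rec["dport"])
        s["targets"].add(rec["dst"])
    return per_src


def pairing(lines, a=1433, b=445, drop_ports=frozenset()):
    """Per source that probed port a: (targets also probed on b, targets probed on a)."""
    hits = defaultdict(lambda: defaultdict(set))  # src -> dport -> targets
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] in drop_ports:
            continue
        hits[rec["src"]][rec["dport"]].add(rec["dst"])
    out = {}
    for src, byport in hits.items():
        a_targets = byport.get(a, set())
        if a_targets:
            out[src] = (len(a_targets & byport.get(b, set())), len(a_targets))
    return out


def report(lines, drop_ports=frozenset()):
    """One summary line per source, busiest first."""
    summ = summarize(lines, drop_ports)
    return [f"{src}: {s['count']} probes, {s['first']:%b %d %H:%M:%S} .. "
            f"{s['last']:%b %d %H:%M:%S}, {len(s['targets'])} targets, "
            f"ports {sorted(s['ports'])}"
            for src, s in sorted(summ.items(), key=lambda kv: -kv[1]["count"])]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("as seen by an unfiltered sensor:")
    print("\n".join(report(lines)), pairing(lines), sep="\n")
    print("with TCP 135/445 dropped before the sensor:")
    print("\n".join(report(lines, PRE_SENSOR_DROP)), pairing(lines, drop_ports=PRE_SENSOR_DROP), sep="\n")
```

Run as-is, the unfiltered pass shows every 1433 target of 212.90.254.234 also receiving a 445 probe, while the filtered pass reports the same source with fewer probes, no 445 in its port list, and a pairing of 0 of 2, and the second source (which only hit 135 and 445) is absent altogether. That is the cost of the pre-sensor drop: the correlation Merton is looking for cannot be made from the sensor's records, so it has to come from the firewall's drop counters or from a sample taken upstream. Keeping the per-source target set in the summary also answers the other complaint, since the full probe list for one host can be pulled from the same parsed records rather than from the head-and-tail extract.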
