[Intrusions] [LOGS] Summary of large-scale portscanning detects

Smith, Donald Donald.Smith at qwest.com
Mon Aug 16 18:34:17 GMT 2004


As a service to this list Ken has been posting his summaries for over a
year now.
MOST of this list used to be log summaries and packets.
It is intended to help you see what is happening on a typical network.
It is also intended to elicit discussion such as WHY is 1433 missing in
Ken's reports :-)


Donald.Smith at qwest.com GCIA
pgpFingerPrint:9CE4 227B B9B3 601F B500  D076 43F1 0767 AF00 EDCC
Everyday is virus day. Do you know where your recovery CDs are? Did u
create them yet?

> -----Original Message-----
> From: intrusions-bounces at lists.sans.org 
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of 
> Merton Campbell Crockett
> Sent: Monday, August 16, 2004 10:14 AM
> To: Intrusions List (GCIA Practicals)
> Subject: Re: [Intrusions] [LOGS] Summary of large-scale 
> portscanning detects
> 
> 
> My apologies to the list but I don't understand the significance of this
> summary.  It's normal to have systems sweeping through your address space
> turning the door handle to see if it's unlocked.
> 
> The first block in Sunday's report is, perhaps, the only thing of interest
> in the report.  Unfortunately, the report format doesn't allow us to see
> a complete set of probes targeted at an individual system.
> 
> Another curiosity question is why Microsoft RPC/CIFS ports are missing.
> Looking at my own logs, probes to port 1433 are always paired with probes
> to port 445.
> 
> Merton Campbell Crockett
> 
> 
> 
> On Sun, 15 Aug 2004 Ken.Connelly at uni.edu wrote:
> 
> > The following extracts show the beginning and ending of scan activity
> > that was detected on my network.  The number following each set is the
> > total number of probes for that source.  Timestamps are GMT-0500.
> > 
> > Aug 14 01:02:10 212.90.254.234:3627 -> xxx.yyy.1.1:21 SYN ******S* 
> > Aug 14 01:02:09 212.90.254.234:3628 -> xxx.yyy.1.1:80 SYN ******S* 
> > Aug 14 01:02:10 212.90.254.234:3629 -> xxx.yyy.1.1:53 SYN ******S* 
> > Aug 14 01:02:10 212.90.254.234:3630 -> xxx.yyy.1.1:25 SYN ******S* 
> > Aug 14 01:02:09 212.90.254.234:3631 -> xxx.yyy.1.1:79 SYN ******S* 
> > Aug 14 01:02:07 212.90.254.234:3632 -> xxx.yyy.1.1:23 SYN ******S* 
> > Aug 14 01:02:07 212.90.254.234:3633 -> xxx.yyy.1.1:110 SYN ******S* 
> > Aug 14 01:02:10 212.90.254.234:3634 -> xxx.yyy.1.1:1433 SYN ******S* 
> > [...]
> > Aug 14 03:02:02 212.90.254.234:4753 -> xxx.yyy.255.254:80 SYN ******S* 
> > Aug 14 03:02:02 212.90.254.234:4752 -> xxx.yyy.255.254:21 SYN ******S* 
> > Aug 14 03:02:02 212.90.254.234:4758 -> xxx.yyy.255.254:79 SYN ******S* 
> > Aug 14 03:02:02 212.90.254.234:4760 -> xxx.yyy.255.254:110 SYN ******S* 
> > Aug 14 03:02:02 212.90.254.234:4756 -> xxx.yyy.255.254:53 SYN ******S* 
> > Aug 14 03:02:02 212.90.254.234:4757 -> xxx.yyy.255.254:25 SYN ******S* 
> > Aug 14 03:02:02 212.90.254.234:4759 -> xxx.yyy.255.254:23 SYN ******S* 
> > Aug 14 03:02:02 212.90.254.234:4767 -> xxx.yyy.255.254:3389 SYN ******S* 
> > 710292
>  
> 
> -- 
> BEGIN:				vcard
> VERSION:			3.0
> FN:				Merton Campbell Crockett
> ORG:				General Dynamics Advanced 
> Information Systems;
> 				Intelligence and Exploitation Systems
> N:				Crockett;Merton;Campbell
> EMAIL;TYPE=internet:		mcc at CATO.GD-AIS.COM
> TEL;TYPE=work,voice,msg,pref:	+1(805)497-5045
> TEL;TYPE=work,fax:		+1(805)497-5050
> TEL;TYPE=cell,voice,msg:	+1(805)377-6762
> END:				vcard
> 
> 
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
> 
> 
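As an added example (not code from any of the posters), a small Python parser for the summary line format quoted above that regroups probes per (source, target) so the complete set of ports hit on one system becomes visible, reproduces the per-source total printed after each block, and checks the 1433/445 pairing Merton mentions; the sample lines are constructed, with documentation-range source addresses.

```python
import re
from collections import defaultdict
# Constructed sample in the shape of the quoted summary lines; the source
# addresses are documentation ranges, not the ones in the post.
SAMPLE_LOG = """\
Aug 14 01:02:10 198.51.100.7:3627 -> xxx.yyy.1.1:21 SYN ******S*
Aug 14 01:02:09 198.51.100.7:3628 -> xxx.yyy.1.1:80 SYN ******S*
Aug 14 01:02:10 198.51.100.7:3634 -> xxx.yyy.1.1:1433 SYN ******S*
Aug 14 01:02:11 198.51.100.7:3635 -> xxx.yyy.1.1:445 SYN ******S*
Aug 14 01:02:12 198.51.100.7:3640 -> xxx.yyy.1.2:80 SYN ******S*
Aug 14 01:02:12 198.51.100.7:3641 -> xxx.yyy.1.2:1433 SYN ******S*
Aug 14 01:05:00 203.0.113.9:40001 -> xxx.yyy.1.1:22 SYN ******S*
"""

# Line shape: "<mon> <day> <hh:mm:ss> <src>:<sport> -> <dst>:<dport> <name> <flags>".
# [\w.] for the addresses also accepts the xxx.yyy masking used in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"(?P<name>\S+) (?P<flags>\S+)$"
)

def parse_line(line):
    """Fields of one summary line, or None for the '[...]' and total lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def probes_by_target(text):
    """(src, dst) -> sorted ports probed: the per-system view the report lacks."""
    ports = defaultdict(set)
    for rec in filter(None, map(parse_line, text.splitlines())):
        ports[(rec["src"], rec["dst"])].add(rec["dport"])
    return {k: sorted(v) for k, v in ports.items()}

def source_totals(text):
    """Probes per source, the number printed after each block of the summary."""
    totals = defaultdict(int)
    for rec in filter(None, map(parse_line, text.splitlines())):
        totals[rec["src"]] += 1
    return dict(totals)

def unpaired_targets(text, port_a=1433, port_b=445):
    """(src, dst) pairs hit on port_a but not port_b; tests the 1433/445 pairing."""
    return sorted(k for k, p in probes_by_target(text).items()
                  if port_a in p and port_b not in p)
```

Feeding a full day's lines through `probes_by_target` shows the first block of the report per host rather than only its first and last lines.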