[Intrusions] [LOGS] Summary of large-scale portscanning detects
Michael Fischer
michael.fischer at dir.state.tx.us
Tue Aug 17 13:30:28 GMT 2004
Thank you for asking the question that I'm sure many of us have been
thinking. As a "new" guy to the list, I often wondered the same thing.
All the answers were good, and now I understand. I've been using the
posts for just a basic idea of what was new, or unusual, and wondered if
I was missing some grander plan of why they were there.
Sometimes, I think the "older" guys on the list get in their routines
and forget about the newer observers... ;)
Cheers!
Michael
Michael Fischer
Security Analyst
Department of Information Resources/Security Office
>>> mcc at CATO.GD-AIS.COM 08/16/04 11:14 AM >>>
My apologies to the list but I don't understand the significance of this
summary. It's normal to have systems sweeping through your address space
turning the door handle to see if it's unlocked.
The first block in Sunday's report is, perhaps, the only thing of interest
in the report. Unfortunately, the report format doesn't allow us to see
a complete set of probes targeted at an individual system.
Another curiosity question is why Microsoft RPC/CIFS ports are missing.
Looking at my own logs, probes to port 1433 are always paired with probes
to port 445.
Merton Campbell Crockett
On Sun, 15 Aug 2004 Ken.Connelly at uni.edu wrote:
> The following extracts show the beginning and ending of scan activity
> that was detected on my network. The number following each set is the
> total number of probes for that source. Timestamps are GMT-0500.
>
> Aug 14 01:02:10 212.90.254.234:3627 -> xxx.yyy.1.1:21 SYN ******S*
> Aug 14 01:02:09 212.90.254.234:3628 -> xxx.yyy.1.1:80 SYN ******S*
> Aug 14 01:02:10 212.90.254.234:3629 -> xxx.yyy.1.1:53 SYN ******S*
> Aug 14 01:02:10 212.90.254.234:3630 -> xxx.yyy.1.1:25 SYN ******S*
> Aug 14 01:02:09 212.90.254.234:3631 -> xxx.yyy.1.1:79 SYN ******S*
> Aug 14 01:02:07 212.90.254.234:3632 -> xxx.yyy.1.1:23 SYN ******S*
> Aug 14 01:02:07 212.90.254.234:3633 -> xxx.yyy.1.1:110 SYN ******S*
> Aug 14 01:02:10 212.90.254.234:3634 -> xxx.yyy.1.1:1433 SYN ******S*
> [...]
> Aug 14 03:02:02 212.90.254.234:4753 -> xxx.yyy.255.254:80 SYN ******S*
> Aug 14 03:02:02 212.90.254.234:4752 -> xxx.yyy.255.254:21 SYN ******S*
> Aug 14 03:02:02 212.90.254.234:4758 -> xxx.yyy.255.254:79 SYN ******S*
> Aug 14 03:02:02 212.90.254.234:4760 -> xxx.yyy.255.254:110 SYN ******S*
> Aug 14 03:02:02 212.90.254.234:4756 -> xxx.yyy.255.254:53 SYN ******S*
> Aug 14 03:02:02 212.90.254.234:4757 -> xxx.yyy.255.254:25 SYN ******S*
> Aug 14 03:02:02 212.90.254.234:4759 -> xxx.yyy.255.254:23 SYN ******S*
> Aug 14 03:02:02 212.90.254.234:4767 -> xxx.yyy.255.254:3389 SYN ******S*
> 710292
--
Merton Campbell Crockett
General Dynamics Advanced Information Systems; Intelligence and Exploitation Systems
mcc at CATO.GD-AIS.COM
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
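Merton's objection is that the posted summary (first probe, last probe, total count per source) hides the complete set of ports tried against each individual host, which is exactly what you need to tell a port sweep from a targeted probe, or to see whether 1433 really always travels with 445. The following script is an added example, not code from anyone in this thread: it parses lines in the same format the report uses, rebuilds the per-source and per-target view, and counts how often pairs of ports are probed on the same host. The log lines embedded in it are constructed for illustration using RFC 5737 documentation addresses; the function names and the `min_hosts` sweep threshold are assumptions of this example.

```python
"""Rebuild a per-target view from SYN-scan log lines in the format posted to the list.

Added example (not from the original thread). The sample log below is constructed
for illustration, in the posted format, using RFC 5737 documentation addresses;
it is not real traffic.
"""
import re
from collections import Counter, defaultdict
from itertools import combinations

# Line format as it appears in the post:
#   "Aug 14 01:02:10 SRC:SPORT -> DST:DPORT SYN ******S*"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<scan>\S+) (?P<flags>\S+)$"
)

# Constructed sample: one source sweeping three hosts with a fixed port set
# (1433 always accompanied by 445), one source probing a single host, one junk line.
SAMPLE_LOG = """\
Aug 14 01:02:10 203.0.113.234:3627 -> 192.0.2.1:21 SYN ******S*
Aug 14 01:02:09 203.0.113.234:3628 -> 192.0.2.1:80 SYN ******S*
Aug 14 01:02:10 203.0.113.234:3634 -> 192.0.2.1:1433 SYN ******S*
Aug 14 01:02:10 203.0.113.234:3635 -> 192.0.2.1:445 SYN ******S*
Aug 14 01:02:11 203.0.113.234:3640 -> 192.0.2.2:21 SYN ******S*
Aug 14 01:02:11 203.0.113.234:3641 -> 192.0.2.2:80 SYN ******S*
Aug 14 01:02:11 203.0.113.234:3642 -> 192.0.2.2:1433 SYN ******S*
Aug 14 01:02:11 203.0.113.234:3643 -> 192.0.2.2:445 SYN ******S*
Aug 14 01:02:12 203.0.113.234:3650 -> 192.0.2.3:1433 SYN ******S*
Aug 14 01:02:12 203.0.113.234:3651 -> 192.0.2.3:445 SYN ******S*
Aug 14 02:15:00 198.51.100.7:40001 -> 192.0.2.1:22 SYN ******S*
Aug 14 02:15:00 198.51.100.7:40002 -> 192.0.2.1:80 SYN ******S*
Aug 14 02:15:00 198.51.100.7:40003 -> 192.0.2.1:443 SYN ******S*
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return a dict for one probe line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def summarize(text):
    """Per source: total probes and the full set of ports tried against each target host."""
    per_src = defaultdict(lambda: {"total": 0, "ports_by_dst": defaultdict(set)})
    for line in text.splitlines():
        p = parse_line(line)
        if p is None:          # skip lines that are not probe records
            continue
        entry = per_src[p["src"]]
        entry["total"] += 1
        entry["ports_by_dst"][p["dst"]].add(p["dport"])
    return per_src


def classify(entry, min_hosts=3):
    """'sweep' when a source touched at least min_hosts hosts (assumed threshold), else 'single-host'."""
    return "sweep" if len(entry["ports_by_dst"]) >= min_hosts else "single-host"


def port_pair_cooccurrence(entry):
    """Count, for each pair of ports, how many targeted hosts saw both probed."""
    pair_hits = Counter()
    for ports in entry["ports_by_dst"].values():
        for a, b in combinations(sorted(ports), 2):
            pair_hits[(a, b)] += 1
    return pair_hits


def always_paired(entry, port):
    """Ports probed on every host where `port` was probed (empty set if `port` never seen)."""
    host_port_sets = [ps for ps in entry["ports_by_dst"].values() if port in ps]
    if not host_port_sets:
        return set()
    return set.intersection(*host_port_sets) - {port}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, entry in sorted(report.items()):
        print(f"{src}: {entry['total']} probes, {len(entry['ports_by_dst'])} hosts, {classify(entry)}")
        for dst, ports in sorted(entry["ports_by_dst"].items()):
            print(f"  {dst}: {sorted(ports)}")
        print("  always with 1433:", sorted(always_paired(entry, 1433)))
```

Run it over a real scan log instead of `SAMPLE_LOG` and the per-host port sets answer the question the posted summary cannot: whether every host got the same handful of ports (a sweep), and which ports never appear without each other. Raise `min_hosts` for large address blocks so a few stray connections do not count as a sweep.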