[Intrusions] [LOGS] Summary of large-scale portscanning detects
Ken Connelly
Ken.Connelly at uni.edu
Thu Sep 16 13:39:56 GMT 2004
Jason "JC" Monroe wrote:
>On Tue, 2004-09-14 at 06:45, Ken.Connelly at uni.edu wrote:
>
>>The following extracts show the beginning and ending of scan activity
>>that was detected on my network. The number following each set is the total
>>number of probes for that source. Timestamps are GMT-0500.
>>
>
>Since you are so kind as to send these reports every day would you
>consider taking another step and potentially identify the remote
>operating system making use of passive analysis (p0f, etc...) and
>providing that info in another column of your report?
>
>Thanks in advance,
>
As they used to say in my math classes, "the proof of this theorem is
trivial, and is left as an exercise for the reader". :-)
What you're asking for is *way* more involved than I have time to be
unless I believe there is a real threat from some of the reported
activity. I certainly don't have the time (nor the desire) to do an
nmap -O on the sources. As far as guessing what's actually generating
the scan, that's often a moving target and generally irrelevant anyway.
I report these individually to the abuse/security address for the source
netblock. I generally get thank yous and real responses from other .edu
sites and some small companies and ISPs. I get standard auto-responses
from some of the big boys. And I get nothing (or bounces) from others.
- ken
>JC
>_______________________________________________
>Intrusions mailing list
>Intrusions at lists.sans.org
>http://www.dshield.org/mailman/listinfo/intrusions
>
--
- Ken
=================================================================
Ken Connelly Systems and Operations Manager, ITS Network Services
University of Northern Iowa Cedar Falls, IA 50614-0121
email: Ken.Connelly at uni.edu
phone: (319) 273-5850 fax: (319) 273-7373
It's much more important to know what you don't know than what you do know!
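The daily report Ken describes (first and last probe per source, total probe count, local GMT-0500 timestamps) is the kind of summary a defender builds from firewall drop logs before sending a complaint to the source netblock's abuse contact. The following is an added example, not code from the original thread or from any tool mentioned in it. It assumes iptables-style syslog DROP lines (the sample lines are constructed), takes the sensor's timezone to be GMT-0500 as the report states, and adds one refinement beyond the post: a source only counts as a scan when it has touched a minimum number of distinct destinations, which filters out single stray packets.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample firewall log lines (not from the original report).
# Documentation-range addresses are used for both sources and targets.
SAMPLE_LOG = """\
Sep 14 01:02:03 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=4000 DPT=135
Sep 14 01:02:04 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=203.0.113.6 PROTO=TCP SPT=4001 DPT=135
Sep 14 01:02:05 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=5000 DPT=445
Sep 14 01:02:06 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=203.0.113.7 PROTO=TCP SPT=4002 DPT=135
Sep 14 01:09:00 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=203.0.113.8 PROTO=TCP SPT=4003 DPT=135
"""

# Assumed log format: syslog timestamp, host, "kernel: DROP", then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: DROP .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)

# Sensor-local timezone; the report states its timestamps are GMT-0500.
LOCAL_TZ = timezone(timedelta(hours=-5))


def parse_line(line, year=2004):
    """Return (timestamp, src, dst, dport) or None for lines that are not DROP records.
    Syslog timestamps carry no year, so the caller supplies it (assumed 2004 here)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
    return ts, m["src"], m["dst"], int(m["dpt"])


def summarize(log_text, min_targets=3):
    """Aggregate per source: first/last probe time, probe count, distinct targets and ports.
    Only sources that probed at least min_targets distinct destinations are reported."""
    per_src = defaultdict(lambda: {"first": None, "last": None, "count": 0,
                                   "dsts": set(), "ports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dpt = rec
        e = per_src[src]
        if e["first"] is None or ts < e["first"]:
            e["first"] = ts
        if e["last"] is None or ts > e["last"]:
            e["last"] = ts
        e["count"] += 1
        e["dsts"].add(dst)
        e["ports"].add(dpt)
    return {src: e for src, e in per_src.items() if len(e["dsts"]) >= min_targets}


def format_report(summary):
    """Render one line per source, busiest source first, with ISO timestamps (offset included)."""
    rows = []
    for src, e in sorted(summary.items(), key=lambda kv: kv[1]["count"], reverse=True):
        rows.append(
            f"{src}  first={e['first'].isoformat()}  last={e['last'].isoformat()}  "
            f"probes={e['count']}  targets={len(e['dsts'])}  ports={sorted(e['ports'])}"
        )
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG)))
```

On the constructed sample, 192.0.2.10 is reported (four probes against four hosts on port 135 between 01:02:03 and 01:09:00 local time), while 198.51.100.7 sent a single packet and is dropped by the distinct-target threshold; the `isoformat()` output carries the `-05:00` offset, so the recipient of the report can convert the times without guessing the sensor's timezone.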