[Dshield] Analyzing DShield data for indications of possible problems?
sjohnston at cavion.com
Thu Jun 27 16:53:04 GMT 2002
I absolutely agree.
The earlier the warning, the better.
Just let me know what I can do to help.
On Thu, 2002-06-27 at 08:14, Ed Truitt wrote:
> Yesterday, my team lead (who is also a DShield.org list subscriber)
> and I were talking about something I thought I would pass along to
> serve as a discussion starter. We both have read numerous instances
> of people asking if they have seen an increase in probing / scanning
> activity on this port or that, or from a certain netblock, country,
> or region, etc.
> We talked about the similarities between network scanning / probing
> and other process controls (like a chemical plant or a refinery).
> Specifically, if we could establish a baseline which represents the
> "normal" level of scanning activities, then we could let the
> computers analyze data as it was gathered, and look for
> "statistically significant" events - those which deviate from the
> norm enough that they indicate that something has changed. After
> all, we know that Port 80 scanning activity will drop off around the
> 20th of the month, then pick back up around the first, as this is the
> default behavior for CR/Nimda. So, a change in activity that matches
> that pattern is not something to worry about - unless the level of
> change is significantly different. However, a brief burst of
> scanning on a previously quiet port (SNMP, anyone?) might indicate a
> recon, prior to unleashing a new worm (I remember seeing this pattern
> before SQLsnake showed up.) Also, a change in the amount of activity
> from a specific geographical region/netblock might indicate
> preparations for a cyber-attack. Such information might help ISS
> alert sysadmins to batten down the hatches, and might allow us the
> time to mitigate, if not eliminate, the damage such an attack could
> DShield.org has the data. Does anyone else see value in approaching
> scans/probes/hacktivity from this perspective (process control)? It
> seems to me to be a better approach than people asking "have you
> Ed Truitt
> PGP fingerprint: 5368 D25E 468C A250 9833 CCD6 DBAE 9C25 02F9 0AB9
> "Note to spammers: my 'delete' key is connected to YOUR ISP.
> Also, if you send me UCE, I reserve the right to post your spew
> on my Web site, with the appropriate color commentary, so that
> others may have a good laugh at your expense."
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
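The baseline-and-deviation idea Ed raises above, as an added example (not code from the list, DShield or either poster): constructed DShield-style daily hit counts, a cycle-aware baseline keyed to day of month so the CR/Nimda drop on the 20th is expected rather than alarming, and a naive trailing-window baseline for contrast. The 30-day cycle, the port numbers and the 3-sigma threshold are assumptions made for the illustration.

```python
from math import sqrt
from statistics import mean, pstdev

CYCLE = 30  # assumed day-of-month period that CR/Nimda imposes on port 80 scanning

def build_sample(days=90):
    """Constructed daily hit counts per port (not real DShield data): port 80 runs hot
    until the 19th and drops from the 20th on; SNMP (161) is flat until one burst."""
    port80 = [200 if (d % CYCLE) < 19 else 40 for d in range(days)]
    port161 = [2] * days
    port161[-1] = 60
    return {80: port80, 161: port161}

def phase_baseline(history, day, cycle=CYCLE):
    """Mean and spread of earlier days at the same phase of the cycle, or None when
    fewer than two earlier cycles exist. Spread is floored at sqrt(mean) so a
    perfectly flat port still gets a non-zero tolerance (Poisson-style)."""
    same_phase = [history[i] for i in range(day % cycle, day, cycle)]
    if len(same_phase) < 2:
        return None
    mu = mean(same_phase)
    return mu, max(pstdev(same_phase), sqrt(max(mu, 1.0)))

def phase_anomalies(history, threshold=3.0, cycle=CYCLE):
    """Days whose count deviates from the cycle-aware baseline: (day, value, z)."""
    hits = []
    for day, value in enumerate(history):
        est = phase_baseline(history, day, cycle)
        if est is None:
            continue
        z = (value - est[0]) / est[1]
        if abs(z) >= threshold:
            hits.append((day, value, round(z, 1)))
    return hits

def trailing_anomalies(history, window=14, threshold=3.0):
    """Naive baseline from the previous `window` days, ignoring any cycle."""
    hits = []
    for day in range(window, len(history)):
        recent = history[day - window:day]
        mu = mean(recent)
        z = (history[day] - mu) / max(pstdev(recent), sqrt(max(mu, 1.0)))
        if abs(z) >= threshold:
            hits.append((day, history[day], round(z, 1)))
    return hits

if __name__ == "__main__":
    for port, hist in build_sample().items():
        print(port, "naive:", trailing_anomalies(hist), "cycle-aware:", phase_anomalies(hist))
```

Run as written, the naive detector raises an alarm on port 80 at the monthly drop (day index 19) while the cycle-aware one stays quiet there, and both flag the SNMP burst on the final day.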