[Dshield] SQL Port 1433

Kelly Martin kellym at fb.org
Wed May 22 18:02:46 GMT 2002


The "tool" I use for scan detection is incorporated into the Perl scripts to
parse the logs that are generated by our PIX and sent via syslog to an
interior Linux box.  A scan is defined as any incident in which the same
source hits more than one distinct port or more than one distinct target
host in a 300 second interval.  Packets which are not blocked by the
firewall do not figure into this determination as the firewall does not
report them (I could make it do so, but that would really burden my
logging machine).

I am not currently willing to share these scripts, in part because they are
hacked together quite sloppily, and in part because I am in the process of
rewriting them.  Sorry.

Kelly

-----Original Message-----
From: Abel Ordoñez [mailto:aordonez at infocorp.com.pe]
Sent: Wednesday, May 22, 2002 12:06 PM
To: list at dshield.org
Subject: RE: [Dshield] SQL Port 1433
Importance: High


Hi

Please send me a Scanner Name or web page with this tool

Thanks

Abel
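
The scan rule described in Kelly's message, as an added example (this is not the Perl from the post, which was not shared). It assumes the PIX 106023 "Deny" syslog layout, lines in time order, and a supplied year; the name find_scans and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW = 300  # seconds, the interval given in the post

# Assumed layout: syslog timestamp, hostname, then a PIX 106023 deny message.
DENY = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ %PIX-4-106023: Deny \w+ "
    r"src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def find_scans(lines, year=2002):
    """Return {source: {'ports', 'hosts'}} for sources that meet the scan rule."""
    recent = defaultdict(deque)  # source -> (time, dst host, dst port) in window
    scans = defaultdict(set)
    for line in lines:           # lines are assumed to be in time order
        m = DENY.match(line)
        if not m:
            continue             # only blocked packets are logged and counted
        # Syslog timestamps carry no year; passing one in is an assumption.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["src"]]
        q.append((ts, m["dst"], int(m["dport"])))
        while (ts - q[0][0]).total_seconds() > WINDOW:
            q.popleft()          # drop hits that fell out of the interval
        if len({port for _, _, port in q}) > 1:
            scans[m["src"]].add("ports")
        if len({host for _, host, _ in q}) > 1:
            scans[m["src"]].add("hosts")
    return dict(scans)

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE = """\
May 22 12:00:00 pix %PIX-4-106023: Deny tcp src outside:203.0.113.9/3100 dst inside:192.0.2.10/1433 by access-group "acl_out"
May 22 12:00:01 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/4312 dst inside:192.0.2.10/1433 by access-group "acl_out"
May 22 12:00:05 pix %PIX-4-106023: Deny tcp src outside:203.0.113.5/2201 dst inside:192.0.2.10/1433 by access-group "acl_out"
May 22 12:01:00 pix %PIX-4-106023: Deny tcp src outside:203.0.113.5/2202 dst inside:192.0.2.10/1433 by access-group "acl_out"
May 22 12:02:00 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/4313 dst inside:192.0.2.11/1433 by access-group "acl_out"
May 22 12:03:00 pix %PIX-4-106023: Deny tcp src outside:198.51.100.20/1500 dst inside:192.0.2.10/1433 by access-group "acl_out"
May 22 12:03:10 pix %PIX-4-106023: Deny udp src outside:198.51.100.20/1501 dst inside:192.0.2.10/1434 by access-group "acl_out"
May 22 12:10:00 pix %PIX-4-106023: Deny tcp src outside:203.0.113.9/3101 dst inside:192.0.2.10/80 by access-group "acl_out"
""".splitlines()

if __name__ == "__main__":
    for src, kinds in find_scans(SAMPLE).items():
        print(src, sorted(kinds))
```

In the sample, 203.0.113.5 repeats the same host and port and 203.0.113.9 hits a second port ten minutes later, so neither counts as a scan under the rule.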




