[Dshield] Resources For Scanning Tool Patterns?

Ken Schweigert ken at byte-productions.com
Thu Apr 29 19:58:28 GMT 2004


Does a resource exist that maps scanning patterns to a specific tool
or worm?

For instance, I see this pattern happen multiple times a day:

Apr 22 02:48:16 w9 kernel: Packet log: input DENY eth0 PROTO=6 221.168.189.153:22002 vv.ww.xx.yy:1080 L=40 S=0x00 I=9294 F=0x0000 T=109 SYN (#254)
Apr 22 02:48:16 w9 kernel: Packet log: input DENY eth0 PROTO=6 221.168.189.153:22002 vv.ww.xx.yy:10080 L=40 S=0x00 I=9552 F=0x0000 T=121 SYN (#257)
Apr 22 02:48:16 w9 kernel: Packet log: input DENY eth0 PROTO=6 221.168.189.153:22002 vv.ww.xx.yy:3128 L=40 S=0x00 I=48465 F=0x0000 T=124 SYN (#251)

It always has the same source port and always goes through my IP range
in sequence, and it's pretty obvious that it's looking for proxies.
I know it's something automated, but I just don't know what it is.  
Is it a worm?  Is it a known tool? If so, where can I find out which
one it is?

I know there are utilities that examine a packet's contents and match
on that (Snort), but what I would like to know is there a utility or
resource that can identify the tool based on, for lack of a better 
word, "behaviour"?

-- 
Ken Schweigert, Network Administrator
Byte Productions, LLC
http://www.byte-productions.com
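The question above is about matching on behaviour rather than payload. The following is an added example, not part of the original post or of any DShield tool: it parses kernel "Packet log:" lines of the kind quoted in the message and profiles each source by the properties Ken points at (one fixed source port, several destination ports, proxy ports among them, varying TTL). The three log lines from the post are reused as input; the 198.51.100.7 line is constructed here as a contrasting non-scan entry, and the PROXY_PORTS table is an assumption about which ports an open-proxy sweep typically probes. It does not map the pattern to a named tool; that is the lookup the post is asking where to find.

```python
import re
from collections import defaultdict

# Field layout of the kernel "Packet log:" lines quoted in the post:
# input DENY eth0 PROTO=6 src:sport dst:dport L=.. S=.. I=.. F=.. T=.. SYN (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[^\s:]+):(?P<sport>\d+) "
    r"(?P<dst>[^\s:]+):(?P<dport>\d+) L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) "
    r"I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: (?P<flags>[A-Z]+))?"
)

# Assumption: ports commonly probed by open-proxy sweeps (not from the post).
PROXY_PORTS = {80, 1080, 3128, 8000, 8080, 8888, 10080}

# Sample input: first three lines are from the post; the last is constructed
# to show a single, ordinary connection attempt that should not be flagged.
SAMPLE_LOG = """\
Apr 22 02:48:16 w9 kernel: Packet log: input DENY eth0 PROTO=6 221.168.189.153:22002 vv.ww.xx.yy:1080 L=40 S=0x00 I=9294 F=0x0000 T=109 SYN (#254)
Apr 22 02:48:16 w9 kernel: Packet log: input DENY eth0 PROTO=6 221.168.189.153:22002 vv.ww.xx.yy:10080 L=40 S=0x00 I=9552 F=0x0000 T=121 SYN (#257)
Apr 22 02:48:16 w9 kernel: Packet log: input DENY eth0 PROTO=6 221.168.189.153:22002 vv.ww.xx.yy:3128 L=40 S=0x00 I=48465 F=0x0000 T=124 SYN (#251)
Apr 22 09:12:01 w9 kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:34512 vv.ww.xx.yy:25 L=60 S=0x00 I=11 F=0x4000 T=53 SYN (#300)
"""


def parse(line):
    """Return the packet fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        d[key] = int(d[key])
    d["flags"] = d["flags"] or ""
    return d


def profile(lines):
    """Group TCP SYNs by source address and summarise the behavioural features."""
    by_src = defaultdict(list)
    for line in lines:
        p = parse(line)
        if p and p["proto"] == 6 and "SYN" in p["flags"]:
            by_src[p["src"]].append(p)

    findings = {}
    for src, pkts in by_src.items():
        sports = {p["sport"] for p in pkts}
        dports = {p["dport"] for p in pkts}
        findings[src] = {
            "packets": len(pkts),
            # A single source port across many probes is the fingerprint Ken describes.
            "fixed_source_port": next(iter(sports)) if len(sports) == 1 else None,
            "dst_ports": sorted(dports),
            "proxy_ports_hit": sorted(dports & PROXY_PORTS),
            "hosts": len({p["dst"] for p in pkts}),
            # TTL that changes between packets sent in the same second is worth recording;
            # a real host's TTL to one destination is normally stable.
            "ttl_values": sorted({p["ttl"] for p in pkts}),
        }
    return findings


def classify(f):
    """Label one source profile using the behavioural properties only."""
    if (f["fixed_source_port"] is not None
            and len(f["dst_ports"]) >= 2
            and len(f["proxy_ports_hit"]) >= 2):
        return "fixed-source-port proxy sweep"
    if len(f["dst_ports"]) >= 5:
        return "port scan"
    return "no pattern"


def scan_report(text=SAMPLE_LOG):
    """Classify every source in a block of log text."""
    findings = profile(text.splitlines())
    return {src: (classify(f), f) for src, f in findings.items()}


if __name__ == "__main__":
    for src, (label, f) in scan_report().items():
        print(f"{src}: {label} sport={f['fixed_source_port']} "
              f"dports={f['dst_ports']} ttl={f['ttl_values']}")
```

Extending this into the resource the post asks for would mean keeping a local table that maps a profile (fixed source port, port set, probe order, TTL behaviour) to a tool name as each one gets identified; the code above only extracts the features, it does not know any tool names.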