[Dshield] Resources For Scanning Tool Patterns?
ken at byte-productions.com
Thu Apr 29 19:58:28 GMT 2004
Does a resource exist that maps scanning patterns to a specific tool?
For instance, I see this pattern happen multiple times a day:
Apr 22 02:48:16 w9 kernel: Packet log: input DENY eth0 PROTO=6 18.104.22.168:22002 vv.ww.xx.yy:1080 L=40 S=0x00 I=9294 F=0x0000 T=109 SYN (#254)
Apr 22 02:48:16 w9 kernel: Packet log: input DENY eth0 PROTO=6 22.214.171.124:22002 vv.ww.xx.yy:10080 L=40 S=0x00 I=9552 F=0x0000 T=121 SYN (#257)
Apr 22 02:48:16 w9 kernel: Packet log: input DENY eth0 PROTO=6 126.96.36.199:22002 vv.ww.xx.yy:3128 L=40 S=0x00 I=48465 F=0x0000 T=124 SYN (#251)
It always has the same source port and always goes through my IP range
in sequence, and it's pretty obvious that it's looking for proxies.
I know it's something automated, but I just don't know what it is.
Is it a worm? Is it a known tool? If so, where can I find out which
one it is?
I know there are utilities that examine a packet's contents and match
on that (Snort), but what I would like to know is whether there is a utility or
resource that can identify the tool based on, for lack of a better
Ken Schweigert, Network Administrator
Byte Productions, LLC
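The two signals Ken picks out of his ipchains "Packet log" lines (a source port that never changes across connections, and probes walking the target range in order) are exactly what a defender can key on without any payload, since a normal TCP client draws a fresh ephemeral source port per connection. The script below is an added example, not code from the original post or from DShield: it parses lines in that log format, groups SYN probes by (source IP, source port), and flags groups that hit several hosts on several ports. The sample log lines are constructed (TEST-NET addresses), and the set of "proxy-looking" destination ports is an assumption used for the label only.

```python
"""Parse ipchains 'Packet log' lines and flag fixed-source-port proxy probes."""
import re
from collections import defaultdict

# Constructed sample lines in the same ipchains format as the post. Source and
# destination addresses are TEST-NET placeholders, not real hosts.
SAMPLE_LOG = """\
Apr 22 02:48:16 w9 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:22002 198.51.100.5:1080 L=40 S=0x00 I=9294 F=0x0000 T=109 SYN (#254)
Apr 22 02:48:16 w9 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:22002 198.51.100.5:10080 L=40 S=0x00 I=9552 F=0x0000 T=121 SYN (#257)
Apr 22 02:48:16 w9 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:22002 198.51.100.5:3128 L=40 S=0x00 I=48465 F=0x0000 T=124 SYN (#251)
Apr 22 02:49:01 w9 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:22002 198.51.100.6:1080 L=40 S=0x00 I=9301 F=0x0000 T=109 SYN (#254)
Apr 22 03:10:00 w9 kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:41233 198.51.100.5:80 L=40 S=0x00 I=1 F=0x0000 T=64 SYN (#10)
"""

# Ports commonly probed when looking for open proxies (assumption for labelling).
PROXY_PORTS = {80, 81, 1080, 3128, 6588, 8000, 8080, 10080}

# One ipchains log line: timestamp, host, chain, verdict, interface, then the
# PROTO / src:port / dst:port / L= S= I= F= T= fields, TCP flags, rule number.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["flags"] = rec["flags"].split()
    return rec


def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def targets_are_sequential(dsts):
    """True when the distinct target addresses form one unbroken run."""
    nums = sorted(ip_to_int(d) for d in dsts)
    return len(nums) >= 2 and all(b - a == 1 for a, b in zip(nums, nums[1:]))


def find_fixed_source_port_scans(lines, min_probes=3, min_dports=2):
    """Group TCP SYN probes by (src, sport); a real client would vary sport."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != 6 or "SYN" not in rec["flags"]:
            continue
        groups[(rec["src"], rec["sport"])].append(rec)

    findings = []
    for (src, sport), recs in groups.items():
        dports = {r["dport"] for r in recs}
        dsts = {r["dst"] for r in recs}
        if len(recs) < min_probes or len(dports) < min_dports:
            continue
        findings.append({
            "src": src,
            "sport": sport,
            "probes": len(recs),
            "targets": sorted(dsts, key=ip_to_int),
            "dports": sorted(dports),
            # Two or more known proxy ports from one fixed source port: label it.
            "proxy_scan": len(dports & PROXY_PORTS) >= 2,
            "sequential_targets": targets_are_sequential(dsts),
        })
    return findings


if __name__ == "__main__":
    for finding in find_fixed_source_port_scans(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the thresholds are deliberately low for the constructed sample and should be raised on a busy sensor. The fixed source port and the proxy-port set give a behavioural fingerprint, which is the closest thing to tool identification a firewall log can support on its own.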