[unisog] Tool to find ssh attacks in argus logs

Peter Van Epp vanepp at sfu.ca
Mon Nov 5 19:56:24 GMT 2001

> Greetings All,
> 	     Here is a quick perl hack to scan archived argus[1] logs 
> for evidence of ssh attacks.  The current attack that we have seen 
> iterates an offset for the shell code and this script picks up the 
> repeated attempts.  The script is quite specific to this attack and 
> looks for ssh session within a quite narrow size range.
> It has been tested by Peter Van Epp (thanks Peter!) on real data and  
> picked up all know attacks that they had seen and outgoing attacks from 
> machine on the network that had already been compromised.  Peter also 
> modified the script to work with argus 1.8.x (see comments).

	I also just ran the entire month of October through the script and 
picked up a previously missed machine from Oct 27, so it appears to be working
fine even for the ones I didn't already know about :-)

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the unisog mailing list