Question N4
What are the different scan patterns (sequential, etc) you can notice? Do you think all come from different attack tools? Any long term ("low and slow") scanning activity?
Things We Looked At

We had several ideas, and we've thought of different strategies.
Some have been successful (and practical too) while others haven't.
Should we maybe work on the TcpFlags? Or how do we identify types of scans otherwise?

More analysis using this method can be read at the TcpFlags page.
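As an added illustration (not part of the original page or its dataset), the following Python sketch shows how a defender can bucket packets by their TCP flag combination to tell the well-known Nmap scan families (SYN, NULL, FIN, Xmas) apart from ordinary traffic, and then attribute a source to a scan type by what it sends. The packet records, addresses and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

# Flag letters follow tcpdump convention: S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST.
# Only the combinations a defender recognises as probe signatures are listed;
# anything else is treated as ordinary traffic.
FLAG_SIGNATURES = {
    frozenset("S"): "syn",        # SYN (half-open) or connect() scan, also every normal handshake
    frozenset(): "null",          # no flags at all: never produced by a normal stack
    frozenset("F"): "fin",        # bare FIN without a connection
    frozenset("FPU"): "xmas",     # FIN+PSH+URG
    frozenset("SF"): "syn_fin",   # contradictory combination
}

# Combinations that are anomalous on their own, independent of volume.
ANOMALOUS = {"null", "fin", "xmas", "syn_fin"}

# Constructed packet records (source address, destination port, flags); not real captures.
SAMPLE_PACKETS = (
    [("192.0.2.10", port, "S") for port in range(20, 45)]          # SYN sweep across 25 ports
    + [("192.0.2.31", port, "FPU") for port in (21, 22, 23, 25)]   # Xmas probes
    + [("192.0.2.31", 80, "")]                                      # and a NULL probe from the same host
    + [("192.0.2.120", 80, "S"), ("192.0.2.120", 80, "A"),
       ("192.0.2.120", 80, "PA")]                                   # a normal web client handshake
)


def classify_flags(flags):
    """Map one packet's flag string to a scan family, or 'normal'."""
    return FLAG_SIGNATURES.get(frozenset(flags), "normal")


def scan_profile(packets):
    """Per source: how many packets of each family, and which ports saw a bare SYN."""
    families = defaultdict(Counter)
    syn_ports = defaultdict(set)
    for src, dport, flags in packets:
        family = classify_flags(flags)
        families[src][family] += 1
        if family == "syn":
            syn_ports[src].add(dport)
    return families, syn_ports


def suspicious_sources(packets, syn_port_threshold=10):
    """Verdict per source. A single anomalous flag combination is enough;
    plain SYNs only count when they fan out over many ports (threshold is an assumption)."""
    families, syn_ports = scan_profile(packets)
    verdict = {}
    for src, counts in families.items():
        kinds = sorted(k for k in counts if k in ANOMALOUS)
        if kinds:
            verdict[src] = "stealth scan (" + ", ".join(kinds) + ")"
        elif len(syn_ports[src]) >= syn_port_threshold:
            verdict[src] = "syn sweep over %d ports" % len(syn_ports[src])
    return verdict


if __name__ == "__main__":
    for src, why in sorted(suspicious_sources(SAMPLE_PACKETS).items()):
        print(src, "->", why)
```

The point of keeping SYN separate from the anomalous combinations is that a lone SYN is also what every legitimate client sends, so it only becomes evidence when the same source fans it out over many ports; NULL, FIN and Xmas packets need no such volume test because no normal stack emits them.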
For the LONG TERM AND SLOW activity, we need to generate statistics of this kind:

• For each address, how many events per day (start from Timeline).
• Addresses which appear more often (every day or so) but with just a probe or two, instead of a massive scan, are the PRO's :-)
...this second point especially is also interesting for Question8. Those are the scary guys: the nearly invisible ones, rather than the massive worms...

That is, assuming you have patched, of course; but in general we don't like to 'sensationalise' but rather spot those dangerous few ones....
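An added example, not from the original analysis, of the two statistics described above: a per-address, per-day event count built from a timeline, and a filter that separates sources with one massive burst from those that return almost daily with only a probe or two. The timeline rows, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed timeline records (day, source address, destination port).
# These are made-up rows for illustration, not the challenge data.
SAMPLE_TIMELINE = (
    # a noisy scanner: forty probes on a single day
    [("2003-09-13", "192.0.2.10", port) for port in range(1, 41)]
    # a low-and-slow source: one probe a day for a week ...
    + [("2003-09-%02d" % day, "192.0.2.77", 22) for day in range(11, 18)]
    # ... with a second probe on two of those days
    + [("2003-09-13", "192.0.2.77", 113), ("2003-09-16", "192.0.2.77", 901)]
    # a one-off probe that should not be flagged either way
    + [("2003-09-15", "192.0.2.200", 80)]
)


def events_per_day(timeline):
    """First statistic: for each address, how many events per day.

    Returns {source: {day: count}}.
    """
    table = defaultdict(lambda: defaultdict(int))
    for day, src, _dport in timeline:
        table[src][day] += 1
    return {src: dict(days) for src, days in table.items()}


def classify_sources(table, slow_min_days=3, slow_max_per_day=2, massive_threshold=20):
    """Second statistic: split sources into the massive scanners and the
    'low and slow' ones that show up on many days with a probe or two.

    Thresholds are assumptions chosen for this sample; tune them per dataset.
    """
    result = {"massive": [], "low_and_slow": [], "other": []}
    for src in sorted(table):
        days = table[src]
        peak = max(days.values())
        if peak >= massive_threshold:
            result["massive"].append(src)
        elif len(days) >= slow_min_days and peak <= slow_max_per_day:
            result["low_and_slow"].append(src)
        else:
            result["other"].append(src)
    return result


if __name__ == "__main__":
    table = events_per_day(SAMPLE_TIMELINE)
    for src, days in sorted(table.items()):
        print(src, "seen on", len(days), "days, peak", max(days.values()), "events/day")
    print(classify_sources(table))
```

The classifier keys on the peak daily count rather than the total: a source with nine events spread over a week and a source with nine events in one minute have the same total, and only the first one matches the "probe or two, every day or so" profile.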
Port Scans

• TcpFlags - With more specific analysis of some known scan types (those NMAP scans)
• Spikes in traffic from various addresses
• DstPort113 - Some analysis of FTP scans came out while looking at identd
We found it really difficult to divide 'scans' from 'reconnaissance activity'. We never quite reached an agreement on these definitions; they can simply be interpreted in several ways. Part of the answer to this question can thus be found in Question3, and vice versa.
Long Term Scanning Activity

• DstPort901 - The very same sequence of scan is seen twice: it is observed on the 13th and on the 17th of the month
• 69.133.57.67 - Some consideration on Slow and Stealth activity
Other Pages