Security Incidents mailing list archives

Re: Handling Scans.


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Tue, 13 Feb 2001 11:46:00 +1300

On Mon, 12 Feb 2001 11:30:35 -0600 abel wisman <abel () able-towers com>
wrote:

> This matter is interesting, and I was thinking about it upon reading the
> previous posting.
> As a shell/web host, the number of scans that pass by daily is staggering;
> certainly I would like to sit down and write to all ISPs about their
> 'clients' doing this, however time is an elusive article nowadays.
>
> Has (in addition to the question already asked) anybody made (perhaps) an
> automated system based on, for instance, iplog, snort or tripwire, where mail
> is generated to do this automatically?

I have a semi-automated system based on locally written Perl scripts
which use argus to detect scans, and some CGI scripts that allow me to
quickly look up contacts and construct mail messages.  I am thinking of
having the script that records the scans automatically do a whois.

With this setup I can report a scan in about two minutes, assuming
contact information is reasonably straightforward.

I have just about given up reporting scans from Windows trojans;
currently I know of nearly 200 addresses (mostly in the same /8 address
space as us) which are engaging in slow scans of UDP 137 or TCP 524.

What I have been doing recently is picking a batch of reports from a
single site and firing off a quick note saying "I think the following
machines may be infected with a worm..."

When I last looked at my list there were a couple of /16 that had > 10
addresses scanning.  The highest ratio was about 20 machines in a
single /26.  I reported that, never heard back but the addresses
shortly disappeared from my list.


Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
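
The batching Russell describes (counting distinct scanning sources per /16 and /26, then sending one "the following machines may be infected" note per dense prefix) as an added example. This is not code from the original post and not Russell's argus/Perl setup; the scan-record format, the sample addresses, the mail addresses and the reporter name are all constructed assumptions. The whois lookup he mentions is left out because it needs network access; the abuse contact is passed in as a parameter instead.

```python
import ipaddress
from collections import defaultdict
from email.message import EmailMessage

# Constructed sample input (assumed format, not argus output): one record per
# detected scanner as "src_ip proto/port probes". Addresses are RFC 1918 / TEST-NET.
SAMPLE_SCANS = """\
10.1.2.3     udp/137 41
10.1.2.9     udp/137 38
10.1.2.17    tcp/524 12
10.1.2.40    udp/137 55
10.1.7.200   udp/137 9
10.200.3.4   udp/137 22
10.200.9.77  tcp/524 18
192.0.2.5    udp/137 3
"""


def parse_scans(text):
    """Return a list of (ip, service, probes) tuples from the scan records."""
    recs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ip, service, probes = line.split()
        recs.append((ipaddress.ip_address(ip), service, int(probes)))
    return recs


def cluster_by_prefix(recs, prefixlen):
    """Group the distinct scanning addresses by their enclosing /prefixlen."""
    groups = defaultdict(set)
    for ip, _service, _probes in recs:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[net].add(ip)
    return groups


def noisy_prefixes(recs, prefixlen, min_hosts):
    """Prefixes with at least min_hosts distinct scanners, densest first."""
    groups = cluster_by_prefix(recs, prefixlen)
    dense = [(net, sorted(ips)) for net, ips in groups.items()
             if len(ips) >= min_hosts]
    dense.sort(key=lambda item: (-len(item[1]), item[0]))
    return dense


def draft_report(net, ips, recs, to_addr, from_addr, reporter):
    """Build one batched abuse report for every scanner inside `net`."""
    per_host = defaultdict(list)
    for ip, service, probes in recs:
        if ip in ips:
            per_host[ip].append((service, probes))
    lines = [
        f"The following {len(ips)} addresses in {net} have been seen slowly",
        "scanning our address space; I think they may be infected with a worm.",
        "",
    ]
    for ip in sorted(ips):
        detail = ", ".join(f"{svc} ({n} probes)"
                           for svc, n in sorted(per_host[ip]))
        lines.append(f"  {str(ip):<16} {detail}")
    lines += ["", "Please check them and let us know what you find.", "", reporter]
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = f"Possible worm-infected hosts scanning from {net}"
    msg.set_content("\n".join(lines))
    return msg


if __name__ == "__main__":
    records = parse_scans(SAMPLE_SCANS)
    # Wide view first (/16), then the tighter /26 clusters worth a single mail.
    for net, ips in noisy_prefixes(records, 16, 2):
        print(f"{net}: {len(ips)} scanning hosts")
    for net, ips in noisy_prefixes(records, 26, 3):
        report = draft_report(net, ips, records, "abuse@example.net",
                              "security@example.edu", "Example Reporter")
        print(report)
```

The thresholds (2 hosts per /16, 3 per /26) are arbitrary here; in practice the cut-off would track how many separate contacts you are willing to write to, and the `To:` address would come from the whois step this example omits.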

