Security Incidents mailing list archives

Re: Scan that doesn't make sense


From: Johan Augustsson <johan.augustsson () adm gu se>
Date: Wed, 6 Feb 2002 19:04:17 +0100

On Wed, Feb 06, 2002 at 11:39:56AM -0500, McCammon, Keith wrote:
> This certainly doesn't look like any of the well-known scripts that I've
> seen in recent months.  In fact, if you look at the timestamps, it seems
> likely that this was done manually.  Look at the different tools/methods
> used to probe the system, and then look at the gaps between them.
> Either a very odd script, or someone with too much time on their hands.
> 
> Do you happen to have any event correlation software in place that might
> tell you if this fellow has been caught poking around prior to this
> incident?
> 
> Cheers
> 
> Keith


According to my Snort logs this was the first time this fellow got into
that particular subnet. We do not have any centralised snort box for our
/16 net yet so this is just for a /24.

As I mentioned in my first mail there must be a truckload of traffic
that Snort didn't pick up since we're only using the default ruleset
plus a few custom rules to pick up the ftp and printer scans.

But why did he first run some cmd.exe stuff and a few minutes later do
a portscan? I just don't get it, or are those script kiddies really that
eherm... stupid?

Are you guys getting any ICMP superscan Echo in your Snort logs? Since I
wrote the rule (brag, brag, brag) it would be fun to know if folks are
using it or if it triggers too many false alarms. The ICMP superscan
Echoes I get do nearly all originate from dialups or *dsl accounts.
That makes me believe that SuperScan is the only tool (or one of very
few) that uses a payload of eight zeroes in its ICMP Echo Requests.

/Johan
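The fingerprint the post describes (an ICMP Echo Request whose payload is exactly eight zero bytes) is easy to check for outside Snort. The following is an added example, not Johan's rule or any SecurityFocus code: it parses raw IPv4/ICMP packets, flags those matching the eight-zero-byte pattern, and runs over a small set of constructed packets. The sample addresses, identifiers and the Snort rule sketched in the comment are assumptions for illustration, not values from the original post.

```python
import struct

# The pattern the post attributes to SuperScan: Echo Request (type 8, code 0)
# carrying exactly eight zero bytes after the 8-byte ICMP header.
SUPERSCAN_PAYLOAD = b"\x00" * 8

# A Snort rule of roughly this shape expresses the same check (assumed form,
# not the author's actual rule):
#   alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP superscan echo";
#       itype:8; dsize:8; content:"|00 00 00 00 00 00 00 00|";)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, payload: bytes,
                       ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build a minimal IPv4 + ICMP Echo Request (constructed test input only)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0, 64, 1, 0,   # ver/IHL, TOS, len, id, frag, TTL, proto=ICMP, csum
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return ip + icmp


def parse_icmp(packet: bytes):
    """Return (src, icmp_type, icmp_code, payload), or None if not an ICMP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:   # protocol 1 = ICMP
        return None
    src = ".".join(str(b) for b in packet[12:16])
    total_len = struct.unpack("!H", packet[2:4])[0]
    icmp = packet[ihl:total_len]
    if len(icmp) < 8:
        return None
    return src, icmp[0], icmp[1], icmp[8:]


def is_superscan_echo(packet: bytes) -> bool:
    """True only for Echo Requests whose entire payload is eight zero bytes."""
    parsed = parse_icmp(packet)
    if parsed is None:
        return False
    _, itype, code, payload = parsed
    return itype == 8 and code == 0 and payload == SUPERSCAN_PAYLOAD


def scan_capture(packets):
    """Return the source addresses of every packet matching the fingerprint."""
    return [parse_icmp(p)[0] for p in packets if is_superscan_echo(p)]


# Constructed sample capture (documentation-range addresses).
SAMPLE_PACKETS = [
    build_echo_request("192.0.2.10", "198.51.100.5", b"\x00" * 8),          # matches
    build_echo_request("192.0.2.11", "198.51.100.5", b"abcdefghijklmnop"),  # Windows-ping style payload
    build_echo_request("192.0.2.12", "198.51.100.5", b"\x00" * 16),         # zeroes, but wrong length
    build_echo_request("192.0.2.13", "198.51.100.5", b""),                  # empty payload
]

if __name__ == "__main__":
    print("eight-zero-byte Echo Requests from:", scan_capture(SAMPLE_PACKETS))
```

The length check matters as much as the content check: matching only on a run of zeroes would also fire on ordinary pings whose larger payloads happen to start with zeroes, which is one source of the false alarms the post asks about. Correlating hits with the source network (dial-up and DSL ranges, as the post observes) is a second cheap filter before treating a match as a recon indicator.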

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

