Firewall Wizards mailing list archives
RE: Help me interpret these log entries....
From: "Matt Wagner" <miguknom () hotmail com>
Date: Tue, 07 Mar 2006 17:04:39 -0700
This is likely an idle scan. The original write-up on this kind of attack can be found here:
http://wiki.hping.org/8

The source IP address that you see isn't really the attacker. The information in your logs is virtually useless, unless you own the idle system used in the scan.
Here are a few general, but imperfect guidelines about source and destination IP address and port counts that might be of use to you. I use them for preliminary automated analysis in my correlation system.
Src IPs  Src Ports  Dest IPs   Dest Ports      Type
1        Many       Many       1 (e.g. pt 80)  Scanning for favorite (web) exploit.
Many     Many       Many       1               Same but distributed.
1        Many       1          Many            Attack on 1 system (or your sys is infected)
Many     1          Many       Many            Idle Scan
Many     1          1 or Many  Many            DoS, smurf, etc
Of course, ICMP sweeps will be a little different (types & codes vs. ports). Hope that is of some use.
Matt Wagner CISSP, CCNP, CCSP, MCSE
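As an added example (not from the thread and not Matt's correlation system), the following Python applies the count table above to one window of firewall log lines and returns every row that fits, so the overlap between the Idle Scan and DoS rows shows up as two labels. The iptables-style key=value line format, the `many_at` threshold and the sample lines are assumptions constructed for the example.

```python
import re
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port")

# The post's table: each cell is "one", "many" or "any" (for "1 or Many").
RULES = [
    (("one", "many", "many", "one"), "scanning for favorite (web) exploit"),
    (("many", "many", "many", "one"), "same but distributed"),
    (("one", "many", "one", "many"), "attack on 1 system (or your sys is infected)"),
    (("many", "one", "many", "many"), "idle scan"),
    (("many", "one", "any", "many"), "DoS, smurf, etc."),
]

# Assumed iptables-style log line format, not the format of the original poster's logs.
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?SPT=(\d+) DPT=(\d+)")

def parse_lines(lines):
    """Extract (src_ip, src_port, dst_ip, dst_port) from each line that matches LINE_RE."""
    flows = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            src, dst, spt, dpt = m.groups()
            flows.append(Flow(src, int(spt), dst, int(dpt)))
    return flows

def cardinality(values, many_at):
    """Bucket a distinct-value count into the table's 'one' / 'many' ('few' matches no row)."""
    n = len(set(values))
    return "one" if n == 1 else ("many" if n >= many_at else "few")

def profile(flows, many_at=3):
    """Distinct-count profile in table column order: src IPs, src ports, dest IPs, dest ports."""
    return tuple(cardinality([getattr(f, col) for f in flows], many_at) for col in Flow._fields)

def classify(flows, many_at=3):
    """Return the label of every table row consistent with this window of flows."""
    p = profile(flows, many_at)
    return [label for cells, label in RULES if all(c in ("any", o) for c, o in zip(cells, p))]

# Constructed sample windows: one source hitting port 80 on many hosts, and many sources
# from one source port hitting many ports on many hosts (the table's Idle Scan / DoS shape).
SCAN_WINDOW = [
    "kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80 SYN",
    "kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=40002 DPT=80 SYN",
    "kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=40003 DPT=80 SYN",
]
IDLE_WINDOW = [
    "kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=22 SYN",
    "kernel: IN=eth0 SRC=203.0.113.6 DST=192.0.2.11 PROTO=TCP SPT=80 DPT=25 SYN",
    "kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=80 DPT=443 SYN",
]

if __name__ == "__main__":
    for name, window in (("scan", SCAN_WINDOW), ("idle", IDLE_WINDOW)):
        print(name, profile(parse_lines(window)), classify(parse_lines(window)))
```

Because `classify` returns all consistent rows, a window that comes back with two labels is exactly the case the post calls "imperfect" and needs an analyst rather than an automatic verdict.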