Firewall Wizards mailing list archives

RE: Help me interpret these log entries....


From: "Matt Wagner" <miguknom () hotmail com>
Date: Tue, 07 Mar 2006 17:04:39 -0700

This is likely an idle scan. The original write-up on this kind of attack can be found here:

http://wiki.hping.org/8

The source IP address that you see isn't really the attacker. The information in your logs is virtually useless, unless you own the idle system used in the scan.

Here are a few general, but imperfect guidelines about source and destination IP address and port counts that might be of use to you. I use them for preliminary automated analysis in my correlation system.

Src IPs   Src Ports   Dest IPs     Dest Ports       Type
1         Many        Many         1 (e.g. pt 80)   Scanning for favorite (web) exploit.
Many      Many        Many         1                Same but distributed.
1         Many        1            Many             Attack on 1 system (or your sys is infected)
Many      1           Many         Many             Idle Scan
Many      1           1 or Many    Many             DoS, smurf, etc.


Of course, ICMP sweeps will be a little different (types & codes vs. ports). Hope that is of some use.

Matt Wagner
CISSP, CCNP, CCSP, MCSE
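Added example, not part of the post above: a small Python script that applies the source/destination count table to a constructed batch of log records. The "src=IP:PORT dst=IP:PORT" record format and the rule labels are assumptions for illustration; a batch that matches more than one row (the idle-scan and DoS rows overlap) returns every matching label, reflecting that the guidelines are imperfect.

```python
"""Apply the IP/port-count heuristic to a batch of constructed firewall log records."""
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port")

# Rows from the post: (src_ips, src_ports, dst_ips, dst_ports) -> label.
# "*" matches either cardinality ("1 or Many"). Labels are paraphrased.
RULES = [
    (("1", "Many", "Many", "1"), "scanning for favorite (web) exploit"),
    (("Many", "Many", "Many", "1"), "distributed scan for favorite exploit"),
    (("1", "Many", "1", "Many"), "attack on one system (or that system is infected)"),
    (("Many", "1", "Many", "Many"), "idle scan"),
    (("Many", "1", "*", "Many"), "DoS / smurf"),
]


def parse_line(line):
    """Parse a constructed 'src=IP:PORT dst=IP:PORT' record (hypothetical format)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    sip, spt = fields["src"].rsplit(":", 1)
    dip, dpt = fields["dst"].rsplit(":", 1)
    return Flow(sip, int(spt), dip, int(dpt))


def cardinality(values):
    """Collapse a column to the two buckets the table uses: '1' or 'Many'."""
    return "1" if len(set(values)) == 1 else "Many"


def classify(flows):
    """Return every table label whose row matches the batch's count profile."""
    profile = (
        cardinality(f.src_ip for f in flows),
        cardinality(f.src_port for f in flows),
        cardinality(f.dst_ip for f in flows),
        cardinality(f.dst_port for f in flows),
    )
    return [label for pattern, label in RULES
            if all(p == "*" or p == v for p, v in zip(pattern, profile))]


# Constructed sample batch: one source sweeping several hosts on port 80.
SAMPLE_LOG = [
    "src=198.51.100.7:40001 dst=192.0.2.10:80",
    "src=198.51.100.7:40002 dst=192.0.2.11:80",
    "src=198.51.100.7:40003 dst=192.0.2.12:80",
]

if __name__ == "__main__":
    print(classify([parse_line(l) for l in SAMPLE_LOG]))
```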


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

