Security Incidents mailing list archives
Re: Handling Scans.
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Tue, 13 Feb 2001 11:46:00 +1300
On Mon, 12 Feb 2001 11:30:35 -0600 abel wisman <abel () able-towers com> wrote:
This matter is interesting, and I was thinking about it upon reading the previous posting. As a shell/web host, the numbers of scans that pass by daily are staggering, certainly I would like to sit down and write to all ISPs about their "clients" doing this, however time is an elusive article nowadays. Has (in addition to the question already asked) anybody made (perhaps) an automated system based on for instance iplog, snort or tripwire, where mail is generated to do this automatically?
I have a semi-automated system based on locally written Perl scripts which uses argus to detect scans, and some CGI scripts that allow me to quickly look up contacts and construct mail messages. I am thinking of having the script that records the scans automatically do a whois. With this setup I can report a scan in about two minutes, assuming contact information is reasonably straightforward.

I have just about given up reporting scans from Windows trojans; currently I know of nearly 200 addresses (mostly in the same /8 address space as us) which are engaging in slow scans of udp 137 or tcp 524. What I have been doing recently is picking a batch of reports from a single site and firing off a quick note saying "I think the following machines may be infected with a worm..."

When I last looked at my list there were a couple of /16s that had > 10 addresses scanning. The highest ratio was about 20 machines in a single /26. I reported that, never heard back, but the addresses shortly disappeared from my list.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
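The batching described in the message above (grouping scanning addresses by enclosing /16 or /26 and sending one note per site) can be sketched as follows. This is an added example, not part of the original post and not the poster's Perl scripts; the record layout, function names and sample addresses (documentation ranges) are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (source address, protocol, destination port);
# addresses come from documentation ranges, not from real scan sources.
SAMPLE_SCANS = [
    ("192.0.2.5", "udp", 137), ("192.0.2.9", "udp", 137),
    ("192.0.2.17", "tcp", 524), ("192.0.2.40", "udp", 137),
    ("192.0.2.200", "udp", 137), ("198.51.100.7", "tcp", 524),
    ("203.0.113.77", "udp", 137), ("192.0.2.5", "tcp", 524),
]

def group_by_prefix(scans, prefix_len):
    """Map each enclosing network of the given size to its distinct scanning hosts."""
    groups = defaultdict(set)
    for src, _proto, _port in scans:
        # strict=False masks the host bits, giving the network the host sits in.
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        groups[net].add(ipaddress.ip_address(src))
    return groups

def busiest_networks(scans, prefix_len, min_hosts):
    """Networks with at least min_hosts distinct sources, densest first."""
    groups = group_by_prefix(scans, prefix_len)
    hits = [(net, sorted(hosts)) for net, hosts in groups.items()
            if len(hosts) >= min_hosts]
    return sorted(hits, key=lambda item: (-len(item[1]), item[0]))

def draft_note(net, hosts, scans):
    """Build one batched report body covering every scanning host in a network."""
    lines = [f"I think the following machines in {net} may be infected with a worm:", ""]
    for host in hosts:
        services = sorted({f"{proto}/{port}" for src, proto, port in scans
                           if src == str(host)})
        lines.append(f"  {host}  scanning {', '.join(services)}")
    return "\n".join(lines)

if __name__ == "__main__":
    # One note per /26 that has three or more distinct scanning hosts.
    for net, hosts in busiest_networks(SAMPLE_SCANS, 26, 3):
        print(draft_note(net, hosts, SAMPLE_SCANS))
```

Counting distinct hosts rather than raw records keeps a single noisy machine from pushing its network over the reporting threshold.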