Nmap Announce mailing list archives
Intrusion Detection was Detected NMAP scan
From: "Frank W. Keeney" <FKeeney () hsa com>
Date: Wed, 6 Jan 1999 15:51:03 -0800
I hope you don't think this is too far off topic. I'm looking for a script or program that will do the following:

1. Extract UNIX syslog by source ip address.
2. Do an nslookup.
3. Do a "whois x.x.x.x () whois arin net". Do further queries to apnic.net or ripe.net if necessary.
4. Traceroute source ip address.
5. Using the whois, traceroute and nslookup information, list email addresses. Plus abuse@domains etc.
6. Merge all the information into a nice neat file to be mailed.

If someone does not already have something like this I'll write it. With the "serious" scans/attempts I do this manually.

Note this example is a "strong" access list on a Cisco router logged to syslog:
http://www.pasadena.net/cisco/secure.html

Here is a sample of what I normally send out:

-----------------------------------
To: abuse@domain, userINwhois@domain, security@domain
Subject: Network Security Violation - 123.24.104.81

We detected the following break-in attempts from your network. Please do what is necessary to stop these attempts:

Date Time (PST)                                    Source Port          Destination Port
------------------------------------------------------------------------------------------
Jan 6 08:32:22.836 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(6280) -> 169.254.104.135(23), 1 packet
Jan 6 08:38:13.938 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(6280) -> 169.254.104.135(23), 1 packet
Jan 6 08:32:28.101 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(7086) -> 169.254.104.135(80), 1 packet
Jan 6 08:32:32.881 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(8309) -> 169.254.104.135(143), 1 packet
Jan 6 08:32:36.710 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(8319) -> 169.254.104.133(143), 1 packet
Jan 6 08:32:39.006 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(9116) -> 169.254.104.135(110), 1 packet
Jan 6 08:32:40.050 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(9377) -> 169.254.104.133(110), 1 packet

nslookup 123.24.104.81
Name:    dumbhacker.xxxxxxx.ch
Address: 123.24.104.81

whois 123.24.104.81 () whois ripe net
[joshua.ripe.net]
% Rights restricted by copyright. See http://www.ripe.net/db/dbcopyright.html

inetnum:      123.24.104.0 - 123.24.104.255
netname:      SFA-HRC
descr:        technologie SA
descr:        Renens, Switzerland
country:      CH
admin-c:      JD10-RIPE
tech-c:       ML1106
status:       ASSIGNED PA
changed:      peter.zopfi () xxxxxxx ch 980414
source:       RIPE

route:        192.141.0.0/16
descr:        CH-xxxxxx-970513
origin:       AS6730
mnt-by:       AS6730-MNT
changed:      markus () xxxxxxx ch 980113
source:       RIPE

person:       Jean-Marc Dupuis
address:      Rue du Lac 18
address:      CH-1020 Renens
address:      Switzerland
phone:        +41 21 635 8523
fax-no:       +41 21 634 8742
e-mail:       dupuis () xxxxxxx ch
nic-hdl:      JD10-RIPE
changed:      noc () xxxxxxx ch 961211
source:       RIPE

person:       Ludovic Moreau
address:      Communications
address:      Av. des Baumettes 3
address:      CH-1020 Renens
address:      Switzerland
phone:        +41 21 632 9363
fax-no:       +41 21 632 9364
e-mail:       moreau () xxxxxxx ch
nic-hdl:      ML1106
changed:      stalder () xxxxxxx ch 960811
source:       RIPE

traceroute to 123.24.104.81 (123.24.104.81), 30 hops max, 40 byte packets
 1  netgwb (205.227.188.1)  6 ms  5 ms  4 ms
 2  s8-3.oakland-cr2.bbnplanet.net (4.0.68.77)  12 ms  10 ms  9 ms
 3  f0-0.oakland-br1.bbnplanet.net (4.0.16.1)  12 ms  12 ms  10 ms
 4  h2-0-0.paloalto-br1.bbnplanet.net (4.0.1.61)  16 ms  12 ms  11 ms
 5  p2-0.paloalto-nbr1.bbnplanet.net (4.0.2.193)  13 ms  12 ms  11 ms
 6  p6-0-0.paix.bbnplanet.net (4.0.1.50)  13 ms  13 ms  12 ms
 7  Fddi11-0-0.BR1.PAO1.Alter.NET (137.39.250.245)  14 ms  15 ms  12 ms
 8  109.ATM2-0.XR2.PAO1.ALTER.NET (146.188.148.102)  15 ms  14 ms  12 ms
 9  188.ATM2-0.TR2.SCL1.ALTER.NET (146.188.147.130)  15 ms  15 ms  14 ms
10  107.ATM6-0.TR2.EWR1.ALTER.NET (146.188.137.69)  84 ms  83 ms  82 ms
11  296.ATM7-0.XR2.NYC1.ALTER.NET (146.188.178.237)  84 ms  89 ms  85 ms
12  194.ATM5-0-0.GW1.NYC5.ALTER.NET (146.188.177.233)  88 ms  85 ms  84 ms
13  321.ATM4-0-0.BR2.NYC5.Alter.Net (137.39.30.110)  89 ms  85 ms  86 ms
14  225.ATM8-0-0.CR2.ZUR3.Alter.Net (146.188.6.102)  193 ms  191 ms  189 ms
15  312.ATM2-0-0.GW2.ZUR3.Alter.Net (146.188.6.62)  192 ms  193 ms  188 ms
16  gw.customer.ALTER.NET (136.188.33.194)  423 ms  483 ms  512 ms
17  192.141.225.105 (192.141.225.105)  509 ms  655 ms  691 ms
18  192.141.240.206 (192.141.240.206)  661 ms  466 ms  399 ms
19  xxxxxxx-renens.xxxxxxx.ch (192.141.240.62)  355 ms  332 ms  412 ms
20  123.xxxxxxx.ch (192.141.26.2)  352 ms  363 ms  305 ms
21  1234.xxxxxxx.ch (192.246.108.1)  308 ms  383 ms  411 ms
22  123456.xxxxxxx.ch (192.246.108.80)  600 ms  430 ms  737 ms
23  123.24.104.2 (123.24.104.2)  439 ms  548 ms  489 ms
24  123.24.104.81 (123.24.104.81)  732 ms  536 ms  625 ms
-----------------------------------

+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Frank Keeney, Network Services, Home Savings of America
+1 626-814-5080  mailto:fkeeney () hsa com
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

----------
From: Lance Spitzner [SMTP:spitzner () dimension net]
Sent: Wednesday, January 06, 1999 3:16 PM
To: Lamont Granquist
Cc: David G. Andersen; joff () newmonics com; Frank W. Keeney; 'nmap-hackers () insecure org'
Subject: RE: Detected NMAP scan

On Wed, 6 Jan 1999, Lamont Granquist wrote:

> Also, I've been noticing that while the script kiddies tend to use
> something like mscan and really pound on your machine that there are some
> more sophisticated people out there who are portscanning for specific
> services and are not scanning over a range. Therefore any of these
> detection methods that rely on X number of hits to closed ports in Y time
> units is going to fail to stop them.

I agree with you fully on this. I've done quite a few firewalls. I set these up for automated intrusion detection, listening on specific ports, such as imap, pop3, zone transfers, http, etc. If you're interested, check it out at http://www.enteract.com/~lspitz/intrusion.html

Lance Spitzner
http://www.enteract.com/~lspitz
Internetworking & Security Engineer
Dimension Enterprises Inc
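The six-step workflow Frank asks for above (extract syslog entries per source address, look the address up, collect contacts, merge into a mailable report) is straightforward to script. The block below is an added example written for this page; it is not Frank's script, nor anything posted to the list. It parses Cisco %SEC-6-IPACCESSLOGP lines of the exact shape shown in the post, groups denied entries per source address, pulls every e-mail: attribute out of RIPE-style whois output, derives abuse@/security@ addresses from the reverse-DNS name, and assembles the notification. The nslookup/whois/traceroute steps are pluggable callables: the defaults shell out to the system resolver and the whois and traceroute binaries (assumed present on a Unix host), while the embedded demo uses constructed stand-ins so it runs offline. The log lines, the whois record and the names host23.example.ch / example.ch in it are constructed sample data, not taken from the post.

```python
import re
import socket
import subprocess
from collections import defaultdict

# Cisco ACL log line as seen in the post, e.g.
# "Jan  6 08:32:22.836 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 1.2.3.4(6280) -> 5.6.7.8(23), 1 packet"
ACL_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+\s+\w+): %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>\w+) (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)
# One "key: value" attribute line of RIPE-style whois output.
WHOIS_ATTR = re.compile(r"^(?P<key>[\w-]+):\s+(?P<val>.+?)\s*$")


def parse_acl_line(line):
    """Return the fields of one IPACCESSLOGP line, or None if the line is something else."""
    m = ACL_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "count"):
        rec[k] = int(rec[k])
    return rec


def group_by_source(lines):
    """Step 1 of the post: collect the denied entries for each source address."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_acl_line(line)
        if rec and rec["action"] == "denied":
            by_src[rec["src"]].append(rec)
    return dict(by_src)


def whois_contacts(whois_text):
    """Step 5: every e-mail: attribute in the whois output, lower-cased, de-duplicated, in order."""
    found = []
    for line in whois_text.splitlines():
        m = WHOIS_ATTR.match(line)
        if m and m.group("key").lower() == "e-mail":
            addr = m.group("val").lower()
            if addr not in found:
                found.append(addr)
    return found


def abuse_addresses(hostname):
    """abuse@/security@ for the PTR name's domain (assumption: the last two labels are the domain)."""
    labels = hostname.rstrip(".").split(".")
    if len(labels) < 2:
        return []
    domain = ".".join(labels[-2:])
    return [f"abuse@{domain}", f"security@{domain}"]


# Live lookups for steps 2-4 (assumed: a Unix host with whois and traceroute on PATH).
def resolve_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ip  # no PTR record: fall back to the bare address


def run_tool(args):
    try:
        return subprocess.run(args, capture_output=True, text=True, timeout=60).stdout
    except (OSError, subprocess.SubprocessError):
        return ""


def build_report(src, records, ptr=resolve_ptr, whois=None, traceroute=None):
    """Step 6: merge lookups and log entries into one message ready to mail."""
    whois = whois or (lambda ip: run_tool(["whois", "-h", "whois.ripe.net", ip]))
    traceroute = traceroute or (lambda ip: run_tool(["traceroute", ip]))
    hostname = ptr(src)
    recipients = []
    for a in abuse_addresses(hostname) + whois_contacts(whois(src)):
        if a not in recipients:
            recipients.append(a)
    ports = sorted({r["dport"] for r in records})
    body = [f"To: {', '.join(recipients)}",
            f"Subject: Network Security Violation - {src}", "",
            f"We detected the following break-in attempts from your network ({hostname}).",
            "Please do what is necessary to stop these attempts:", "",
            "Date/Time                 Source                 Destination         Packets"]
    for r in records:
        body.append(f"{r['ts']:<25} {r['src']}:{r['sport']:<5} -> {r['dst']}:{r['dport']:<5} {r['count']}")
    body += ["", "Traceroute:", traceroute(src).rstrip()]
    return {"to": recipients, "ports": ports, "text": "\n".join(body)}


# Constructed sample input for the offline demo (RFC 5737 documentation addresses; example.ch is a placeholder).
SAMPLE_LOG = [
    "Jan  6 08:32:22.836 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.23(6280) -> 192.0.2.10(23), 1 packet",
    "Jan  6 08:32:28.101 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.23(7086) -> 192.0.2.10(80), 1 packet",
    "Jan  6 08:32:32.881 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.23(8309) -> 192.0.2.10(143), 1 packet",
    "Jan  6 08:32:39.006 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.23(9116) -> 192.0.2.10(110), 2 packets",
    "Jan  6 08:40:01.000 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(1025) -> 192.0.2.10(23), 1 packet",
    "Jan  6 08:41:00.000 PST: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.9(2000) -> 192.0.2.10(25), 1 packet",
    "this line is not an ACL log entry",
]
SAMPLE_WHOIS = """\
% Rights restricted by copyright.
inetnum:      198.51.100.0 - 198.51.100.255
netname:      EXAMPLE-NET
country:      CH
admin-c:      AB1-RIPE
source:       RIPE

person:       Admin Person
e-mail:       admin@example.ch
nic-hdl:      AB1-RIPE
source:       RIPE

person:       NOC Contact
e-mail:       NOC@example.ch
nic-hdl:      NC2-RIPE
source:       RIPE
"""


def demo_report():
    """Whole pipeline on the constructed sample, with offline stand-ins for the three lookups."""
    groups = group_by_source(SAMPLE_LOG)
    return build_report("198.51.100.23", groups["198.51.100.23"],
                        ptr=lambda ip: "host23.example.ch",
                        whois=lambda ip: SAMPLE_WHOIS,
                        traceroute=lambda ip: " 1  gw.example.net (192.0.2.1)  2 ms\n"
                                              " 2  host23.example.ch (198.51.100.23)  30 ms\n")


if __name__ == "__main__":
    print(demo_report()["text"])
```

Two details matter in practice: `permitted` entries are dropped so the report only carries the denied attempts, and lines that do not match the IPACCESSLOGP format are ignored rather than crashing the run, since a production syslog file mixes many message types.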