Nmap Announce mailing list archives

Intrusion Detection was Detected NMAP scan


From: "Frank W. Keeney" <FKeeney () hsa com>
Date: Wed, 6 Jan 1999 15:51:03 -0800

I hope you don't think this is too far off topic.

I'm looking for a script or program that will do the following:

1.      Extract UNIX syslog by source ip address.
2.      Do an nslookup.
3.      Do a "whois x.x.x.x () whois arin net". Do further queries to apnic.net or ripe.net if necessary.
4.      Traceroute source ip address.
5.      Using the whois, traceroute and nslookup information, list email addresses, plus abuse@domains etc.
6.      Merge all the information into a nice neat file to be mailed.

If someone does not already have something like this I'll write it.

With the "serious" scans/attempts I do this manually. Note this example
is a "strong" access list on a Cisco router logged to syslog
http://www.pasadena.net/cisco/secure.html

Here is a sample of what I normally send out:

-----------------------------------
To: abuse@domain, userINwhois@domain, security@domain

Subject: Network Security Violation - 123.24.104.81

We detected the following break in attempts from your network.

Please do what is necessary to stop these attempts:

Date   Time (PST)                                      Source Port      Destination Port
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Jan  6 08:32:22.836 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(6280) -> 169.254.104.135(23), 1 packet
Jan  6 08:38:13.938 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(6280) -> 169.254.104.135(23), 1 packet
Jan  6 08:32:28.101 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(7086) -> 169.254.104.135(80), 1 packet
Jan  6 08:32:32.881 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(8309) -> 169.254.104.135(143), 1 packet
Jan  6 08:32:36.710 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(8319) -> 169.254.104.133(143), 1 packet
Jan  6 08:32:39.006 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(9116) -> 169.254.104.135(110), 1 packet
Jan  6 08:32:40.050 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(9377) -> 169.254.104.133(110), 1 packet


nslookup 123.24.104.81

Name:    dumbhacker.xxxxxxx.ch
Address: 123.24.104.81


whois 123.24.104.81 () whois ripe net
[joshua.ripe.net]

% Rights restricted by copyright. See
http://www.ripe.net/db/dbcopyright.html

inetnum:     123.24.104.0 - 123.24.104.255
netname:     SFA-HRC
descr:       technologie SA
descr:       Renens, Switzerland
country:     CH
admin-c:     JD10-RIPE
tech-c:      ML1106
status:      ASSIGNED PA
changed:     peter.zopfi () xxxxxxx ch 980414
source:      RIPE

route:       192.141.0.0/16
descr:       CH-xxxxxx-970513
origin:      AS6730
mnt-by:      AS6730-MNT
changed:     markus () xxxxxxx ch 980113
source:      RIPE

person:      Jean-Marc Dupuis
address:     Rue du Lac 18
address:     CH-1020 Renens
address:     Switzerland
phone:       +41 21 635 8523
fax-no:      +41 21 634 8742
e-mail:      dupuis () xxxxxxx ch
nic-hdl:     JD10-RIPE
changed:     noc () xxxxxxx ch 961211
source:      RIPE

person:      Ludovic Moreau
address:     Communications
address:     Av. des Baumettes 3
address:     CH-1020 Renens
address:     Switzerland
phone:       +41 21 632 9363
fax-no:      +41 21 632 9364
e-mail:      moreau () xxxxxxx ch
nic-hdl:     ML1106
changed:     stalder () xxxxxxx ch 960811
source:      RIPE


traceroute to 123.24.104.81 (123.24.104.81), 30 hops max, 40 byte packets
 1  netgwb (205.227.188.1)  6 ms  5 ms  4 ms
 2  s8-3.oakland-cr2.bbnplanet.net (4.0.68.77)  12 ms  10 ms  9 ms
 3  f0-0.oakland-br1.bbnplanet.net (4.0.16.1)  12 ms  12 ms  10 ms
 4  h2-0-0.paloalto-br1.bbnplanet.net (4.0.1.61)  16 ms  12 ms  11 ms
 5  p2-0.paloalto-nbr1.bbnplanet.net (4.0.2.193)  13 ms  12 ms  11 ms
 6  p6-0-0.paix.bbnplanet.net (4.0.1.50)  13 ms  13 ms  12 ms
 7  Fddi11-0-0.BR1.PAO1.Alter.NET (137.39.250.245)  14 ms  15 ms  12 ms
 8  109.ATM2-0.XR2.PAO1.ALTER.NET (146.188.148.102)  15 ms  14 ms  12 ms
 9  188.ATM2-0.TR2.SCL1.ALTER.NET (146.188.147.130)  15 ms  15 ms  14 ms
10  107.ATM6-0.TR2.EWR1.ALTER.NET (146.188.137.69)  84 ms  83 ms  82 ms
11  296.ATM7-0.XR2.NYC1.ALTER.NET (146.188.178.237)  84 ms  89 ms  85 ms
12  194.ATM5-0-0.GW1.NYC5.ALTER.NET (146.188.177.233)  88 ms  85 ms  84 ms
13  321.ATM4-0-0.BR2.NYC5.Alter.Net (137.39.30.110)  89 ms  85 ms  86 ms
14  225.ATM8-0-0.CR2.ZUR3.Alter.Net (146.188.6.102)  193 ms  191 ms  189 ms
15  312.ATM2-0-0.GW2.ZUR3.Alter.Net (146.188.6.62)  192 ms  193 ms  188 ms
16  gw.customer.ALTER.NET (136.188.33.194)  423 ms  483 ms  512 ms
17  192.141.225.105 (192.141.225.105)  509 ms  655 ms  691 ms
18  192.141.240.206 (192.141.240.206)  661 ms  466 ms  399 ms
19  xxxxxxx-renens.xxxxxxx.ch (192.141.240.62)  355 ms  332 ms  412 ms
20  123.xxxxxxx.ch (192.141.26.2)  352 ms  363 ms  305 ms
21  1234.xxxxxxx.ch (192.246.108.1)  308 ms  383 ms  411 ms
22  123456.xxxxxxx.ch (192.246.108.80)  600 ms  430 ms  737 ms
23  123.24.104.2 (123.24.104.2)  439 ms  548 ms  489 ms
24  123.24.104.81 (123.24.104.81)  732 ms  536 ms  625 ms


-----------------------------------


+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Frank Keeney, Network Services, Home Savings of America
+1 626-814-5080 mailto:fkeeney () hsa com
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
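As an added example (not Frank's code, nor anything from the list), here is a Python sketch of steps 1, 5 and 6 of the list above: it parses the Cisco %SEC-6-IPACCESSLOGP lines from the sample, keeps only those from one source address, derives abuse@/security@ contacts from the reverse-DNS name, and assembles the mail body. The hostname, the extra 192.0.2.7 entry and the e-mail addresses are constructed; the nslookup, whois and traceroute steps need network access and are left out.

```python
import re

# Cisco IOS access-list deny record, one per line, as in the sample above.
LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>[\d:.]+) (?P<tz>\w+): "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)

# Constructed sample: three lines from the post plus one from another source.
SAMPLE_LOG = """\
Jan  6 08:32:22.836 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(6280) -> 169.254.104.135(23), 1 packet
Jan  6 08:32:28.101 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(7086) -> 169.254.104.135(80), 1 packet
Jan  6 08:32:32.881 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(8309) -> 169.254.104.135(143), 1 packet
Jan  6 08:33:01.000 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.7(40000) -> 169.254.104.135(22), 1 packet
""".splitlines()

def parse_line(line):
    """Return the record's fields as a dict, or None if the line is not an ACL deny."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def entries_for_source(lines, src_ip):
    """Step 1: keep only the deny records whose source address is src_ip."""
    recs = (parse_line(l) for l in lines)
    return [r for r in recs if r and r["src"] == src_ip]

def abuse_contacts(hostname, extra=()):
    """Step 5 (offline part): abuse@/security@ of the reverse-DNS domain plus
    any addresses pulled from the whois record (passed in as `extra`)."""
    domain = ".".join(hostname.rstrip(".").split(".")[-2:])
    return sorted({f"abuse@{domain}", f"security@{domain}", *extra})

def build_report(records, src_ip, contacts):
    """Step 6: merge everything into the text that gets mailed."""
    head = [f"To: {', '.join(contacts)}", "",
            f"Subject: Network Security Violation - {src_ip}", "",
            "We detected the following break in attempts from your network.", "",
            f"{'Date':<8}{'Time (PST)':<14}{'Src Port':<10}{'Dst Port':<10}Packets",
            "-" * 52]
    rows = [f"{r['mon']} {int(r['day']):>2}  {r['time']:<14}{r['sport']:<10}"
            f"{r['dport']:<10}{r['count']}"
            for r in sorted(records, key=lambda r: r["time"])]
    return "\n".join(head + rows)

if __name__ == "__main__":
    hits = entries_for_source(SAMPLE_LOG, "123.24.104.81")
    to = abuse_contacts("dumbhacker.example.ch", ["dupuis@example.ch"])
    print(build_report(hits, "123.24.104.81", to))
```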


        ----------
        From:  Lance Spitzner [SMTP:spitzner () dimension net]
        Sent:  Wednesday, January 06, 1999 3:16 PM
        To:  Lamont Granquist
        Cc:  David G. Andersen; joff () newmonics com; Frank W. Keeney; 'nmap-hackers () insecure org'
        Subject:  RE: Detected NMAP scan

        On Wed, 6 Jan 1999, Lamont Granquist wrote:

        > Also, I've been noticing that while the script kiddies tend to use
        > something like mscan and really pound on your machine that there are some
        > more sophisticated people out there who are portscanning for specific
        > services and are not scanning over a range.  Therefore any of these
        > detection methods that rely on X number of hits to closed ports in Y time
        > units is going to fail to stop them.

        I agree with you fully on this.  I've done quite a few firewalls.  I set these
        up for automated intrusion detection, listening on specific ports, such as
        imap, pop3, zone transfers, http, etc.  If you're interested, check it out at
        http://www.enteract.com/~lspitz/intrusion.html

        Lance Spitzner
        http://www.enteract.com/~lspitz
        Internetworking & Security Engineer
        Dimension Enterprises Inc