Nmap Announce mailing list archives

Re: Intrusion Detection was Detected NMAP scan


From: "David G. Andersen" <danderse () cs utah edu>
Date: Wed, 6 Jan 1999 17:20:25 -0700 (MST)


I can definitely see the utility of this.  You may wish to talk to the 
folks at all.net - I know they have at least some of this
functionality (doing a whois, sending the nastygram) done
when you annoy their telnet daemon, etc.

(http://www.all.net/)

I'm not sure if this is a part of their deception toolkit or not - I
haven't really kept up to date on their work.

   -Dave

Lo and Behold, Frank W. Keeney said:
I hope you don't think this is too far off topic.

I'm looking for a script or program that will do the following:

1.    Extract UNIX syslog by source ip address.
2.    Do a nslookup.
3.    Do a "whois x.x.x.x () whois arin net". Do further queries to
      apnic.net or ripe.net if necessary.
4.    Traceroute source ip address.
5.    Using the whois, traceroute and nslookup information, list email
      addresses. Plus abuse@domains etc.
6.    Merge all the information into a nice neat file to be mailed.

If someone does not already have something like this I'll write it.

With the "serious" scans/attempts I do this manually. Note that this example
is from a "strong" access list on a Cisco router, logged to syslog:
http://www.pasadena.net/cisco/secure.html

Here is a sample of what I normally send out:

-----------------------------------
To: abuse@domain, userINwhois@domain, security@domain

Subject: Network Security Violation - 123.24.104.81

We detected the following break-in attempts from your network.

Please do what is necessary to stop these attempts:

Date   Time (PST)                                                 Source Port      Destination Port
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Jan  6 08:32:22.836 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(6280) -> 169.254.104.135(23), 1 packet
Jan  6 08:38:13.938 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(6280) -> 169.254.104.135(23), 1 packet
Jan  6 08:32:28.101 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(7086) -> 169.254.104.135(80), 1 packet
Jan  6 08:32:32.881 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(8309) -> 169.254.104.135(143), 1 packet
Jan  6 08:32:36.710 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(8319) -> 169.254.104.133(143), 1 packet
Jan  6 08:32:39.006 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(9116) -> 169.254.104.135(110), 1 packet
Jan  6 08:32:40.050 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 123.24.104.81(9377) -> 169.254.104.133(110), 1 packet


nslookup 123.24.104.81

Name:    dumbhacker.xxxxxxx.ch
Address: 123.24.104.81


whois 123.24.104.81 () whois ripe net
[joshua.ripe.net]

% Rights restricted by copyright. See
http://www.ripe.net/db/dbcopyright.html

inetnum:     123.24.104.0 - 123.24.104.255
netname:     SFA-HRC
descr:       technologie SA
descr:       Renens, Switzerland
country:     CH
admin-c:     JD10-RIPE
tech-c:      ML1106
status:      ASSIGNED PA
changed:     peter.zopfi () xxxxxxx ch 980414
source:      RIPE

route:       192.141.0.0/16
descr:       CH-xxxxxx-970513
origin:      AS6730
mnt-by:      AS6730-MNT
changed:     markus () xxxxxxx ch 980113
source:      RIPE

person:      Jean-Marc Dupuis
address:     Rue du Lac 18
address:     CH-1020 Renens
address:     Switzerland
phone:       +41 21 635 8523
fax-no:      +41 21 634 8742
e-mail:      dupuis () xxxxxxx ch
nic-hdl:     JD10-RIPE
changed:     noc () xxxxxxx ch 961211
source:      RIPE

person:      Ludovic Moreau
address:     Communications
address:     Av. des Baumettes 3
address:     CH-1020 Renens
address:     Switzerland
phone:       +41 21 632 9363
fax-no:      +41 21 632 9364
e-mail:      moreau () xxxxxxx ch
nic-hdl:     ML1106
changed:     stalder () xxxxxxx ch 960811
source:      RIPE


traceroute to 123.24.104.81 (123.24.104.81), 30 hops max, 40 byte packets
 1  netgwb (205.227.188.1)  6 ms  5 ms  4 ms
 2  s8-3.oakland-cr2.bbnplanet.net (4.0.68.77)  12 ms  10 ms  9 ms
 3  f0-0.oakland-br1.bbnplanet.net (4.0.16.1)  12 ms  12 ms  10 ms
 4  h2-0-0.paloalto-br1.bbnplanet.net (4.0.1.61)  16 ms  12 ms  11 ms
 5  p2-0.paloalto-nbr1.bbnplanet.net (4.0.2.193)  13 ms  12 ms  11 ms
 6  p6-0-0.paix.bbnplanet.net (4.0.1.50)  13 ms  13 ms  12 ms
 7  Fddi11-0-0.BR1.PAO1.Alter.NET (137.39.250.245)  14 ms  15 ms  12 ms
 8  109.ATM2-0.XR2.PAO1.ALTER.NET (146.188.148.102)  15 ms  14 ms  12 ms
 9  188.ATM2-0.TR2.SCL1.ALTER.NET (146.188.147.130)  15 ms  15 ms  14 ms
10  107.ATM6-0.TR2.EWR1.ALTER.NET (146.188.137.69)  84 ms  83 ms  82 ms
11  296.ATM7-0.XR2.NYC1.ALTER.NET (146.188.178.237)  84 ms  89 ms  85 ms
12  194.ATM5-0-0.GW1.NYC5.ALTER.NET (146.188.177.233)  88 ms  85 ms  84 ms
13  321.ATM4-0-0.BR2.NYC5.Alter.Net (137.39.30.110)  89 ms  85 ms  86 ms
14  225.ATM8-0-0.CR2.ZUR3.Alter.Net (146.188.6.102)  193 ms  191 ms  189 ms
15  312.ATM2-0-0.GW2.ZUR3.Alter.Net (146.188.6.62)  192 ms  193 ms  188 ms
16  gw.customer.ALTER.NET (136.188.33.194)  423 ms  483 ms  512 ms
17  192.141.225.105 (192.141.225.105)  509 ms  655 ms  691 ms
18  192.141.240.206 (192.141.240.206)  661 ms  466 ms  399 ms
19  xxxxxxx-renens.xxxxxxx.ch (192.141.240.62)  355 ms  332 ms  412 ms
20  123.xxxxxxx.ch (192.141.26.2)  352 ms  363 ms  305 ms
21  1234.xxxxxxx.ch (192.246.108.1)  308 ms  383 ms  411 ms
22  123456.xxxxxxx.ch (192.246.108.80)  600 ms  430 ms  737 ms
23  123.24.104.2 (123.24.104.2)  439 ms  548 ms  489 ms
24  123.24.104.81 (123.24.104.81)  732 ms  536 ms  625 ms


-----------------------------------


+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Frank Keeney, Network Services, Home Savings of America
+1 626-814-5080 mailto:fkeeney () hsa com
+++++++++++++++++++++++++++++++++++++++++++++++++++++++


      ----------
      From:  Lance Spitzner [SMTP:spitzner () dimension net]
      Sent:  Wednesday, January 06, 1999 3:16 PM
      To:  Lamont Granquist
      Cc:  David G. Andersen; joff () newmonics com; Frank W. Keeney; 'nmap-hackers () insecure org'
      Subject:  RE: Detected NMAP scan

      On Wed, 6 Jan 1999, Lamont Granquist wrote:

      > Also, I've been noticing that while the script kiddies tend to use
      > something like mscan and really pound on your machine that there are some
      > more sophisticated people out there who are portscanning for specific
      > services and are not scanning over a range.  Therefore any of these
      > detection methods that rely on X number of hits to closed ports in Y time
      > units is going to fail to stop them.

      I agree with you fully on this.  I've done quite a few firewalls.  I set these
      up for automated intrusion detection, listening on specific ports, such as
      imap, pop3, zone transfers, http, etc.  If you're interested, check it out at
      http://www.enteract.com/~lspitz/intrusion.html

      Lance Spitzner
      http://www.enteract.com/~lspitz
      Internetworking & Security Engineer
      Dimension Enterprises Inc


-- 
work: danderse () cs utah edu                     me:  angio () pobox com
      University of Utah                            http://www.angio.net/
      Computer Science - Flux Research Group
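
The six-step abuse-report tool Frank W. Keeney describes above, as an added example that is neither his script nor anything else from the thread: it parses the Cisco %SEC-6-IPACCESSLOGP records for one source address, pulls the e-mail attributes out of RIPE-style whois text, adds the conventional abuse@/security@ mailboxes, and merges the result into the notification text. The nslookup and traceroute steps need network access and are left out. The syslog lines, whois text and hostname are constructed sample data in documentation address ranges, not real hosts.

```python
import re
from collections import defaultdict
# Cisco IOS ACL record (the %SEC-6-IPACCESSLOGP format quoted in the thread).
ACL_LOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d(?:\.\d+)?) \S+: %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\d+(?:\.\d+){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)
# RIPE "e-mail:" attribute; no abuse-mailbox attribute existed in 1999, so abuse@ is guessed.
WHOIS_EMAIL = re.compile(r"^e-mail:\s*(\S+@\S+)\s*$", re.MULTILINE | re.IGNORECASE)

def extract_by_source(syslog_text, source_ip):
    """Step 1: keep only the denied records whose source address is source_ip."""
    hits = []
    for line in syslog_text.splitlines():
        m = ACL_LOG.match(line.strip())
        if m and m.group("src") == source_ip:
            hits.append(m.groupdict())
    return hits

def summarize_ports(hits):
    """Destination port -> denied packets, showing which services were probed."""
    ports = defaultdict(int)
    for h in hits:
        ports[int(h["dport"])] += int(h["count"])
    return dict(ports)

def contacts_from_whois(whois_text, hostname):
    """Step 5: whois e-mail addresses plus the conventional abuse@/security@ mailboxes."""
    contacts = {m.lower() for m in WHOIS_EMAIL.findall(whois_text)}
    domain = hostname.split(".", 1)[1] if "." in hostname else hostname
    contacts.update({"abuse@" + domain, "security@" + domain})
    return sorted(contacts)

def build_report(source_ip, hits, contacts):
    """Step 6: merge the pieces into the mail text, keeping the log records as evidence."""
    out = ["To: " + ", ".join(contacts),
           "Subject: Network Security Violation - " + source_ip, "",
           "We detected the following break-in attempts from your network.", ""]
    out += [f"{h['ts']} {h['proto']} {h['src']}:{h['sport']} -> {h['dst']}:{h['dport']}" for h in hits]
    return "\n".join(out)

# Constructed sample data (documentation address ranges, not real hosts).
SAMPLE_SYSLOG = """\
Jan  6 08:32:22.836 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.81(6280) -> 198.51.100.135(23), 1 packet
Jan  6 08:32:36.710 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.81(8319) -> 198.51.100.133(143), 2 packets
Jan  6 08:40:01.004 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(1025) -> 198.51.100.135(23), 1 packet
"""
SAMPLE_WHOIS = "inetnum: 192.0.2.0 - 192.0.2.255\ne-mail: dupuis@example.ch\ne-mail: Moreau@example.ch\n"
```

Records from other source addresses are dropped, so one run produces one report per offending address, which is what the per-domain notification above needs.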

