Penetration Testing mailing list archives

Looking for formal definition of suspicious network activity events


From: "Jostein S. Trondal" <jostein.trondal () sikkerhet no>
Date: Thu, 31 May 2001 10:02:07 +0200

I am trying to make definitions for suspicious network activity
events that are relatively easy to classify. A formal definition
for a sweep might be as follows:

From a portion of logged packet-headers;

    1 or more unique source-addresses in the same (low level) netblock
&   2 or more unique destination addresses in the same (low level) netblock
&   1 unique destination-port
&   Only SYN flags
------------------------------------------------------
= Sweep after a service on the unique destination-port

Example:

date                 source      port     dest        port  flags
2001.05.30 10:46:00  x.y.150.72   3077    a.b.216.34  111   S
2001.05.30 10:46:00  x.y.150.72   3078    a.b.216.35  111   S
2001.05.30 10:46:00  x.y.150.72   3079    a.b.216.36  111   S
2001.05.30 10:46:00  x.y.150.72   3084    a.b.216.40  111   S
2001.05.30 10:46:00  x.y.150.72   3085    a.b.216.41  111   S
2001.05.30 10:46:00  x.y.150.72   3086    a.b.216.42  111   S
2001.05.30 10:58:00  x.y.152.144 15087    a.b.216.43  111   S
2001.05.30 10:58:00  x.y.152.144 15088    a.b.216.44  111   S
2001.05.30 10:58:00  x.y.152.144 15089    a.b.216.45  111   S
2001.05.30 10:58:00  x.y.152.144 15090    a.b.216.46  111   S
2001.05.30 10:58:00  x.y.152.144 15091    a.b.216.47  111   S
2001.05.30 10:58:00  x.y.152.144 15104    a.b.216.60  111   S
2001.05.30 10:58:00  x.y.152.144 15105    a.b.216.61  111   S
2001.05.30 10:58:00  x.y.152.144 15106    a.b.216.62  111   S
2001.05.30 10:58:00  x.y.152.144 15107    a.b.216.63  111   S

Following the definition above, this would be a "Sweep after SunRPC"
given that x.y.150.72 and x.y.152.144 are contained in the same netblock.

Has anyone else made similar formal definitions for other types of activity?

Any input is appreciated!



-- 
Jostein Trondal - System Sikkerhet
 jostein.trondal () sikkerhet no
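The four-condition sweep rule in the post, written out as a small classifier and run over the post's own example log. This is an added illustration, not code from the original message or from the poster. It assumes the "(low level) netblock" is a /16 for sources and a /24 for destinations (both are parameters), and it substitutes RFC 1918 addresses for the post's "x.y" and "a.b" placeholder octets so the lines parse; the service name for port 111 comes from the post ("SunRPC"). Grouping packets into "a portion of logged packet-headers" (a time window or per-source-block bucket) is left to the caller, as the post leaves it unspecified.

```python
import ipaddress
from collections import namedtuple

# Constructed sample in the layout of the post's example. The post's
# placeholder octets "x.y" (sources) and "a.b" (destinations) are replaced
# by 10.1.x.x and 10.9.x.x so the addresses parse; nothing here is real.
SWEEP_LOG = """\
date                 source      port     dest        port  flags
2001.05.30 10:46:00  10.1.150.72   3077    10.9.216.34  111   S
2001.05.30 10:46:00  10.1.150.72   3078    10.9.216.35  111   S
2001.05.30 10:46:00  10.1.150.72   3079    10.9.216.36  111   S
2001.05.30 10:46:00  10.1.150.72   3084    10.9.216.40  111   S
2001.05.30 10:46:00  10.1.150.72   3085    10.9.216.41  111   S
2001.05.30 10:46:00  10.1.150.72   3086    10.9.216.42  111   S
2001.05.30 10:58:00  10.1.152.144 15087    10.9.216.43  111   S
2001.05.30 10:58:00  10.1.152.144 15088    10.9.216.44  111   S
2001.05.30 10:58:00  10.1.152.144 15089    10.9.216.45  111   S
2001.05.30 10:58:00  10.1.152.144 15090    10.9.216.46  111   S
2001.05.30 10:58:00  10.1.152.144 15091    10.9.216.47  111   S
2001.05.30 10:58:00  10.1.152.144 15104    10.9.216.60  111   S
2001.05.30 10:58:00  10.1.152.144 15105    10.9.216.61  111   S
2001.05.30 10:58:00  10.1.152.144 15106    10.9.216.62  111   S
2001.05.30 10:58:00  10.1.152.144 15107    10.9.216.63  111   S
"""

# Constructed ordinary client traffic: two services and an ACK of an
# established connection, so the single-port and SYN-only conditions fail.
NOISE_LOG = """\
2001.05.30 11:00:00  10.1.150.72   4001    10.9.216.34   80   S
2001.05.30 11:00:00  10.1.150.72   4002    10.9.216.35  443   S
2001.05.30 11:00:01  10.1.150.72   4001    10.9.216.34   80   A
"""

Packet = namedtuple("Packet", "ts src sport dst dport flags")

# Service label for the post's example; 111/tcp is the SunRPC portmapper.
SERVICES = {111: "SunRPC"}


def parse_log(text):
    """Parse header lines of the form: date time src sport dst dport flags."""
    packets = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("date"):
            continue
        date, time, src, sport, dst, dport, flags = line.split()
        packets.append(Packet(f"{date} {time}",
                              ipaddress.IPv4Address(src), int(sport),
                              ipaddress.IPv4Address(dst), int(dport), flags))
    return packets


def netblock(addr, prefix):
    """Containing network of an address at the given prefix length."""
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def classify_sweep(packets, src_prefix=16, dst_prefix=24):
    """Apply the post's four conjunctive conditions to a batch of packets.

    Returns a small summary dict when the batch is a sweep, else None.
    The prefix lengths are this example's assumption for "low level netblock".
    """
    if not packets:
        return None
    src_blocks = {netblock(p.src, src_prefix) for p in packets}
    dst_blocks = {netblock(p.dst, dst_prefix) for p in packets}
    dst_addrs = {p.dst for p in packets}
    dports = {p.dport for p in packets}
    flags = {p.flags for p in packets}

    if len(src_blocks) != 1:                 # sources share one netblock
        return None
    if len(dst_blocks) != 1 or len(dst_addrs) < 2:   # 2+ dests, one netblock
        return None
    if len(dports) != 1:                     # exactly one destination port
        return None
    if flags != {"S"}:                       # only SYN flags seen
        return None

    port = next(iter(dports))
    return {"kind": "sweep", "port": port,
            "service": SERVICES.get(port, f"port {port}"),
            "sources": len({p.src for p in packets}),
            "destinations": len(dst_addrs)}


if __name__ == "__main__":
    print(classify_sweep(parse_log(SWEEP_LOG)))
    print(classify_sweep(parse_log(NOISE_LOG)))
```

Because the rule is a conjunction, the batch boundary decides the outcome: a batch that mixes the sweep with the noise lines above fails the single-port condition, so a deployment would evaluate the rule per source netblock and per time window, which is exactly the part of the definition the post leaves open.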

