Penetration Testing mailing list archives
Looking for formal definition of suspicious network activity events
From: "Jostein S. Trondal" <jostein.trondal () sikkerhet no>
Date: Thu, 31 May 2001 10:02:07 +0200
I am trying to make definitions for suspicious network activity events that are relatively easy to classify. A formal definition for a sweep might be as follows:
From a portion of logged packet-headers:

1 or more unique source-addresses in the same (low level) netblock
& 2 or more unique destination addresses in the same (low level) netblock
& 1 unique destination-port
& Only SYN flags
------------------------------------------------------
= Sweep after a service on the unique destination-port

Example:

date       time     source       port  dest        port flags
2001.05.30 10:46:00 x.y.150.72   3077  a.b.216.34  111  S
2001.05.30 10:46:00 x.y.150.72   3078  a.b.216.35  111  S
2001.05.30 10:46:00 x.y.150.72   3079  a.b.216.36  111  S
2001.05.30 10:46:00 x.y.150.72   3084  a.b.216.40  111  S
2001.05.30 10:46:00 x.y.150.72   3085  a.b.216.41  111  S
2001.05.30 10:46:00 x.y.150.72   3086  a.b.216.42  111  S
2001.05.30 10:58:00 x.y.152.144  15087 a.b.216.43  111  S
2001.05.30 10:58:00 x.y.152.144  15088 a.b.216.44  111  S
2001.05.30 10:58:00 x.y.152.144  15089 a.b.216.45  111  S
2001.05.30 10:58:00 x.y.152.144  15090 a.b.216.46  111  S
2001.05.30 10:58:00 x.y.152.144  15091 a.b.216.47  111  S
2001.05.30 10:58:00 x.y.152.144  15104 a.b.216.60  111  S
2001.05.30 10:58:00 x.y.152.144  15105 a.b.216.61  111  S
2001.05.30 10:58:00 x.y.152.144  15106 a.b.216.62  111  S
2001.05.30 10:58:00 x.y.152.144  15107 a.b.216.63  111  S

Following the definition above, this would be a "Sweep after SunRPC", given that x.y.150.72 and x.y.152.144 are contained in the same netblock.

Has anyone else made similar formal definitions for other types of activity? Any input is appreciated!

--
Jostein Trondal - System Sikkerhet
jostein.trondal () sikkerhet no
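The sweep definition above, implemented as a classifier over log lines in the post's column layout. This is an added example, not code from the original post; the "level" of the netblock is left open by the definition, so it is a prefix-length parameter here, and the sample log (private-range addresses, plus a port 80 group with a non-SYN packet) is constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the post's column layout: date time src sport dst dport flags.
# Addresses are made up (sources in 10.0.150.0/24 and 10.0.152.0/24, targets in 10.1.216.0/24).
SAMPLE_LOG = """\
2001.05.30 10:46:00 10.0.150.72 3077 10.1.216.34 111 S
2001.05.30 10:46:00 10.0.150.72 3078 10.1.216.35 111 S
2001.05.30 10:46:00 10.0.150.72 3079 10.1.216.36 111 S
2001.05.30 10:58:00 10.0.152.144 15087 10.1.216.43 111 S
2001.05.30 10:58:00 10.0.152.144 15088 10.1.216.44 111 S
2001.05.30 10:58:00 10.0.152.144 15089 10.1.216.45 111 S
2001.05.30 10:58:00 10.0.152.144 15090 10.1.216.46 111 S
2001.05.30 11:02:00 10.0.150.72 3090 10.1.216.34 80 S
2001.05.30 11:02:00 10.0.150.72 3090 10.1.216.34 80 A
2001.05.30 11:02:00 10.0.150.72 3091 10.1.216.35 80 S
"""

def parse_log(text):
    """Split the fixed-column log into dicts, ignoring blank lines."""
    records = []
    for line in text.splitlines():
        if line.strip():
            _date, _time, src, _sport, dst, dport, flags = line.split()
            records.append({"src": src, "dst": dst, "dport": int(dport), "flags": flags})
    return records

def netblock(addr, prefix):
    """The netblock an address falls in at a given prefix length (the 'level')."""
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def find_sweeps(records, src_prefix=16, dst_prefix=24, min_targets=2):
    """Apply the sweep definition: group packets by (source netblock, destination
    netblock, destination port); a group is a sweep when every packet in it has
    only the SYN flag and it reaches at least min_targets distinct destinations."""
    groups = defaultdict(list)
    for r in records:
        key = (netblock(r["src"], src_prefix), netblock(r["dst"], dst_prefix), r["dport"])
        groups[key].append(r)
    sweeps = []
    for (sblock, dblock, dport), recs in sorted(groups.items()):
        if any(r["flags"] != "S" for r in recs):
            continue  # "Only SYN flags": any other flag combination disqualifies the group
        targets = {r["dst"] for r in recs}
        if len(targets) >= min_targets:
            sweeps.append({"src_block": sblock, "dst_block": dblock, "port": dport,
                           "sources": sorted({r["src"] for r in recs}), "targets": len(targets)})
    return sweeps
```

With `src_prefix=16` the two sources fall into one netblock and the port 111 packets form a single sweep of 7 targets; with `src_prefix=24` they split into two separate sweeps, which is exactly the "given that ... are contained in the same netblock" condition the post relies on.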