On Wed, Feb 06, 2002 at 11:39:56AM -0500, McCammon, Keith wrote:
> This certainly doesn't look like any of the well-known scripts that I've
> seen in recent months. In fact, if you look at the timestamps, it seems
> likely that this was done manually. Look at the different tools/methods
> used to probe the system, and then look at the gaps between them.
> Either a very odd script, or someone with too much time on their hands.
>
> Do you happen to have any event correlation software in place that might
> tell you if this fellow has been caught poking around prior to this
> incident?
>
> Cheers
>
> Keith

According to my Snort logs this was the first time this fellow got into that particular subnet. We do not have any centralised Snort box for our /16 net yet, so this is just for a /24. As I mentioned in my first mail, there must be a truckload of traffic that Snort didn't pick up, since we're only using the default ruleset plus a few custom rules to pick up the ftp and printer scans.

But why did he first run some cmd.exe stuff and a few minutes later do a portscan? I just don't get it, or are those script kiddies really that, eherm... stupid?

Are you guys getting any ICMP superscan Echo in your Snort logs? Since I wrote the rule (brag, brag, brag) it would be fun to know if folks are using it or if it triggers too many false alarms. The ICMP superscan Echoes I get do nearly all originate from dialups or *dsl accounts. That makes me believe that SuperScan is the only tool (or one of very few) that uses a payload of eight zeroes in its ICMP Echo Requests.

/Johan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
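The detection Johan describes (an ICMP Echo Request whose payload is exactly eight zero bytes) expressed as stand-alone code, as an added example that is not part of the original post or of the Snort ruleset. It parses raw IPv4/ICMP bytes, verifies the ICMP checksum, and matches on type 8 plus an 8-byte all-zero payload, which is the same test a Snort rule of the form `itype:8; dsize:8; content:"|00 00 00 00 00 00 00 00|"` would apply; that rule text is my assumption about how such a rule is written, not quoted from the post. The sample packets are constructed inline: one SuperScan-style probe, a Windows-style ping (32-byte alphabet payload), a Linux-style ping (56 bytes, timestamp first), and an 8-byte payload that is not all zeros.

```python
"""Detect ICMP Echo Requests carrying an eight-zero-byte payload.

Added example (not from the original post). Plain-Python equivalent of a
Snort rule of the assumed form:
    itype:8; dsize:8; content:"|00 00 00 00 00 00 00 00|"
"""
import struct

ICMP_ECHO_REQUEST = 8
SUPERSCAN_PAYLOAD = b"\x00" * 8          # the signature discussed in the post


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                    # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(packet: bytes):
    """Return (icmp_type, icmp_code, payload) for an IPv4 ICMP packet.

    Returns None when the packet is not IPv4 ICMP, is truncated, or fails
    the ICMP checksum, so a damaged capture never produces a match.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1 or ihl < 20 or total_len > len(packet) or total_len < ihl + 8:
        return None
    icmp = packet[ihl:total_len]
    if icmp_checksum(icmp) != 0:          # a valid message sums to zero
        return None
    return icmp[0], icmp[1], icmp[8:]     # type, code, data after the 8-byte header


def is_superscan_echo(packet: bytes) -> bool:
    """True only for Echo Requests whose payload is exactly 8 zero bytes."""
    parsed = parse_ipv4_icmp(packet)
    if parsed is None:
        return False
    icmp_type, _code, payload = parsed
    return icmp_type == ICMP_ECHO_REQUEST and payload == SUPERSCAN_PAYLOAD


def build_echo_request(src: str, dst: str, payload: bytes, ident=0x1234, seq=1) -> bytes:
    """Construct a well-formed IPv4 Echo Request (test input only)."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + icmp


# Constructed sample traffic (addresses from the RFC 5737 documentation ranges).
SAMPLE_PACKETS = {
    "superscan": build_echo_request("203.0.113.7", "192.0.2.10", SUPERSCAN_PAYLOAD),
    "windows_ping": build_echo_request("203.0.113.8", "192.0.2.10",
                                       b"abcdefghijklmnopqrstuvwabcdefghi"),
    "linux_ping": build_echo_request("203.0.113.9", "192.0.2.10",
                                     b"\x00" * 8 + bytes(range(8, 56))),
    "eight_bytes_not_zero": build_echo_request("203.0.113.10", "192.0.2.10",
                                               b"\x00" * 7 + b"\x01"),
}


def scan(packets: dict) -> list:
    """Names of the packets that match the signature, in input order."""
    return [name for name, pkt in packets.items() if is_superscan_echo(pkt)]


if __name__ == "__main__":
    for name in scan(SAMPLE_PACKETS):
        print("ICMP superscan echo:", name)
```

Note that the Linux-style ping also begins with eight zero bytes (a zeroed timestamp) but is 56 bytes long, so the length check, not just the content match, is what keeps it from firing; drop the `dsize`-style test and the rule would alert on ordinary pings.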
This archive was generated by hypermail 2b30 : Wed Feb 06 2002 - 11:05:51 PST