You can see some examples of these scans described in the result of Honeynet Project's "Scan Of The Month" 30:
http://www.honeynet.org/scans/scan30/

The kinds of packets generated by nmap scanning methods are well documented in this paper:
http://www.securityfocus.com/guest/24226

And of course "THE" FAQ about firewall log interpretation:
http://www.robertgraham.com/pubs/firewall-seen.html
(BTW this seems to be down as I write, but it is mirrored in several places on the Internet)

Best,
Daniele

On Mon, 31 Jan 2005 16:30:11 -0600, Jeremy W. Chalfant <jeremy@private> wrote:
> I suppose you could look for specific patterns like a burst of packets
> from the same host targeting different ports on your server. Typically
> a port scan will probe a number of well known ports like
> 21,22,23,25,80,443,3389,8080 etc.... Look for these patterns in quick
> succession. More than likely there is documentation and research on
> this type of stuff, much more than I could tell you.
>
> A better bet is to look into programs like psad -- Port Scanning Attack
> Detection Daemon -- http://www.cipherdyne.org/psad , or if you are
> REALLY serious try prelude-ids -- http://www.prelude-ids.org or snort --
> http://www.snort.org. The last two not only have ways of monitoring
> what crosses a network but also support log monitoring.
>
> Good luck with the project, let me know how it goes.
>
> Jeremy
>
> On Sat, 2005-01-29 at 18:18 +0000, Sujit wrote:
> > Hi,
> >
> > Thank you for replying to my earlier mail regarding RH9 logs.
> >
> > As per the suggestion I used the command:
> >
> > iptables -t filter -I INPUT -j LOG
> >
> > Essentially, I wanted it to log all the nmap scans I performed.
> >
> > However, in this case the log entry in /var/log/messages is:
> >
> > Jan 29 00:03:13 localhost kernel: IN=lo OUT=
> > MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1
> > DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35825 DF PROTO=TCP
> > SPT=32837 DPT=631 WINDOW=32767 RES=0x00 SYN URGP=0
> >
> > Though I get information about the particular packet in the log, how
> > am I essentially going to tell whether I have performed a portscan/OS
> > fingerprinting etc.?
> >
> > Is there some other interpretation of these log messages so as to tell
> > whether nmap did indeed perform a portscan, and on a particular port?
> >
> > If nmap is run, then is there a way to tell that a particular type of
> > attack was indeed carried out on the system, by looking at the logs?
> >
> > Sujit.
> >
> > _______________________________________________
> > LogAnalysis mailing list
> > LogAnalysis@private
> > http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Wed Feb 02 2005 - 06:22:36 PST