I am trying to make definitions for suspicious network activity events that are relatively easy to classify. A formal definition for a sweep might be as follows:

From a portion of logged packet-headers;

  1 or more unique source-addresses in the same (low level) netblock
& 2 or more unique destination addresses in the same (low level) netblock
& 1 unique destination-port
& Only SYN flags
------------------------------------------------------
= Sweep after a service on the unique destination-port

Example:

date       time      source       port   dest         port  flags
2001.05.30 10:46:00  x.y.150.72   3077   a.b.216.34   111   S
2001.05.30 10:46:00  x.y.150.72   3078   a.b.216.35   111   S
2001.05.30 10:46:00  x.y.150.72   3079   a.b.216.36   111   S
2001.05.30 10:46:00  x.y.150.72   3084   a.b.216.40   111   S
2001.05.30 10:46:00  x.y.150.72   3085   a.b.216.41   111   S
2001.05.30 10:46:00  x.y.150.72   3086   a.b.216.42   111   S
2001.05.30 10:58:00  x.y.152.144  15087  a.b.216.43   111   S
2001.05.30 10:58:00  x.y.152.144  15088  a.b.216.44   111   S
2001.05.30 10:58:00  x.y.152.144  15089  a.b.216.45   111   S
2001.05.30 10:58:00  x.y.152.144  15090  a.b.216.46   111   S
2001.05.30 10:58:00  x.y.152.144  15091  a.b.216.47   111   S
2001.05.30 10:58:00  x.y.152.144  15104  a.b.216.60   111   S
2001.05.30 10:58:00  x.y.152.144  15105  a.b.216.61   111   S
2001.05.30 10:58:00  x.y.152.144  15106  a.b.216.62   111   S
2001.05.30 10:58:00  x.y.152.144  15107  a.b.216.63   111   S

Following the definition above, this would be a "Sweep after SunRPC", given that x.y.150.72 and x.y.152.144 are contained in the same netblock.

Has anyone else made similar formal definitions for other types of activity? Any input is appreciated!

--
Jostein Trondal - System Sikkerhet
jostein.trondalat_private
This archive was generated by hypermail 2b30 : Thu May 31 2001 - 12:28:08 PDT