"Jostein S. Trondal" wrote:
>
> I am trying to make definitions for suspicious network activity
> events that are relatively easy to classify. A formal definition
> for a sweep might be as follows:
>
> From a portion of logged packet-headers;
>
> 1 or more unique source-addresses in the same (low level) netblock
> & 2 or more unique destination addresses in the same (low level) netblock
> & 1 unique destination-port
> & Only SYN flags
> ------------------------------------------------------
> = Sweep after a service on the unique destination-port

Good start, but my first concern here is that your definition does not take
into account the myriad of different flags for scanning--NMAP for example,
has plenty of options. Does your definition catch a FIN scan, etc.?

Secondly, your threshold for what constitutes a service mapping or sweep (in
this case, 2 or more unique destination addresses) is WAY too low and any
automated heuristics would bog down your offline analysis with a flood of
data. I'm curious as to what kind of false positives this might generate,
too.

And finally, this definition will be circumvented entirely by an automated
yet distributed source sweep of your network's services. A time threshold
might be nice to include to take into account distributed network mappers,
e.g. multiple hosts in the same netblock all rpc scanned within 5-10 seconds
of each other from different sources?

Don

--
Don Bailey
Senior INFOSEC Engineer/Scientist
Secure Information Technology
The MITRE Corporation
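The sweep rule quoted above, carried through as a runnable detection heuristic over constructed sample packet headers (an added example, not code from either poster). It exposes the three knobs the reply asks about: which TCP flag combinations count as probes, the destination-count threshold, and a time window for spotting distributed mappers; the "low level netblock" is approximated as a /24 prefix, which is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float    # seconds since start of the logged portion
    src: str
    dst: str
    dport: int
    flags: str   # TCP flags as a string, e.g. "S", "F", "SA"


def block24(ip: str) -> str:
    """Approximate the 'low level netblock' as a /24 prefix (assumption)."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def find_sweeps(pkts, min_dsts=2, window=10.0, flags=("S",)):
    """Return {(src_block, dst_block, dport): max distinct destinations seen
    within any `window` seconds} for groups that reach `min_dsts`.

    Compared with the quoted definition: `flags` lets FIN ("F") or other
    probe types be counted instead of only bare SYN; `min_dsts` keeps the
    thread's threshold of 2 as a tunable default; `window` is the time
    threshold the reply suggests for distributed network mappers.
    """
    groups = defaultdict(list)
    for p in pkts:
        if p.flags not in flags:
            continue  # replies (SYN/ACK) and unrelated flag sets are ignored
        groups[(block24(p.src), block24(p.dst), p.dport)].append(p)
    hits = {}
    for key, plist in groups.items():
        plist.sort(key=lambda p: p.ts)
        lo = 0
        for hi in range(len(plist)):          # sliding time window
            while plist[hi].ts - plist[lo].ts > window:
                lo += 1
            dsts = {p.dst for p in plist[lo:hi + 1]}
            if len(dsts) >= min_dsts:
                hits[key] = max(hits.get(key, 0), len(dsts))
    return hits


# Constructed sample: two sources in 10.1.1.0/24 SYN-probe port 111 on hosts
# in 192.0.2.0/24 within a few seconds (the distributed rpc-sweep case),
# one probe well outside the window, a reply, and a two-host FIN probe.
SAMPLE = [
    Pkt(0.0, "10.1.1.5", "192.0.2.10", 111, "S"),
    Pkt(1.5, "10.1.1.9", "192.0.2.11", 111, "S"),
    Pkt(3.0, "10.1.1.5", "192.0.2.12", 111, "S"),
    Pkt(4.0, "192.0.2.10", "10.1.1.5", 40000, "SA"),  # reply, ignored
    Pkt(50.0, "10.1.1.5", "192.0.2.13", 111, "S"),    # outside 10 s window
    Pkt(60.0, "10.1.1.7", "192.0.2.20", 22, "F"),     # FIN probe
    Pkt(61.0, "10.1.1.7", "192.0.2.21", 22, "F"),
]
```

With the SYN-only default the FIN probe on port 22 is invisible, exactly the gap the reply points at; passing flags=("S", "F") makes it a hit, and widening the window folds the late port-111 probe into the same sweep.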
This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 14:48:39 PDT