Intrusion Detection Systems mailing list archives

RE: Determining when something is NOT random


From: "Martins, Fernando (Lisbon)" <FMartins () pt imshealth com>
Date: Mon, 24 Jul 2000 13:08:29 +0200

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Hi2all

I don't know if there is a tool for that, but I think that what it takes is
seeing if, in that attack period, those 47 systems were used randomly or
not. Is there an identified standard generation of the packets from those
IPs? Think of it as reading a poem and listening to the rhythm ... is it possible to
create an algorithm from the IPs of the packet generation caught in the
logs? There must be a tool to analyse the logs and compare them with existent and
non-existent algorithms, or try to build a 'rhythm' of IPs and identify the
algorithm used. If some logical sequence is provided, the algorithm is
identified, and it's not a random generation; if not, it is random. In both
cases, the IPs must be checked to see where they did come from, and make a more
tight list of IPs that match the rhythm.

If the output of all this is the same 47 systems list, it is almost sure that it is
random generation (or this whole tool/idea sux eheh); if not, at least you
resume the list to the systems used in the attack.
If you find an algorithm for this packet generation, you can also more easily
find the tool used in the attack.

It's Monday morning, I may still have my brain messed up from last
weekend, but does it make sense at least? (please say yes eheh)

Kind Regards
Fernando Martins
fmartins () pt imshealth com
http://www.pt.imshealth.com

-----Original Message-----
From: Lance Spitzner [SMTP:lance () spitzner net]
Sent: Monday, July 24, 2000 5:13 AM
To:   ids () uow edu au
Subject:      IDS: Determining when something is NOT random

Are there any tools/techniques for determining when something
is NOT random?

For example, I have a system that was hit with ICMP_ECHO 
packets from 47 systems within two hours.  Based on the
packets, I can determine that the same tool was used
to generate them.  What I want to determine is if the 47
source systems were randomly generated by the tool (as 
often done by Syn Flooding tools) or if the 47 systems 
involved were not randomly generated.  If the 47 Src systems
were NOT randomly generated, this may indicate that all 47
systems are actual systems used in the 'attack'.

Any tool that can take a list of IP addresses and determine
if they are random or not?

Thanks!

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
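Neither message names a tool, so here is an added example (editor's code, not from either poster) of the checks a practitioner would actually run over Lance's 47 source addresses: three statistical checks for whether the list looks like a uniform 32-bit draw (share of unroutable "bogon" addresses, chi-square of the top four address bits, distinct /16 prefixes), plus Fernando's "rhythm" idea made concrete as an attempt to fit a constant stride or a linear congruential generator to the addresses in arrival order. The two sample lists, the LCG constants, and the verdict thresholds are all constructed assumptions for illustration; a real analysis would feed in the addresses from the IDS log in the order they were seen.

```python
"""Heuristics for judging whether a list of packet source IPs was generated by a
tool or belongs to real hosts.  Added illustration, not code from the thread;
sample data and thresholds below are constructed assumptions."""
import ipaddress
from collections import Counter

# Critical value of chi-square with 15 degrees of freedom at p = 0.01
CHI2_15DF_P01 = 30.578


def parse_ips(text):
    """Source IPs as 32-bit ints, in the order they appear in the log."""
    return [int(ipaddress.IPv4Address(tok)) for tok in text.split()]


def bogon_fraction(ips):
    """Share of addresses that cannot be genuine Internet sources (loopback,
    multicast, reserved, private, unspecified).  A uniform 32-bit generator
    lands in these ranges roughly 15% of the time; real hosts never do."""
    def bogon(a):
        return (a.is_loopback or a.is_multicast or a.is_reserved
                or a.is_private or a.is_unspecified)
    return sum(bogon(ipaddress.IPv4Address(i)) for i in ips) / len(ips)


def high_nibble_chi2(ips):
    """Chi-square of the top 4 address bits against a uniform spread over 16
    bins.  A value above CHI2_15DF_P01 means the addresses cluster far more
    than a uniform random draw would; that is what real hosts look like."""
    counts = Counter(i >> 28 for i in ips)
    expected = len(ips) / 16
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(16))


def distinct_prefixes(ips, bits=16):
    """Number of distinct /bits prefixes.  47 uniform random addresses
    practically never share a /16; compromised hosts at one site often do."""
    return len({i >> (32 - bits) for i in ips})


def recover_sequence(ips, mod=2 ** 32):
    """Fernando's 'rhythm' check: does one simple recurrence reproduce the
    addresses in arrival order?  Tries a constant stride x[n+1] = x[n] + d and
    an LCG x[n+1] = (a*x[n] + c) mod 2^32 (a, c solved from the first three
    values, then verified against all the rest).  Returns a tuple or None."""
    if len(ips) < 4:
        return None
    diffs = {(y - x) % mod for x, y in zip(ips, ips[1:])}
    if len(diffs) == 1:
        return ("stride", diffs.pop())
    x0, x1, x2 = ips[:3]
    d = (x1 - x0) % mod
    if d % 2 == 0:  # even differences have no inverse mod 2^32; cannot solve
        return None
    a = ((x2 - x1) * pow(d, -1, mod)) % mod
    c = (x1 - a * x0) % mod
    if all((a * x + c) % mod == y for x, y in zip(ips, ips[1:])):
        return ("lcg", a, c)
    return None


def classify(ips):
    """Combine the checks.  Evidence of a generator (bogons, a recurrence) means
    'random'; strong clustering with no such evidence means the addresses are
    probably real hosts; otherwise the list is inconclusive."""
    report = {
        "bogon_fraction": bogon_fraction(ips),
        "chi2_top_nibble": high_nibble_chi2(ips),
        "distinct_slash16": distinct_prefixes(ips),
        "sequence": recover_sequence(ips),
    }
    if report["sequence"] or report["bogon_fraction"] > 0:
        report["verdict"] = "random"
    elif (report["chi2_top_nibble"] > CHI2_15DF_P01
          or report["distinct_slash16"] < len(ips)):
        report["verdict"] = "real hosts"
    else:
        report["verdict"] = "inconclusive"
    return report


def lcg_addresses(seed, n, a=1664525, c=1013904223, mod=2 ** 32):
    """Constructed sample: addresses from a textbook LCG, standing in for a
    flooding tool that fills the source field from a weak PRNG."""
    out, x = [], seed
    for _ in range(n):
        x = (a * x + c) % mod
        out.append(x)
    return out


# Constructed samples: 47 PRNG-generated sources, and 47 hosts in three /24s.
SPOOFED = lcg_addresses(0x12345678, 47)
REAL_HOSTS = parse_ips(" ".join(
    [f"131.111.8.{i}" for i in range(1, 21)]
    + [f"152.78.64.{i}" for i in range(1, 16)]
    + [f"193.136.128.{i}" for i in range(1, 13)]))

if __name__ == "__main__":
    for name, ips in (("spoofed", SPOOFED), ("real hosts", REAL_HOSTS)):
        print(name, classify(ips))
```

The checks are one-sided: bogons or a recoverable recurrence prove a generator, and tight clustering argues for real hosts, but a tool that draws from a good PRNG and skips unroutable ranges, or one that picks randomly from a fixed list of real reflector hosts, will come out "inconclusive" or "real hosts". Arrival order matters for the recurrence check, so feed the addresses in the sequence the IDS logged them, not sorted.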

