Intrusion Detection Systems mailing list archives
Scan of the week
From: lance () spitzner net (Lance Spitzner)
Date: Sat, 3 Jun 2000 11:41:56 -0500 (CDT)
As several of you may know, I have started the "Scan of the Week" program. Last week was the second week of posting scan signatures. However, we have not yet figured out the tool that created the signatures, so I have kept them posted until we (the security community) can figure it out.

Over the past two months various systems have scanned my network for specific ports with the following scan signature. The signatures are similar enough for me to believe that the same tool was used.

For more info on both the "Scan of the Week" program and the actual sigs:
http://www.enteract.com/~lspitz/papers.html

An example of the signatures (this case, scan for 111):

04/17-06:02:32.401307 195.116.152.104:0 -> 172.16.1.107:111
TCP TTL:228 TOS:0x0 ID:30976
**SF**** Seq: 0xCC410000 Ack: 0x0 Win: 0x200

04/17-06:02:32.402027 172.16.1.107:111 -> 195.116.152.104:0
TCP TTL:64 TOS:0x0 ID:6919 DF
**S***A* Seq: 0x77BA6506 Ack: 0xCC410001 Win: 0x7FB8
TCP Options => MSS: 536
00 00 ..

04/17-06:02:33.139528 195.116.152.104:0 -> 172.16.1.101:111
TCP TTL:238 TOS:0x0 ID:44926
****R*** Seq: 0xCC410001 Ack: 0x0 Win: 0x0

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
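Added example, not part of the original post: a small parser for log records laid out like the ones quoted above, flagging the two traits visible in the probe packet (SYN and FIN set together, source port 0). The function names are hypothetical, and the blank-line-separated three-line record layout is an assumption based on the quoted sample.

```python
import re

# Constructed sample: the three records quoted in the post.
# Assumption: records are separated by blank lines, as in Snort's ASCII logs.
SAMPLE = """\
04/17-06:02:32.401307 195.116.152.104:0 -> 172.16.1.107:111
TCP TTL:228 TOS:0x0 ID:30976
**SF**** Seq: 0xCC410000 Ack: 0x0 Win: 0x200

04/17-06:02:32.402027 172.16.1.107:111 -> 195.116.152.104:0
TCP TTL:64 TOS:0x0 ID:6919 DF
**S***A* Seq: 0x77BA6506 Ack: 0xCC410001 Win: 0x7FB8
TCP Options => MSS: 536
00 00 ..

04/17-06:02:33.139528 195.116.152.104:0 -> 172.16.1.101:111
TCP TTL:238 TOS:0x0 ID:44926
****R*** Seq: 0xCC410001 Ack: 0x0 Win: 0x0
"""

HEADER = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
IPLINE = re.compile(r"^TCP TTL:(\d+) TOS:\S+ ID:(\d+)")
TCPLINE = re.compile(r"^([*A-Z0-9]{8}) Seq: (0x[0-9A-Fa-f]+) Ack: (0x[0-9A-Fa-f]+) Win: (0x[0-9A-Fa-f]+)")

def parse_records(text):
    """Return one dict per TCP record; malformed or non-TCP blocks are skipped."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()] + [""] * 3
        h, ip, tcp = HEADER.match(lines[0]), IPLINE.match(lines[1]), TCPLINE.match(lines[2])
        if not (h and ip and tcp):
            continue
        records.append({
            "time": h.group(1), "src": h.group(2), "sport": int(h.group(3)),
            "dst": h.group(4), "dport": int(h.group(5)), "ttl": int(ip.group(1)),
            "flags": set(tcp.group(1)) - {"*"}, "win": int(tcp.group(4), 16),
        })
    return records

def reasons(rec):
    """Traits of the posted probe that ordinary TCP stacks do not emit."""
    checks = [({"S", "F"} <= rec["flags"], "SYN+FIN set together"),
              (rec["sport"] == 0, "source port 0")]
    return [msg for hit, msg in checks if hit]

def suspicious(text):
    """List (time, source, destination port, reasons) for every flagged record."""
    return [(r["time"], r["src"], r["dport"], why)
            for r in parse_records(text) if (why := reasons(r))]
```

Calling suspicious(SAMPLE) flags the SYN+FIN probe and the follow-up RST from port 0, and leaves the target's SYN/ACK reply unflagged.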
