Penetration Testing mailing list archives

Re: Looking for formal definition of suspicious network activity events


From: Don Bailey <baileydl () mitre org>
Date: Fri, 01 Jun 2001 10:10:44 -0400

"Jostein S. Trondal" wrote:

I am trying to make definitions for suspicious network activity
events that are relatively easy to classify. A formal definition
for a sweep might be as follows:

From a portion of logged packet-headers;

    1 or more unique source-addresses in the same (low level) netblock
&   2 or more unique destination addresses in the same (low level) netblock
&   1 unique destination-port
&   Only SYN flags
------------------------------------------------------
= Sweep after a service on the unique destination-port

Good start, but my first concern here is that your definition does not
take into account the myriad of different flags for scanning--NMAP for
example, has plenty of options.  Does your definition catch a FIN scan,
etc.?

Secondly, your threshold for what constitutes a service mapping or sweep
(in this case, 2 or more unique destination addresses) is WAY too low and
any automated heuristics would bog down your offline analysis with a
flood of data.  I'm curious as to what kind of false positives this
might generate, too.

And finally, this definition will be circumvented entirely by an
automated yet distributed source sweep of your network's services.  A
time threshold might be nice to include to take into account
distributed network mappers, e.g. multiple hosts in the same netblock all
rpc scanned within 5-10 seconds of each other from different sources?

Don
--
Don Bailey
Senior INFOSEC Engineer/Scientist
Secure Information Technology
The MITRE Corporation

