Penetration Testing mailing list archives
Re: Looking for formal definition of suspicious network activity events
From: Don Bailey <baileydl () mitre org>
Date: Fri, 01 Jun 2001 10:10:44 -0400
"Jostein S. Trondal" wrote:

> I am trying to make definitions for suspicious network activity events that are relatively easy to classify. A formal definition for a sweep might be as follows:
>
> From a portion of logged packet-headers;
>   1 or more unique source-addresses in the same (low level) netblock
> & 2 or more unique destination addresses in the same (low level) netblock
> & 1 unique destination-port
> & Only SYN flags
> ------------------------------------------------------
> = Sweep after a service on the unique destination-port
Good start, but my first concern here is that your definition does not take into account the myriad of different flags for scanning--NMAP, for example, has plenty of options. Does your definition catch a FIN scan, etc.?

Secondly, your threshold for what constitutes a service mapping or sweep (in this case, 2 or more unique destination addresses) is WAY too low, and any automated heuristics would bog down your offline analysis with a flood of data. I'm curious as to what kind of false positives this might generate, too.

And finally, this definition will be circumvented entirely by an automated yet distributed source sweep of your network's services. A time threshold might be nice to include to take into account distributed network mappers, e.g. multiple hosts in the same netblock all rpc scanned within 5-10 seconds of each other from different sources?

Don

--
Don Bailey
Senior INFOSEC Engineer/Scientist
Secure Information Technology
The MITRE Corporation
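The definition quoted above, together with the three refinements the reply asks for, as an added worked example (it is not code from either poster, and the packet records it runs on are constructed): the TCP flag pattern is classified instead of being fixed to SYN-only, the destination-count threshold is a parameter so the effect of setting it to 2 can be seen, and a sliding time window is applied per source netblock so that a sweep split across several sources in the same netblock still groups together.

```python
"""Classify runs of logged TCP packet headers as port sweeps.

Added example, not part of the original thread. The sweep rule is the
quoted one (same source netblock, same destination netblock, one
destination port), extended with a flag-pattern classifier, a
configurable target threshold and a time window. All addresses and
timestamps below are constructed from documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network

# TCP flag bits as laid out in the header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag patterns used by common scanner modes; anything else is "other".
SCAN_FLAG_PATTERNS = {
    SYN: "syn",
    FIN: "fin",
    0: "null",
    FIN | SYN | RST | PSH | ACK | URG: "xmas",
    ACK: "ack",
}


@dataclass(frozen=True)
class PacketHeader:
    ts: float      # capture time, seconds
    src: str
    dst: str
    dport: int
    flags: int     # TCP flag bits


@dataclass(frozen=True)
class Sweep:
    src_block: str
    dst_block: str
    dport: int
    scan_type: str
    sources: int   # distinct source addresses in the densest window
    targets: int   # distinct destination addresses in the densest window
    span: float    # seconds covered by that window


def netblock(addr: str, prefix: int) -> str:
    """Collapse an address to its containing netblock, e.g. 203.0.113.10 -> 203.0.113.0/24."""
    return str(ip_network(f"{addr}/{prefix}", strict=False))


def densest_window(pkts, window):
    """Return (sources, targets, span) for the `window`-second slice with most distinct targets."""
    best = (set(), set(), 0.0)
    pkts = sorted(pkts, key=lambda p: p.ts)
    for i, first in enumerate(pkts):
        slice_ = [p for p in pkts[i:] if p.ts - first.ts <= window]
        targets = {p.dst for p in slice_}
        if len(targets) > len(best[1]):
            best = ({p.src for p in slice_}, targets, slice_[-1].ts - first.ts)
    return best


def find_sweeps(headers, *, prefix=24, min_targets=5, window=10.0):
    """Group headers by (src netblock, dst netblock, port, flag pattern) and report sweeps."""
    groups = defaultdict(list)
    for h in headers:
        kind = SCAN_FLAG_PATTERNS.get(h.flags, "other")
        groups[(netblock(h.src, prefix), netblock(h.dst, prefix), h.dport, kind)].append(h)
    found = []
    for (sblk, dblk, port, kind), pkts in groups.items():
        sources, targets, span = densest_window(pkts, window)
        if len(targets) >= min_targets:
            found.append(Sweep(sblk, dblk, port, kind, len(sources), len(targets), span))
    return found


def sample_headers():
    """Constructed capture: a distributed SYN sweep, a FIN scan, benign web traffic, a slow scan."""
    pkts = []
    # Three hosts in 203.0.113.0/24 share eight rpcbind targets within ~6 seconds.
    for i in range(8):
        pkts.append(PacketHeader(i * 0.8, f"203.0.113.{10 + i % 3}", f"192.0.2.{1 + i}", 111, SYN))
    # One host probes six sshd targets with FIN-only packets.
    for i in range(6):
        pkts.append(PacketHeader(100.0 + i * 0.7, "198.51.100.7", f"192.0.2.{20 + i}", 22, FIN))
    # Benign: a workstation opens connections to two web servers.
    pkts.append(PacketHeader(200.0, "192.0.2.50", "192.0.2.80", 80, SYN))
    pkts.append(PacketHeader(201.0, "192.0.2.50", "192.0.2.81", 80, SYN))
    # Slow telnet sweep, one target per minute: falls outside a 10-second window.
    for i in range(6):
        pkts.append(PacketHeader(300.0 + i * 60.0, "198.51.100.9", f"192.0.2.{30 + i}", 23, SYN))
    return pkts


if __name__ == "__main__":
    for s in find_sweeps(sample_headers()):
        print(s)
```

With the defaults the detector reports the distributed SYN sweep (3 sources, 8 targets) and the FIN scan, and stays quiet on the two web connections and the one-target-per-minute probe; lowering `min_targets` to 2, as in the quoted definition, additionally flags the workstation's web traffic, which illustrates the false-positive concern in the reply.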