Detecting portscans in ipflog.


Post by Tom Karlsso » Wed, 06 Dec 2000 04:00:00



Hello all,

I've recently started logging incoming tcp/udp that'll be rejected.
However, not all of the log entries make sense. I've tried portscanning
myself with nmap, and it clearly shows a great deal of entries on numerous
ports (nothing like the entries shown below).

But, for instance. An entry like this:


b x.x.x.20,10101 -> y.y.y.17,27374 PR tcp len 20 40 -S IN

b x.x.x.20,10101 -> y.y.y.24,27374 PR tcp len 20 40 -S IN

b x.x.x.20,10101 -> y.y.y.60,27374 PR tcp len 20 40 -S IN

b x.x.x.20,10101 -> y.y.y.17,27374 PR tcp len 20 40 -S IN

b x.x.x.20,10101 -> y.y.y.24,27374 PR tcp len 20 40 -S IN

b x.x.x.20,10101 -> y.y.y.60,27374 PR tcp len 20 40 -S IN

What is the above? I mean, my guess is some kind of network scan, since
y.y.y.17, y.y.y.24 and y.y.y.60 have connection attempts almost at the
same time on unprivileged ports (note, 17, 24, 60 are the only ones which
are logged). Any clues?

Are there any resources available on the web, that explains how to read
and understand ipf logs?

Thanks,

Friendly Regards
/TK


Detecting portscans in ipflog.

Post by Kovacs Rob » Thu, 07 Dec 2000 04:00:00


If I had to guess, I would say active ftp.

good luck,
robert


> Hello all,

> I've recently started logging incoming tcp/udp that'll be rejected.
> However, not all of the log entries make sense. I've tried portscanning
> myself with nmap, and it clearly shows a great deal of entries on numerous
> ports (nothing like the entries shown below).

> But, for instance. An entry like this:


> b x.x.x.20,10101 -> y.y.y.17,27374 PR tcp len 20 40 -S IN

> b x.x.x.20,10101 -> y.y.y.24,27374 PR tcp len 20 40 -S IN

> b x.x.x.20,10101 -> y.y.y.60,27374 PR tcp len 20 40 -S IN

> b x.x.x.20,10101 -> y.y.y.17,27374 PR tcp len 20 40 -S IN

> b x.x.x.20,10101 -> y.y.y.24,27374 PR tcp len 20 40 -S IN

> b x.x.x.20,10101 -> y.y.y.60,27374 PR tcp len 20 40 -S IN

> What is the above? I mean, my guess is some kind of network scan, since
> y.y.y.17, y.y.y.24 and y.y.y.60 have connection attempts almost at the
> same time on unprivileged ports (note, 17, 24, 60 are the only ones which
> are logged). Any clues?

> Are there any resources available on the web, that explains how to read
> and understand ipf logs?

> Thanks,

> Friendly Regards
> /TK



Detecting portscans in ipflog.

Post by Kovacs Rob » Thu, 07 Dec 2000 04:00:00


I'm sorry, I did not realize the different ports on y.y.y.
It is something else then, of course.

r


> If I had to guess, I would say active ftp.

> good luck,
> robert


> > Hello all,

> > I've recently started logging incoming tcp/udp that'll be rejected.
> > However, not all of the log entries make sense. I've tried portscanning
> > myself with nmap, and it clearly shows a great deal of entries on numerous
> > ports (nothing like the entries shown below).

> > But, for instance. An entry like this:


> > b x.x.x.20,10101 -> y.y.y.17,27374 PR tcp len 20 40 -S IN

> > b x.x.x.20,10101 -> y.y.y.24,27374 PR tcp len 20 40 -S IN

> > b x.x.x.20,10101 -> y.y.y.60,27374 PR tcp len 20 40 -S IN

> > b x.x.x.20,10101 -> y.y.y.17,27374 PR tcp len 20 40 -S IN

> > b x.x.x.20,10101 -> y.y.y.24,27374 PR tcp len 20 40 -S IN

> > b x.x.x.20,10101 -> y.y.y.60,27374 PR tcp len 20 40 -S IN

> > What is the above? I mean, my guess is some kind of network scan, since
> > y.y.y.17, y.y.y.24 and y.y.y.60 have connection attempts almost at the
> > same time on unprivileged ports (note, 17, 24, 60 are the only ones which
> > are logged). Any clues?

> > Are there any resources available on the web, that explains how to read
> > and understand ipf logs?

> > Thanks,

> > Friendly Regards
> > /TK


Detecting portscans in ipflog.

Post by Kovacs Rob » Thu, 07 Dec 2000 04:00:00



> I'm sorry, I did not realize the different ports on y.y.y.
> It is something else then, of course.

> r

s/ports/IPs/

Jee :)

BTW it could be one of those "horizontal" port probes, i.e. not the classic
"vertical" style, which probes all ports on a box,
but probes one port on many boxes instead, and when they are done, enough time
has passed to start scanning for another port,
and they still won't be noticed (except by you of course ;v).
You can usually see this when you have many computers in a subnet, or many
aliases on an if.

hope this helps,
r


Detecting portscans in ipflog.

Post by Peter Strömbe » Thu, 07 Dec 2000 04:00:00



>...

> x.x.x.20,10101 -> y.y.y.60,27374 PR tcp len 20 40 -S IN

> What is the above? I mean, my guess is some kind of network scan,
> since y.y.y.17, y.y.y.24 and y.y.y.60 have connection attempts
> almost at the same time on unprivileged ports (note, 17, 24, 60
> are the only ones which are logged). Any clues?

Trojan scan.
27374 | TCP = BackDoor-G/SubSeven/Sub7

> Are there any resources available on the web, that explains how to
> read and understand ipf logs?

<http://www.robertgraham.com/pubs/firewall-seen.html>
<http://www.vhm.haitec.de/www/software/avipports.shtml#trojan>

--
Peter Strömberg
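The two replies above describe what the poster's entries are: a "horizontal" probe (one port, 27374, tried against several hosts) rather than the "vertical" nmap-style scan (many ports on one host) the poster expected, and a port that was known at the time as the SubSeven/Sub7 backdoor port. The following is an added example, written for this page and not code from the thread or from the ipfilter project, that parses ipmon-style log records and separates the two patterns. It assumes the ipmon prefix fields (date, time, interface, @rule) seen in typical output, uses constructed addresses from the documentation ranges in place of the poster's x.x.x/y.y.y, takes the 27374 hint from Peter's reply, and treats the thresholds (3 hosts, 5 ports) as tunable guesses.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One ipmon-style record. The action letter ('b' blocked, 'p' passed) is where
# the page's lines start; the date/time/interface/@rule prefix that ipmon
# prints before it is not part of the pattern, so trimmed lines like the ones
# in the post parse as well as full ones (assumed ipmon layout).
IPF_RECORD = re.compile(
    r"(?P<action>[bBpP])\s+(?P<src>[\w.:]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\w.:]+),(?P<dport>\d+)\s+PR\s+(?P<proto>\w+)\s+"
    r"len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+(?P<flags>-[A-Z]+))?\s+(?P<direction>IN|OUT)"
)

# Port hint taken from Peter's reply; a real deployment would load a
# maintained list rather than hard-code one entry.
TROJAN_PORTS: Dict[int, str] = {27374: "BackDoor-G/SubSeven/Sub7"}


@dataclass(frozen=True)
class IpfEntry:
    action: str      # 'b' or 'p'
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # 'tcp' or 'udp'
    flags: str       # e.g. '-S' for a bare SYN; '' for UDP
    direction: str   # 'IN' or 'OUT'


def parse_line(line: str) -> Optional[IpfEntry]:
    """Return the entry on this line, or None if it is not an ipf record."""
    m = IPF_RECORD.search(line)
    if m is None:
        return None
    return IpfEntry(
        action=m["action"].lower(), src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), proto=m["proto"].lower(),
        flags=m["flags"] or "", direction=m["direction"],
    )


def parse_log(text: str) -> List[IpfEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def classify_scans(entries, min_hosts: int = 3, min_ports: int = 5) -> List[dict]:
    """Flag blocked inbound traffic that looks like a scan.

    horizontal: one source hits the same port on >= min_hosts distinct hosts
                (the poster's case: 27374 on .17, .24 and .60)
    vertical:   one source hits >= min_ports distinct ports on one host
                (what a default nmap run against a single box looks like)
    """
    hosts_by_src_port = defaultdict(set)   # (src, dport) -> {dst, ...}
    ports_by_src_host = defaultdict(set)   # (src, dst)   -> {dport, ...}
    for e in entries:
        if e.action != "b" or e.direction != "IN":
            continue
        hosts_by_src_port[(e.src, e.dport)].add(e.dst)
        ports_by_src_host[(e.src, e.dst)].add(e.dport)

    findings = []
    for (src, dport), hosts in sorted(hosts_by_src_port.items()):
        if len(hosts) >= min_hosts:
            findings.append({"type": "horizontal", "src": src, "port": dport,
                             "hosts": sorted(hosts), "hint": TROJAN_PORTS.get(dport, "")})
    for (src, dst), ports in sorted(ports_by_src_host.items()):
        if len(ports) >= min_ports:
            findings.append({"type": "vertical", "src": src, "host": dst,
                             "ports": sorted(ports)})
    return findings


# Constructed sample: the poster's pattern, a vertical scan, a lone UDP drop,
# a passed connection, and one line of junk.
SAMPLE_LOG = """\
06/12/2000 09:14:01.120441 le0 @0:3 b 10.0.0.20,10101 -> 192.0.2.17,27374 PR tcp len 20 40 -S IN
06/12/2000 09:14:01.130102 le0 @0:3 b 10.0.0.20,10101 -> 192.0.2.24,27374 PR tcp len 20 40 -S IN
06/12/2000 09:14:01.140877 le0 @0:3 b 10.0.0.20,10101 -> 192.0.2.60,27374 PR tcp len 20 40 -S IN
06/12/2000 09:14:02.001203 le0 @0:3 b 10.0.0.20,10101 -> 192.0.2.17,27374 PR tcp len 20 40 -S IN
06/12/2000 09:14:02.011570 le0 @0:3 b 10.0.0.20,10101 -> 192.0.2.24,27374 PR tcp len 20 40 -S IN
06/12/2000 09:14:02.020933 le0 @0:3 b 10.0.0.20,10101 -> 192.0.2.60,27374 PR tcp len 20 40 -S IN
06/12/2000 09:20:44.500001 le0 @0:3 b 10.0.0.99,41022 -> 192.0.2.17,21 PR tcp len 20 40 -S IN
06/12/2000 09:20:44.510002 le0 @0:3 b 10.0.0.99,41023 -> 192.0.2.17,22 PR tcp len 20 40 -S IN
06/12/2000 09:20:44.520003 le0 @0:3 b 10.0.0.99,41024 -> 192.0.2.17,23 PR tcp len 20 40 -S IN
06/12/2000 09:20:44.530004 le0 @0:3 b 10.0.0.99,41025 -> 192.0.2.17,25 PR tcp len 20 40 -S IN
06/12/2000 09:20:44.540005 le0 @0:3 b 10.0.0.99,41026 -> 192.0.2.17,80 PR tcp len 20 40 -S IN
06/12/2000 09:31:05.000000 le0 @0:5 b 198.51.100.7,5000 -> 192.0.2.17,53 PR udp len 20 48 IN
06/12/2000 09:32:00.000000 le0 @0:1 p 203.0.113.9,51234 -> 192.0.2.17,22 PR tcp len 20 60 -S IN
this line is not an ipf record
"""

if __name__ == "__main__":
    for finding in classify_scans(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the sample it reports one horizontal finding (10.0.0.20 probing 27374 on three hosts, tagged with the Sub7 hint) and one vertical finding (10.0.0.99 against five ports on one host); the single UDP drop and the passed SSH connection stay below threshold. The grouping deliberately ignores time, which is what Robert's point about a slow horizontal sweep relies on: a scanner that waits between ports still produces the same per-port host sets once the log window is long enough, so run it over a day of logs rather than a few minutes.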


1. Need program to detect outgoing portscans from my network

Hello all,

I need to be able to detect portscans from two servers on my subnet
(these servers are not administered by me, but I can sniff their
traffic)

I've tried snort with mixed results.

By default snort doesn't log scans from my net to external net (only
the other way around)

I tried changing the preprocessor portscan: to any and now I am able
to detect portscans from any machine on my subnet to the outside but
now even web browsing traffic is being picked up as portscans.

So any suggestions would be appreciated.

Thanks
