[unisog] Tool to find ssh attacks in argus logs
Peter Van Epp
vanepp at sfu.ca
Mon Nov 5 14:56:24 EST 2001
>
> Greetings All,
> Here is a quick perl hack to scan archived argus[1] logs
> for evidence of ssh attacks. The current attack that we have seen
> iterates an offset for the shell code and this script picks up the
> repeated attempts. The script is quite specific to this attack and
> looks for ssh sessions within a quite narrow size range.
>
> It has been tested by Peter Van Epp (thanks Peter!) on real data and
> picked up all known attacks that they had seen and outgoing attacks from
> machines on the network that had already been compromised. Peter also
> modified the script to work with argus 1.8.x (see comments).
<snip>
I also just ran the entire month of October through the script and
picked up a previously missed machine from Oct 27, so it appears to be working
fine even for the ones I didn't already know about :-)
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
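As an added example (not the perl script from the post, which is not reproduced here), the heuristic the post describes, repeated ssh sessions between one source and one target that all fall within a narrow size range, implemented in Python over constructed flow records. The record layout, field order and the size and repeat thresholds are assumptions for this example and are not the argus log format.

```python
"""Flag repeated, similarly sized ssh sessions between one source and one
target, the pattern the post describes (an attack iterating a shellcode
offset). The record layout here is constructed for the example; it is not
argus output."""
import re
from collections import defaultdict

# Constructed sample records: time proto src:port dst:port src_bytes dst_bytes
SAMPLE_FLOWS = """\
08:00:01 tcp 10.0.0.5:40001 192.168.1.10:22 1450 1210
08:00:03 tcp 10.0.0.5:40002 192.168.1.10:22 1452 1210
08:00:05 tcp 10.0.0.5:40003 192.168.1.10:22 1454 1210
08:00:07 tcp 10.0.0.5:40004 192.168.1.10:22 1456 1210
08:00:09 tcp 10.0.0.5:40005 192.168.1.10:22 1458 1210
08:00:11 tcp 10.0.0.5:40006 192.168.1.10:22 1460 1210
08:01:00 tcp 10.0.0.9:51000 192.168.1.10:22 21000 27000
08:05:00 tcp 10.0.0.9:51001 192.168.1.10:22 900 18000
08:06:00 tcp 10.0.0.7:33000 192.168.1.11:22 1400 1250
08:07:00 udp 10.0.0.5:53 192.168.1.10:53 80 200
"""

FLOW_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s+(\d+)$")

def parse_flows(text):
    """Yield (proto, src_ip, dst_ip, dst_port, total_bytes) per record,
    skipping malformed lines."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        _, proto, src, _, dst, dport, sbytes, dbytes = m.groups()
        yield proto, src, dst, int(dport), int(sbytes) + int(dbytes)

def find_ssh_attack_candidates(text, low=2500, high=2800, min_repeats=5):
    """Count tcp/22 sessions per (src, dst) whose total size lies within
    [low, high] bytes; return the pairs seen at least min_repeats times.
    Normal interactive logins (large, varied sizes) fall outside the window."""
    counts = defaultdict(int)
    for proto, src, dst, dport, total in parse_flows(text):
        if proto == "tcp" and dport == 22 and low <= total <= high:
            counts[(src, dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= min_repeats}

if __name__ == "__main__":
    for (src, dst), n in sorted(find_ssh_attack_candidates(SAMPLE_FLOWS).items()):
        print(f"{src} -> {dst}: {n} similarly sized ssh sessions")
```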