new scan detector. radark.pl
Carter Bullard
carter at qosient.com
Thu Oct 11 13:55:25 EDT 2007
Gentle people,

I'd like to include a perl script in the release that is a good example of multi-pass data analysis that does something that most people like to do. The program is radark (need a better name), and is basically a long range scan detector.

radark basically takes any amount of argus data, and using a description of what is local (-L CIDR), attempts to realize the list of lit network entities (local functioning IP addresses) and then tracks any address that attempts to touch a dark network entity (non-existing IP addresses). Once we get the list of scanners, we re-parse the original data, looking for any machine that talked to the scanner, which tells us who was discovered (hosts that respond without any content), and who answered (hosts that responded with data).

This is a simple script, and will break if you have too much data, so please give it a try, and any opinions would be very welcome.

Any questions, please send email!!!

Carter
radark -L 1.2.0.0/16 -r /tmp/argus.out -N 10
Searcher Report 2003/12/18.09:00:55.664184 - 2003/12/18.09:43:14.675028
211.222.8.44 scanned 1857 hosts in 210.420624 secs
discovered 0 hosts with 0 responders
218.104.78.69 scanned 358 hosts in 2516.728760 secs
discovered 0 hosts with 0 responders
202.112.53.85 scanned 249 hosts in 2517.197266 secs
discovered 0 hosts with 0 responders
202.99.219.206 scanned 228 hosts in 302.197723 secs
discovered 0 hosts with 0 responders
202.112.53.86 scanned 214 hosts in 2525.386719 secs
discovered 0 hosts with 0 responders
210.51.1.47 scanned 152 hosts in 2511.132324 secs
discovered 0 hosts with 0 responders
218.22.14.104 scanned 115 hosts in 2532.348389 secs
discovered 0 hosts with 0 responders
61.151.248.33 scanned 93 hosts in 2516.505127 secs
discovered 0 hosts with 0 responders
69.31.72.200 scanned 17 hosts in 2411.359619 secs
discovered 0 hosts with 0 responders
68.153.205.32 scanned 15 hosts in 2401.496826 secs
discovered 0 hosts with 0 responders
81.17.58.2 scanned 15 hosts in 2369.491455 secs
discovered 0 hosts with 0 responders
61.56.240.10 scanned 13 hosts in 2216.921143 secs
discovered 0 hosts with 0 responders
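The two-pass procedure the post describes, written out as an added Python example. This is not Carter's radark.pl and not code from the argus distribution; it works on in-memory flow records whose fields (stime, saddr, daddr, dpkts, dappbytes) are modelled loosely on argus flow attributes, with the sample flows, the local prefix 10.1.0.0/24 and every address constructed for the demonstration. Two interpretations are assumptions: "scanned N hosts" counts distinct dark local addresses a remote host touched, and, following the post's definitions, "discovered" means a local host that replied with no application data while "answered" means one that replied with data.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record; field names only loosely follow argus conventions."""
    stime: float      # flow start time, epoch seconds
    saddr: str        # address that initiated the flow
    daddr: str        # address that was contacted
    dpkts: int        # packets sent back by daddr (0 = no reply at all)
    dappbytes: int    # application-layer bytes sent back by daddr


def is_local(addr, local_net):
    return ipaddress.ip_address(addr) in local_net


def lit_hosts(flows, local_net):
    """Pass 1a: local addresses that demonstrably exist.

    A local address is 'lit' if it ever originated a flow, or if it was
    contacted and sent at least one packet back."""
    lit = set()
    for f in flows:
        if is_local(f.saddr, local_net):
            lit.add(f.saddr)
        if is_local(f.daddr, local_net) and f.dpkts > 0:
            lit.add(f.daddr)
    return lit


def find_scanners(flows, local_net, lit):
    """Pass 1b: remote addresses that touched dark (non-lit) local addresses.

    Records the set of dark targets and the first/last probe time per scanner."""
    probes = defaultdict(lambda: {"dark": set(), "first": None, "last": None})
    for f in flows:
        if is_local(f.saddr, local_net) or not is_local(f.daddr, local_net):
            continue                      # only remote -> local flows matter
        if f.daddr in lit:
            continue                      # touching a real host is not a dark probe
        rec = probes[f.saddr]
        rec["dark"].add(f.daddr)
        rec["first"] = f.stime if rec["first"] is None else min(rec["first"], f.stime)
        rec["last"] = f.stime if rec["last"] is None else max(rec["last"], f.stime)
    return probes


def who_talked(flows, local_net, scanners):
    """Pass 2: re-read the same data to see which local hosts replied to each scanner."""
    discovered = defaultdict(set)   # replied, but with no application content
    answered = defaultdict(set)     # replied with application data
    for f in flows:
        if f.saddr not in scanners or not is_local(f.daddr, local_net):
            continue
        if f.dpkts == 0:
            continue                      # no reply: the target stayed dark
        if f.dappbytes > 0:
            answered[f.saddr].add(f.daddr)
        else:
            discovered[f.saddr].add(f.daddr)
    return discovered, answered


def radark(flows, local_cidr, top_n=10):
    """Run both passes and return the top_n scanners by dark hosts touched."""
    local_net = ipaddress.ip_network(local_cidr)
    lit = lit_hosts(flows, local_net)
    scanners = find_scanners(flows, local_net, lit)
    discovered, answered = who_talked(flows, local_net, scanners)
    ranked = sorted(scanners.items(), key=lambda kv: -len(kv[1]["dark"]))[:top_n]
    return [{
        "scanner": addr,
        "scanned": len(rec["dark"]),
        "secs": rec["last"] - rec["first"],
        "discovered": sorted(discovered[addr]),
        "answered": sorted(answered[addr]),
    } for addr, rec in ranked]


# Constructed sample flows (not real argus output). 10.1.0.5 and 10.1.0.7 are
# the only lit hosts; 203.0.113.9 sweeps ten dark addresses and also reaches
# both lit hosts; 198.51.100.4 is ordinary traffic to a lit host only.
SAMPLE = [
    Flow(50.0, "10.1.0.5", "8.8.8.8", 2, 100),
    Flow(60.0, "198.51.100.4", "10.1.0.5", 4, 20),
    Flow(95.0, "203.0.113.9", "10.1.0.5", 3, 0),      # replied, no content
    Flow(96.0, "203.0.113.9", "10.1.0.7", 5, 400),    # replied with data
] + [Flow(100.0 + i, "203.0.113.9", f"10.1.0.{20 + i}", 0, 0) for i in range(10)]

if __name__ == "__main__":
    for r in radark(SAMPLE, "10.1.0.0/24", top_n=10):
        print(f"{r['scanner']} scanned {r['scanned']} hosts in {r['secs']:.6f} secs")
        print(f"   discovered {len(r['discovered'])} hosts, "
              f"{len(r['answered'])} answered with data")
```

The second pass only consults the scanner list produced by the first, which is why the whole data set has to be read twice: a host cannot be classified as lit or dark until every record has been seen. Note that 198.51.100.4 never appears in the report because the only local address it contacted was lit.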