looking for scanners and other "bad" activity
carter at qosient.com
Thu Sep 9 15:16:19 EDT 2010
Hey Mark,
Take a look at the rahosts() perl script. It will report on the number of hosts that hosts attempt to access. It is the simplest of tools to report simple scanning behavior.
radark() is also a good script for dealing with scan detection, but it is trying to discover scanning at a very low level of activity, which is below the thresholds you mention. Maybe overkill.
Give these a try and send email if they were helpful at all, and if they sucked for what you want to do.
Carter
Sent from my Verizon Wireless BlackBerry
-----Original Message-----
From: Mike Tancsa <mike at sentex.ca>
Sender: argus-info-bounces+carter=qosient.com at lists.andrew.cmu.edu
Date: Thu, 09 Sep 2010 10:14:22
To: <argus-info at lists.andrew.cmu.edu>
Subject: [ARGUS] looking for scanners and other "bad" activity
Hi,
I am hoping to use my argus data for some real time threat
analysis looking for hosts scanning inside my network either
individual hosts or ports on a host. In general, the questions I
want to answer are like
What external IP addresses have hit > n hosts on port y in less than x hrs
eg. what external IP addresses have hit port 3389 on more than 20
different IP addresses in the past 1hr
I could do some scripting to interpret the text output, but was
hoping there would be some combo of racluster and other argus tools
to help me answer that question.
---Mike
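The rule Mike asks for ("which external addresses hit more than n internal hosts on port y within x hours") is simple enough to script directly against ra's text output while waiting on rahosts()/radark(). The following is an added example written for this page, not code from the thread or from the argus distribution. It assumes the records were dumped with something like `ra -u -c , -r argus.out -s stime saddr daddr dport` (epoch seconds, comma separated; that invocation is an assumption), that 192.0.2.0/24 stands in for the "inside" network, and the flow lines it runs on are constructed, not captured. It uses a sliding time window rather than fixed hourly buckets, so a sweep that straddles a clock-hour boundary still counts as "in less than x hrs", and it only counts distinct internal destinations, so one host being hammered repeatedly does not register as a sweep.

```python
"""Sweep-style scan detection over argus flow records (added example).

Question answered: which external source addresses contacted more than
MIN_HOSTS distinct internal hosts on port PORT inside any interval no
longer than WINDOW_SECS?  Input lines are assumed to look like what
    ra -u -c , -r argus.out -s stime saddr daddr dport
prints (epoch seconds, comma separated); that invocation, the address
ranges and the sample flows below are assumptions, not data from the thread.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

INTERNAL_NETS = [ip_network("192.0.2.0/24")]     # assumed "inside" address space
Flow = Tuple[float, str, str, int]                # (stime, saddr, daddr, dport)


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> List[Flow]:
    """Parse 'stime,saddr,daddr,dport' lines; non-numeric first fields
    (ra's column header, blank lines) are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        try:
            flows.append((float(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue            # header line such as "StartTime,SrcAddr,..."
    return flows


def find_scanners(flows: List[Flow], port: int, min_hosts: int,
                  window_secs: float) -> Dict[str, Tuple[int, float, float]]:
    """Return {saddr: (distinct_hosts, window_start, window_end)} for every
    external source that reached more than min_hosts distinct internal
    hosts on `port` within some interval no longer than window_secs."""
    per_src: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for stime, saddr, daddr, dport in flows:
        if dport != port or is_internal(saddr) or not is_internal(daddr):
            continue
        per_src[saddr].append((stime, daddr))

    hits: Dict[str, Tuple[int, float, float]] = {}
    for saddr, events in per_src.items():
        events.sort()
        in_window: Counter = Counter()   # daddr -> flows inside the window
        left = 0
        for stime, daddr in events:
            in_window[daddr] += 1
            # advance the left edge until the window spans <= window_secs
            while stime - events[left][0] > window_secs:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > min_hosts:
                best = hits.get(saddr)
                if best is None or len(in_window) > best[0]:
                    hits[saddr] = (len(in_window), events[left][0], stime)
    return hits


def constructed_sample() -> str:
    """Constructed flow text (not captured data) that exercises the rule."""
    base = 1284041700.0     # arbitrary epoch start for the sample
    lines = ["StartTime,SrcAddr,DstAddr,Dport"]
    # 203.0.113.5: 25 distinct internal hosts on 3389, one per minute -> sweep
    for i in range(25):
        lines.append(f"{base + 60 * i},203.0.113.5,192.0.2.{i + 1},3389")
    # 198.51.100.9: same 25 hosts but one every 10 minutes -> at most 7 per hour
    for i in range(25):
        lines.append(f"{base + 600 * i},198.51.100.9,192.0.2.{i + 1},3389")
    # 203.0.113.7: 30 connections to a single host -> not a sweep
    for i in range(30):
        lines.append(f"{base + 30 * i},203.0.113.7,192.0.2.1,3389")
    # 192.0.2.50: internal source, ignored even though it touches 30 hosts
    for i in range(30):
        lines.append(f"{base + 10 * i},192.0.2.50,192.0.2.{i + 100},3389")
    # 203.0.113.8: 25 hosts, but on port 22, not the port being asked about
    for i in range(25):
        lines.append(f"{base + 60 * i},203.0.113.8,192.0.2.{i + 1},22")
    return "\n".join(lines)


if __name__ == "__main__":
    # Mike's worked case: port 3389, more than 20 hosts, within one hour
    found = find_scanners(parse_flows(constructed_sample()), 3389, 20, 3600)
    for src, (n, start, end) in sorted(found.items()):
        print(f"{src} hit {n} internal hosts on tcp/3389 between {start:.0f} and {end:.0f}")
```

To run it against real data, replace `constructed_sample()` with the text of the ra dump and adjust INTERNAL_NETS; lowering `min_hosts` or widening `window_secs` moves the rule toward the low-and-slow scans that radark() is aimed at.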