looking for scanners and other "bad" activity
Dave Edelman
dedelman at iname.com
Thu Sep 9 21:42:07 EDT 2010
Mike,
Carter pointed out rahosts()
rahosts() gives you quite a bit of data that you may find distracting. I
usually take the output and pipe it through something like
| tr -d '\(\)' | awk '$2 > 20 {printf("%s %s\n", $1, $2)}'
This will give you the source address and the number of distinct destination
addresses for each.
--Dave
-----Original Message-----
From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
[mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
Behalf Of Mike Tancsa
Sent: Thursday, September 09, 2010 10:14 AM
To: argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] looking for scanners and other "bad" activity
Hi,
I am hoping to use my argus data for some real-time threat
analysis, looking for hosts scanning inside my network, either
individual hosts or ports on a host. In general, the questions I
want to answer are like:
What external IP addresses have hit > n hosts on port y in less than x hrs?
e.g. what external IP addresses have hit port 3389 on more than 20
different IP addresses in the past 1 hr?
I could do some scripting to interpret the text output, but was
hoping there would be some combo of racluster and other argus tools
to help me answer that question.
---Mike
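An added example, not part of this thread or of the argus-clients tools: a small shell/awk function that does for a time window and a single port what Mike asks for, and what Dave's tr/awk pass does over rahosts() output, namely count distinct destinations per source and report those above a threshold. The four-column input format and the RFC 5737 sample addresses are assumptions, constructed here rather than real ra output.

```shell
#!/bin/sh
# Added example (not from the argus list thread or the argus-clients package):
# count distinct destination addresses per source on one port within a time
# window and flag sources above a threshold. Assumed input format, one flow
# per line (constructed, not real ra output):
#   <epoch seconds> <source addr> <dest addr> <dest port>

# Constructed sample flows: 203.0.113.5 reaches 3 distinct hosts on 3389
# inside the window, 198.51.100.9 reaches 2 (one of them twice), and
# 192.0.2.7's hits are older than the window and must be ignored.
SAMPLE_FLOWS='1284000000 203.0.113.5 10.0.0.1 3389
1284000010 203.0.113.5 10.0.0.2 3389
1284000020 203.0.113.5 10.0.0.3 3389
1284000030 203.0.113.5 10.0.0.3 3389
1284000040 198.51.100.9 10.0.0.1 3389
1284000050 198.51.100.9 10.0.0.1 3389
1284000060 198.51.100.9 10.0.0.4 3389
1284000070 198.51.100.9 10.0.0.5 22
1283990000 192.0.2.7 10.0.0.1 3389
1283990010 192.0.2.7 10.0.0.2 3389
1283990020 192.0.2.7 10.0.0.3 3389'

# scanners PORT THRESHOLD WINDOW_SECONDS NOW
# Reads flows on stdin and prints "<source> <distinct destination count>"
# for every source that hit more than THRESHOLD distinct destinations on
# PORT within the last WINDOW_SECONDS before NOW.
scanners() {
    awk -v port="$1" -v thresh="$2" -v window="$3" -v now="$4" '
        $4 == port && $1 >= now - window {
            key = $2 SUBSEP $3            # one entry per (source, destination)
            if (!(key in seen)) { seen[key] = 1; dsts[$2]++ }
        }
        END {
            for (s in dsts) if (dsts[s] > thresh) printf("%s %d\n", s, dsts[s])
        }'
}

# Mike's question scaled down to the sample: port 3389, more than 2 distinct
# hosts, within the hour before "now".
printf '%s\n' "$SAMPLE_FLOWS" | scanners 3389 2 3600 1284000100
# prints: 203.0.113.5 3
```

With real data the input would come from ra with a matching field list rather than the embedded sample, and the threshold raised to Mike's 20.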