looking for scanners and other "bad" activity
Mike Tancsa
mike at sentex.ca
Fri Sep 10 09:02:41 EDT 2010
At 03:16 PM 9/9/2010, carter at qosient.com wrote:
>Hey Mark,
>Take a look at the rahosts() perl script. It will report on the
>number of hosts that hosts attempt to access. It is the simplest of
>tools to report simple scanning behavior.
>
>radark() is also a good script for dealing with scan detection, but
>it is trying to discover scanning at a very low level of activity,
>which is below the thresholds you mention. Maybe overkill.
Thanks Carter, these look like great tools! I noticed there is no
man page for them?
---Mike
>Give these a try and send email if they were helpful at all, and if
>they sucked for what you want to do.
>
>Carter
>Sent from my Verizon Wireless BlackBerry
>
>-----Original Message-----
>From: Mike Tancsa <mike at sentex.ca>
>Sender: argus-info-bounces+carter=qosient.com at lists.andrew.cmu.edu
>Date: Thu, 09 Sep 2010 10:14:22
>To: <argus-info at lists.andrew.cmu.edu>
>Subject: [ARGUS] looking for scanners and other "bad" activity
>
>Hi,
> I am hoping to use my argus data for some real time threat
>analysis looking for hosts scanning inside my network either
>individual hosts or ports on a host. In general, the questions I
>want to answer are like
>
> What external IP addresses have hit > n hosts on port y in less than x hrs
>
>e.g. what external IP addresses have hit port 3389 on more than 20
>different IP addresses in the past 1hr
>
>I could do some scripting to interpret the text output, but was
>hoping there would be some combo of racluster and other argus tools
>to help me answer that question.
>
> ---Mike
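The question Mike asks above ("which external addresses hit more than n internal hosts on port y within x hours") is a distinct-destination count over a sliding time window. The following is an added example, not code from the thread or from the argus project: it answers that question over comma-separated flow records in the shape `stime,saddr,daddr,dport` (assumed to match what `ra -c , -s stime saddr daddr dport` would emit; the field order and timestamp format here are assumptions, and the records themselves are constructed). The monitored network, the thresholds and the sample addresses are all made up for the example.

```python
"""Flag external sources that touch more than `min_hosts` distinct internal
hosts on one port within any window of `window_hours`.

Input is assumed to be comma-separated flow records: stime,saddr,daddr,dport
(the ordering an `ra -c , -s stime saddr daddr dport` invocation would give;
this is an assumption, not argus's documented output format).
"""

from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed: the address space we are defending (constructed, RFC 5737 range).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse 'stime,saddr,daddr,dport' lines into (datetime, saddr, daddr, int) tuples."""
    records = []
    for line in text.strip().splitlines():
        stime, saddr, daddr, dport = line.split(",")
        records.append((datetime.strptime(stime, "%Y-%m-%d %H:%M:%S"), saddr, daddr, int(dport)))
    return records


def find_scanners(records, port, min_hosts, window_hours):
    """Return {saddr: (time_of_peak, sorted_hosts)} for external sources whose
    distinct internal destinations on `port`, within some window of
    `window_hours` ending at a flow start time, exceeded `min_hosts`.
    The window is slid with two pointers and a Counter of live destinations,
    so each source is processed in linear time."""
    window = timedelta(hours=window_hours)
    per_src = defaultdict(list)
    for stime, saddr, daddr, dport in records:
        # Only external -> internal traffic on the port of interest.
        if dport != port or is_internal(saddr) or not is_internal(daddr):
            continue
        per_src[saddr].append((stime, daddr))

    hits = {}
    for saddr, events in per_src.items():
        events.sort()
        live = Counter()  # distinct daddr -> count of flows inside the window
        j = 0
        best = None
        for ti, di in events:
            live[di] += 1
            # Expire flows older than the window relative to the current flow.
            while ti - events[j][0] > window:
                old = events[j][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                j += 1
            if len(live) > min_hosts and (best is None or len(live) > len(best[1])):
                best = (ti, sorted(live))
        if best is not None:
            hits[saddr] = best
    return hits


def build_sample():
    """Constructed flow records: a fast scanner, a slow scanner, a benign
    admin host, an internal source (ignored) and an off-port flow (ignored)."""
    base = datetime(2010, 9, 9, 9, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    rows = []
    for k in range(1, 26):  # 25 hosts in 12.5 minutes
        rows.append(f"{base + timedelta(seconds=30 * k):{fmt}},203.0.113.5,192.0.2.{k},3389")
    for k in range(1, 31):  # 30 hosts, one every 10 minutes (~5 hours)
        rows.append(f"{base + timedelta(minutes=10 * k):{fmt}},203.0.113.9,192.0.2.{100 + k},3389")
    for k in range(1, 4):  # 3 hosts: below any sensible threshold
        rows.append(f"{base + timedelta(minutes=k):{fmt}},198.51.100.7,192.0.2.{200 + k},3389")
    for k in range(1, 31):  # internal source: not "external", so excluded
        rows.append(f"{base + timedelta(seconds=k):{fmt}},192.0.2.50,192.0.2.{k},3389")
    rows.append(f"{base:{fmt}},203.0.113.5,192.0.2.77,22")  # different port
    return "\n".join(rows)


if __name__ == "__main__":
    flows = parse_flows(build_sample())
    for src, (when, hosts) in find_scanners(flows, 3389, 20, 1).items():
        print(f"{src} reached {len(hosts)} hosts on 3389 within 1h (peak at {when})")
```

With a one-hour window and a threshold of 20 only the fast scanner is reported; the slow scanner is reached only when the window is widened to cover its whole run, which is the point Carter makes about radark() hunting for low-rate activity below such thresholds.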