RE: TCP port 5000 syn increasing
From: Steven Trewick (STrewick at joplings.co.uk)
Date: Wed May 19 2004 - 06:08:48 CDT
> That begs the question if it isn't becoming useless nowadays to count
> port scans.
IMHO it has *never* been sufficient to simply count and analyse probes
by port. It is simply not possible to identify network traffic in this
way. A probe on tcp 139 could be a worm, a misconfigured XP box, a
sKiddie running nmap; frankly it could be anything.
> Perhaps we should focus instead on catching the worms and provide payload,
> or payload hashes.
Yes, an excellent idea. If I see unusual tcp probes at my borders, I
usually at least hook up a quick netcat listener to see if anything
appears; obviously UDP traffic can be logged straight off the wire.
This is really a minimum of info to collect (and it's still an awful
lot). Counting probes will give you nothing but largely meaningless
numbers.
> Otherwise, how would you pick up the new strain of SQL slammer amongst
> all the existing SQL port scans?
You wouldn't. Because you simply wouldn't know what you were
looking at.
The ability to say "12.53 % of unsolicited traffic at my network
border is directed at tcp port 25" tells you absolutely nothing
until you know why that traffic is arriving, and what the
traffic contains.
Port 25 for instance could be spam, could be a sendmail exploit,
could be a misconfigured mail server somewhere, could be legit
mail, could be a worm using a sendmail exploit to spread (and
send spam, blended threat, see ?)
$LOCAL_CURRENCY 0.02 '-)
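The post's argument is that a per-port count of unsolicited probes says nothing until you know what the probes carry, and that a new worm strain on an already heavily scanned port is invisible to port counting but visible once payloads (or their hashes) are collected. The script below is an added example, not code from the original post or from Neohapsis or SecurityFocus: it takes a handful of constructed probe records (the payload bytes are made-up placeholders, not real worm or exploit data) and produces the two views side by side, the bare port count and the per-port breakdown by payload hash, then flags hashes absent from a baseline of already-classified payloads.

```python
"""Group unsolicited probes by destination port AND payload hash.

Added example (not from the original list post): a per-port count alone cannot
separate a new strain from background scanning of the same port, while a
payload-hash baseline can.  The probe records below are constructed, not
captured traffic; the payload bytes are placeholders.
"""
import hashlib
from collections import defaultdict

# Constructed sample "captures": (src_ip, proto, dport, payload bytes).
# RFC 5737 documentation addresses; placeholder payloads, not real exploit bytes.
SAMPLE_PROBES = [
    ("192.0.2.10", "udp", 1434, b"PLACEHOLDER-PAYLOAD-A"),
    ("192.0.2.11", "udp", 1434, b"PLACEHOLDER-PAYLOAD-A"),
    ("192.0.2.12", "udp", 1434, b"PLACEHOLDER-PAYLOAD-A"),
    ("198.51.100.7", "udp", 1434, b"PLACEHOLDER-PAYLOAD-B"),   # same port, different payload
    ("198.51.100.8", "tcp", 25, b"EHLO example.invalid\r\n"),  # something spoke to the listener
    ("198.51.100.9", "tcp", 25, b""),                           # bare SYN, nothing captured
    ("203.0.113.4", "tcp", 139, b""),
]


def payload_hash(payload: bytes) -> str:
    """SHA-256 of the payload, or 'no-payload' for a bare SYN / empty probe."""
    if not payload:
        return "no-payload"
    return hashlib.sha256(payload).hexdigest()


def count_by_port(probes):
    """The 'count probes per port' view the post argues is insufficient."""
    counts = defaultdict(int)
    for _src, proto, dport, _payload in probes:
        counts[(proto, dport)] += 1
    return dict(counts)


def group_by_port_and_hash(probes):
    """Per (proto, port): payload hash -> number of distinct sources sending it."""
    groups = defaultdict(lambda: defaultdict(set))
    for src, proto, dport, payload in probes:
        groups[(proto, dport)][payload_hash(payload)].add(src)
    return {k: {h: len(srcs) for h, srcs in v.items()} for k, v in groups.items()}


def find_new_payloads(probes, known_hashes):
    """Return sorted (proto, port, hash) triples whose payload hash is not in the
    baseline.  A new hash on a heavily scanned port is exactly what a port count
    hides; probes with no captured payload cannot be classified and are skipped."""
    new = set()
    for _src, proto, dport, payload in probes:
        h = payload_hash(payload)
        if h != "no-payload" and h not in known_hashes:
            new.add((proto, dport, h))
    return sorted(new)


if __name__ == "__main__":
    # Baseline of hashes already seen and classified (constructed: payload A only).
    baseline = {payload_hash(b"PLACEHOLDER-PAYLOAD-A")}
    print("per-port counts:", count_by_port(SAMPLE_PROBES))
    print("per-port / per-hash:", group_by_port_and_hash(SAMPLE_PROBES))
    print("payloads not in baseline:", find_new_payloads(SAMPLE_PROBES, baseline))
```

On the constructed sample, udp/1434 shows four probes in the port count, which is indistinguishable from routine scanning; the hash view shows three sources sending one known payload and a fourth sending something new, which is the "new strain amongst all the existing SQL port scans" case the post describes. Bare SYNs (empty payload) are reported but never classified, which is the practical reason for the listener the author mentions.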