Re: LOGS: GIAC GCIA Version 3.5 Practical Detect Coen Bakkers: msg#00084 (security.intrusions)

Hi Coen,

Good work... I have some questions for your consideration:

Your log shows some interesting patterns in:
- the time between packets
- the ISN #
- the source port #

1. Would a common SYN scan look like this?
2. What does this tell you about the condition of the destination server? What are the other possibilities for why you are seeing this traffic pattern?

Good luck,
Kam

Your logs:

06:05:47.614488 193.231.96.42.2722 > 78.37.180.227.1080: S 1259629854:1259629854(0) win 5840 <mss 1460,sackOK,timestamp 77366309 0,nop,wscale 0> (DF) (ttl 40, id 59707, len 60)
06:05:50.614488 193.231.96.42.2722 > 78.37.180.227.1080: S 1259629854:1259629854(0) win 5840 <mss 1460,sackOK,timestamp 77366609 0,nop,wscale 0> (DF) (ttl 40, id 59708, len 60)
06:05:56.614488 193.231.96.42.2722 > 78.37.180.227.1080: S 1259629854:1259629854(0) win 5840 <mss 1460,sackOK,timestamp 77367209 0,nop,wscale 0> (DF) (ttl 40, id 59709, len 60)
06:05:57.734488 193.231.96.42.2746 > 78.37.180.227.1080: S 1263049257:1263049257(0) win 5840 <mss 1460,sackOK,timestamp 77367320 0,nop,wscale 0> (DF) (ttl 40, id 4657, len 60)
06:06:00.724488 193.231.96.42.2746 > 78.37.180.227.1080: S 1263049257:1263049257(0) win 5840 <mss 1460,sackOK,timestamp 77367620 0,nop,wscale 0> (DF) (ttl 40, id 4658, len 60, bad)
06:06:06.724488 193.231.96.42.2746 > 78.37.180.227.1080: S 1263049257:1263049257(0) win 5840 <mss 1460,sackOK,timestamp 77368220 0,nop,wscale 0> (DF) (ttl 40, id 4659, len 60)
06:06:07.824488 193.231.96.42.2771 > 78.37.180.227.3128: S 1273701997:1273701997(0) win 5840 <mss 1460,sackOK,timestamp 77368331 0,nop,wscale 0> (DF) (ttl 40, id 43622, len 60)
06:06:10.824488 193.231.96.42.2771 > 78.37.180.227.3128: S 1273701997:1273701997(0) win 5840 <mss 1460,sackOK,timestamp 77368631 0,nop,wscale 0> (DF) (ttl 40, id 43623, len 60)
06:06:16.824488 193.231.96.42.2771 > 78.37.180.227.3128: S 1273701997:1273701997(0) win 5840 <mss 1460,sackOK,timestamp 77369231 0,nop,wscale 0> (DF) (ttl 40, id 43624, len 60)
06:06:17.944488 193.231.96.42.2795 > 78.37.180.227.8080: S 1283991188:1283991188(0) win 5840 <mss 1460,sackOK,timestamp 77369342 0,nop,wscale 0> (DF) (ttl 40, id 43370, len 60)
06:06:20.944488 193.231.96.42.2795 > 78.37.180.227.8080: S 1283991188:1283991188(0) win 5840 <mss 1460,sackOK,timestamp 77369642 0,nop,wscale 0> (DF) (ttl 40, id 43371, len 60)
06:06:26.934488 193.231.96.42.2795 > 78.37.180.227.8080: S 1283991188:1283991188(0) win 5840 <mss 1460,sackOK,timestamp 77370242 0,nop,wscale 0> (DF) (ttl 40, id 43372, len 60)
12:59:49.254488 193.231.96.42.1819 > 78.37.180.227.1080: S 1729688885:1729688885(0) win 5840 <mss 1460,sackOK,timestamp 79850643 0,nop,wscale 0> (DF) (ttl 41, id 39334, len 60)
12:59:52.244488 193.231.96.42.1819 > 78.37.180.227.1080: S 1729688885:1729688885(0) win 5840 <mss 1460,sackOK,timestamp 79850943 0,nop,wscale 0> (DF) (ttl 41, id 39335, len 60)
12:59:58.244488 193.231.96.42.1819 > 78.37.180.227.1080: S 1729688885:1729688885(0) win 5840 <mss 1460,sackOK,timestamp 79851543 0,nop,wscale 0> (DF) (ttl 41, id 39336, len 60)
12:59:59.674488 193.231.96.42.1843 > 78.37.180.227.1080: S 1740193953:1740193953(0) win 5840 <mss 1460,sackOK,timestamp 79851686 0,nop,wscale 0> (DF) (ttl 41, id 12295, len 60)
13:00:02.664488 193.231.96.42.1843 > 78.37.180.227.1080: S 1740193953:1740193953(0) win 5840 <mss 1460,sackOK,timestamp 79851986 0,nop,wscale 0> (DF) (ttl 41, id 12296, len 60)
13:00:08.714488 193.231.96.42.1843 > 78.37.180.227.1080: S 1740193953:1740193953(0) win 5840 <mss 1460,sackOK,timestamp 79852586 0,nop,wscale 0> (DF) (ttl 41, id 12297, len 60)
13:00:09.164488 193.231.96.42.1867 > 78.37.180.227.3128: S 1743423800:1743423800(0) win 5840 <mss 1460,sackOK,timestamp 79852635 0,nop,wscale 0> (DF) (ttl 41, id 64867, len 60)
13:00:12.154488 193.231.96.42.1867 > 78.37.180.227.3128: S 1743423800:1743423800(0) win 5840 <mss 1460,sackOK,timestamp 79852935 0,nop,wscale 0> (DF) (ttl 41, id 64868, len 60)
13:00:18.154488 193.231.96.42.1867 > 78.37.180.227.3128: S 1743423800:1743423800(0) win 5840 <mss 1460,sackOK,timestamp 79853535 0,nop,wscale 0> (DF) (ttl 41, id 64869, len 60)
13:00:19.574488 193.231.96.42.1891 > 78.37.180.227.8080: S 1749964279:1749964279(0) win 5840 <mss 1460,sackOK,timestamp 79853676 0,nop,wscale 0> (DF) (ttl 41, id 11675, len 60)
13:00:22.564488 193.231.96.42.1891 > 78.37.180.227.8080: S 1749964279:1749964279(0) win 5840 <mss 1460,sackOK,timestamp 79853976 0,nop,wscale 0> (DF) (ttl 41, id 11676, len 60)
13:00:28.574488 193.231.96.42.1891 > 78.37.180.227.8080: S 1749964279:1749964279(0) win 5840 <mss 1460,sackOK,timestamp 79854576 0,nop,wscale 0> (DF) (ttl 41, id 11677, len 60)

Probability that source ip address was spoofed

_______________________________________________
Intrusions mailing list
Intrusions@xxxxxxxxxxxxxx
http://www.dshield.org/mailman/listinfo/intrusions