Date: Thu, 30 Nov 2000 08:28:32 -0700 (MST)
From: Travis {RapidSupport} <traviso@RapidNet.com>
To: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Danger Ports
Message-ID: <Pine.BSF.4.21.0011300805330.83526-100000@rapidnet.com>
In-Reply-To: <Pine.BSF.4.21.0011292044170.36849-100000@flux.c-zone.net>
On Wed, 29 Nov 2000, Dan Babb wrote:

> I am referring to the Back Orifice, Trinoo server ports, etc. Where can I
> get my hands on a list of those port #'s? Or are there any utilities that
> act as those servers and log all attempts in hopes of catching those users
> who will no doubt try and take advantage of an open system?

Probably the best thing for exactly what you are describing is SNORT, a
lightweight intrusion detection package which you can get at:

http://www.snort.org

I can identify exactly what you are referring to in my logs. I also use an
ipf firewall to block that which I ID with the IDS software. Here is a
snippet of actual logs from snort on my machine:

[begin log snippet]

[**] Netbus/GabanBus [**]
09/20-21:11:08.683624 *.*.*.*:1891 -> *.*.*.*:12345
TCP TTL:64 TOS:0x0 ID:60113 DF
S***** Seq: 0x750B7F5F Ack: 0x0 Win: 0x4000
TCP Options => MSS: 1460

[**] Traceroute ICMP [**]
09/20-22:26:12.133438 204.178.16.36 -> *.*.*.*
ICMP TTL:1 TOS:0x0 ID:47254
ID:3699 Seq:13803 ECHO

[**] SYN FIN Scan [**]
10/01-22:18:16.531398 203.41.93.253:21 -> *.*.*.*:21
TCP TTL:28 TOS:0x0 ID:39426
SF**** Seq: 0x205F74F Ack: 0x55003324 Win: 0x404

[**] PCAnywhere [**]
10/02-17:45:14.656264 *.*.*.*:1030 -> *.*.*.*:22
UDP TTL:125 TOS:0x0 ID:16896
Len: 10

[**] Backdoor-31337-shell [**]
11/20-16:43:17.064386 *.*.*.*:2286 -> *.*.*.*:31337
TCP TTL:64 TOS:0x0 ID:57979 DF
S***** Seq: 0xDDD33B02 Ack: 0x0 Win: 0x4000
TCP Options => MSS: 1460

---
[end log snippet]

As you can see, I have *'d out the destination IPs (my servers) and some of
the attackers' IPs. While it creates these quick fingerprints of the attack,
it also holds more information on a per-IP basis. Personally, I don't always
have time to dig through the logs, so I use "snort snarf", which takes the
logs and creates a very nice web interface for tracking attacks and trends.
Snort Snarf can be downloaded from the Snort website... Oh, did I mention
this is free?

=)

Travis

/* -=[ Travis Ogden ]-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   RapidNet Admin Team
   Phone#: 605.341.3283        ICQ#: 30220771
   Mail: traviso@RapidNet.com  Fax#: 605.348.1031
   Web: www.RapidNet.com/~traviso   800#: 800.763.2525

   "Courage is not defined by those who fought and did not fall,
    but by those who fought, fell, and rose again."

   ATTENTION! "RapidNet has moved to 330 Knollwood Drive,
   Rapid City, SD 57701."
   -=-=-=-=-=-=-=-=-=-=-=-=-=-[ traviso@rapidnet.com ]=-=-=-= */
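A small parser for the Snort full-alert layout quoted in the message above, added here as a worked example; it is not part of the original e-mail or of the Snort project. It turns the alert text into records and summarises them by signature and destination port, the kind of trend view the message attributes to Snort Snarf. The watch list of ports is an assumption taken from the two backdoor alerts in the snippet, and the sample alerts are constructed from those lines.

```python
import re
from collections import Counter

# Constructed sample in the Snort full-alert layout quoted in the e-mail.
SAMPLE_ALERTS = """\
[**] Netbus/GabanBus [**]
09/20-21:11:08.683624 *.*.*.*:1891 -> *.*.*.*:12345
TCP TTL:64 TOS:0x0 ID:60113 DF
S***** Seq: 0x750B7F5F Ack: 0x0 Win: 0x4000
TCP Options => MSS: 1460
[**] Traceroute ICMP [**]
09/20-22:26:12.133438 204.178.16.36 -> *.*.*.*
ICMP TTL:1 TOS:0x0 ID:47254
ID:3699 Seq:13803 ECHO
[**] Backdoor-31337-shell [**]
11/20-16:43:17.064386 *.*.*.*:2286 -> *.*.*.*:31337
TCP TTL:64 TOS:0x0 ID:57979 DF
S***** Seq: 0xDDD33B02 Ack: 0x0 Win: 0x4000
TCP Options => MSS: 1460
"""
HEADER = re.compile(r"^\[\*\*\] (?P<sig>.+?) \[\*\*\]$")
PACKET = re.compile(r"^(?P<ts>\S+) (?P<src>\S+?)(?::(?P<sport>\d+))?"
                    r" -> (?P<dst>\S+?)(?::(?P<dport>\d+))?$")
PROTO = re.compile(r"^(?P<proto>TCP|UDP|ICMP) TTL:(?P<ttl>\d+) ")
# Assumed watch list, taken from the two backdoor alerts in the snippet.
WATCH_PORTS = {12345: "Netbus", 31337: "31337 backdoor"}

def parse_alerts(text):
    """Turn Snort full-format alert text into one dict per alert."""
    alerts, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):          # a header line starts a new alert
            cur = {"sig": m["sig"]}
            alerts.append(cur)
        elif cur is not None and (m := PACKET.match(line)):
            cur.update(ts=m["ts"], src=m["src"], dst=m["dst"],
                       sport=int(m["sport"]) if m["sport"] else None,
                       dport=int(m["dport"]) if m["dport"] else None)
        elif cur is not None and (m := PROTO.match(line)):
            cur.update(proto=m["proto"], ttl=int(m["ttl"]))
    return alerts

def summarize(alerts):
    """Counts per signature and destination port, plus watch-list hits."""
    by_sig = Counter(a["sig"] for a in alerts)
    by_dport = Counter(a["dport"] for a in alerts if a.get("dport") is not None)
    hits = [(a["ts"], a["src"], WATCH_PORTS[a["dport"]])
            for a in alerts if a.get("dport") in WATCH_PORTS]
    return by_sig, by_dport, hits
```

ICMP alerts carry no ports, so `dport` is `None` for them and they are excluded from the port counts rather than mis-counted.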