It is very interesting to see that our method uncovered most of the SCAN alerts. Here is the list of snort alerts found:

WEB-IIS view source via translate header
WEB-MISC http directory traversal
P2P GNUTella client request
WEB-IIS header field buffer overflow attempt
(http_inspect) OVERSIZE REQUEST-URI DIRECTORY
(http_inspect) DOUBLE DECODING ATTACK
(http_inspect) BARE BYTE UNICODE ENCODING
(http_inspect) IIS UNICODE CODEPOINT ENCODING
BAD-TRAFFIC tcp port 0 traffic
CHAT MSN message
P2P Napster Client Data
SCAN SOCKS Proxy attempt
SCAN Squid Proxy attempt
SCAN Proxy Port 8080 attempt
SCAN nmap TCP
SCAN synscan portscan
For some of these event types, monotonous (periodic) behavior is expected by design, so we discarded all SCAN, CHAT and P2P events. The remaining list still looks very impressive: a few sources (most of them even on the internal network) show automated behavior.
A quick look at the coverage our method achieved: there are a total of 168558 SCAN alerts in the logs, of which we uncovered 50466, which seems pretty good. One might object that this does not really help much; that is true, but we only want to show that our method has a certain amount of success. It would be very interesting to test the method on raw tcpdump logs to detect automated behavior!
Four of the top sources utilizing automated techniques are on the internal network.
Count  IP               Count  IP
67     32.245.166.236   23     148.64.16.128
40     207.166.87.157   13     170.129.50.120
25     138.97.18.88     11     115.74.249.65
...
Graphs summarizing the activity are shown in Figure 3.1, which shows, per target port, which snort alerts were triggered, and Figure 3.2, which shows the deltas and the corresponding snort alerts. Packets for which we could not associate a snort alert (NULL nodes) were eliminated from these graphs. It is interesting to see that the delta times for the SCAN Proxy Port alerts are very high, and these deltas do not show up just once or twice but several hundred times. This very nicely shows that our method of finding automated behavior works!
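The delta analysis described above, as an added example that is not part of the original write-up: it parses constructed snort-style alert lines (the format, addresses and timestamps are assumptions, not taken from the challenge logs), builds a per-source histogram of inter-arrival deltas, flags sources whose most common delta repeats, and reports what fraction of SCAN alerts those flagged sources account for.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in snort "fast" alert style (not from the original logs):
# one source fires every ~5 s (automated), the other at irregular gaps.
SAMPLE_ALERTS = """\
03/15-10:00:00.000 [**] SCAN Proxy Port 8080 attempt [**] 192.0.2.10 -> 198.51.100.5:8080
03/15-10:00:05.010 [**] SCAN Proxy Port 8080 attempt [**] 192.0.2.10 -> 198.51.100.6:8080
03/15-10:00:09.990 [**] SCAN SOCKS Proxy attempt [**] 192.0.2.10 -> 198.51.100.7:1080
03/15-10:00:15.020 [**] SCAN Squid Proxy attempt [**] 192.0.2.10 -> 198.51.100.8:3128
03/15-10:00:01.200 [**] WEB-MISC http directory traversal [**] 192.0.2.20 -> 198.51.100.5:80
03/15-10:00:18.500 [**] WEB-IIS view source via translate header [**] 192.0.2.20 -> 198.51.100.5:80
03/15-10:00:22.900 [**] SCAN nmap TCP [**] 192.0.2.20 -> 198.51.100.5:22
"""

ALERT_RE = re.compile(r"^(\S+) \[\*\*\] (.+?) \[\*\*\] (\S+) -> \S+:(\d+)$", re.M)

def parse_alerts(text):
    """Yield (timestamp, message, src_ip, dst_port); malformed lines are skipped."""
    for m in ALERT_RE.finditer(text):
        ts = datetime.strptime(m.group(1), "%m/%d-%H:%M:%S.%f")  # year defaults to 1900
        yield ts, m.group(2), m.group(3), int(m.group(4))

def delta_histogram(alerts, resolution=0.5):
    """Per source IP: Counter of inter-arrival deltas in seconds, rounded to resolution."""
    by_src = defaultdict(list)
    for ts, _msg, src, _port in alerts:
        by_src[src].append(ts)
    hist = {}
    for src, stamps in by_src.items():
        stamps.sort()  # alerts may be logged out of order per source
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        hist[src] = Counter(round(d / resolution) * resolution for d in deltas)
    return hist

def automated_sources(alerts, min_repeats=3, resolution=0.5):
    """Sources whose single most common delta repeats at least min_repeats times."""
    flagged = {}
    for src, counter in delta_histogram(alerts, resolution).items():
        for delta, n in counter.most_common(1):  # empty loop for single-alert sources
            if n >= min_repeats:
                flagged[src] = (delta, n)
    return flagged

def scan_coverage(alerts, flagged):
    """(total SCAN alerts, SCAN alerts attributable to a flagged source)."""
    scan = [a for a in alerts if a[1].startswith("SCAN ")]
    covered = [a for a in scan if a[2] in flagged]
    return len(scan), len(covered)
```

Pass `list(parse_alerts(SAMPLE_ALERTS))` to the analysis functions; raising `resolution` makes the method tolerant of jitter, and `min_repeats` should be set far higher on real logs, where the write-up observed the same delta several hundred times.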