[nsp-sec] lists of IPs (and ASNs) for SSH scanning and brute force

Smith, Donald Donald.Smith at CenturyLink.com
Sun Oct 30 09:46:29 EDT 2011


Thanks Russell. We have a very low tolerance for FPs, so I check most new and ad hoc reports. I would appreciate it if others here did it too, as many eyes/hands/brains make a task easier.

One question, Russell: is the scanning signature you're using based on destination port 22, or is it really just "scanning" any port?


(coffee != sleep) & (!coffee == sleep)
 Donald.Smith at qwest.com
________________________________________
From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] On Behalf Of Russell Fulton [r.fulton at auckland.ac.nz]
Sent: Saturday, October 29, 2011 8:34 PM
To: nsp-sec NSP
Subject: Re: [nsp-sec] lists of IPs (and ASNs) for SSH scanning and brute force

----------- nsp-security Confidential --------

A belated follow-up on this one.

It turns out that the scan data (as opposed to the brute force data) I posted is unreliable. Thanks to Donald Smith <Donald.Smith at CenturyLink.com> for querying this.

Donald sent me a list of IPs that I had fingered that his data did not support as being scanners. When I checked my flow data and looked at the snort alerts I saw that all of them were 'scanning' the same IP on our network, and that IP was the public face of our student wireless network (NATted). When I looked at destination stats for the snort alerts, this IP was an order of magnitude higher than anything else.

Flow data revealed that we were seeing two TCP connection attempts very close together, and this is enough to trigger the standard snort rule for SSH scans. Flow data also showed packets to UDP 22 too. I conclude that it is nothing to do with SSH and is most likely one of the P2P protocols.

The timeouts on the TCP connection attempts are very short, and these connections keep repeating several times an hour, making it look like a scan if you don't look too closely :(

I have adjusted the number of SYN packets needed to trip the signature up to 8 (from 5) in a 120 interval and will examine things carefully before posting any more data.

Apologies for the confusion and inconvenience.

Russell
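The false positive Russell describes above, worked through as an added example (this is editorial code, not anything posted to the list or run at Auckland): a sliding-window SYN counter that behaves like the threshold he tuned, run over constructed flow records for a genuine scanner and for a P2P peer that retries a NATted address in short bursts, followed by the second look he did by hand, counting distinct targets per alerted source and checking for UDP/22 to the same host. The addresses, timestamps and the `Flow` record layout are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int         # seconds (constructed, relative clock)
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    syn_only: bool  # TCP SYN that never completed a handshake, i.e. a bare connection attempt


# Constructed sample flows; none of this is real traffic from the thread.
NAT_IP = "192.0.2.10"           # stands in for the NATted student wireless address
FLOWS = []
# 1) a genuine scanner: one SYN to each of 12 hosts inside 30 seconds
for i in range(12):
    FLOWS.append(Flow(1000 + i * 2, "198.51.100.7", f"192.0.2.{100 + i}", "tcp", 22, True))
# 2) a P2P peer: pairs of quick SYNs to the NAT IP every 40 seconds, plus a UDP/22 packet each time
for burst in range(8):
    t = 1000 + burst * 40
    FLOWS.append(Flow(t, "203.0.113.5", NAT_IP, "tcp", 22, True))
    FLOWS.append(Flow(t + 1, "203.0.113.5", NAT_IP, "tcp", 22, True))
    FLOWS.append(Flow(t + 3, "203.0.113.5", NAT_IP, "udp", 22, False))


def syn_alerts(flows, threshold=8, window=120):
    """Snort-style count threshold: alert on any source that sends at least
    `threshold` SYN-only attempts to TCP/22 within some `window`-second span.
    Returns {src: largest count seen in one window} for sources that trip it."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport == 22 and f.syn_only:
            by_src[f.src].append(f.ts)
    alerts = {}
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            # slide the left edge until the window is at most `window` seconds wide
            while times[hi] - times[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


def classify(flows, alerts, min_targets=3):
    """The manual check from the thread, automated: a real scanner spreads its
    SYNs across many targets; a peer retrying one NATted host does not, and
    UDP to the same port on the same host is a further hint that this is P2P."""
    verdicts = {}
    for src in alerts:
        targets = {f.dst for f in flows
                   if f.src == src and f.proto == "tcp" and f.dport == 22 and f.syn_only}
        udp22 = {f.dst for f in flows
                 if f.src == src and f.proto == "udp" and f.dport == 22}
        if len(targets) >= min_targets:
            verdicts[src] = "scanner"
        elif targets & udp22:
            verdicts[src] = "likely P2P (single target, UDP/22 to same host)"
        else:
            verdicts[src] = "single target, needs manual check"
    return verdicts


if __name__ == "__main__":
    for thr in (5, 8):
        hits = syn_alerts(FLOWS, threshold=thr)
        print(f"threshold {thr}: {hits}")
        print(f"  verdicts: {classify(FLOWS, hits)}")
```

With the old threshold of 5 both sources alert (the peer reaches 7 SYNs inside one 120 s window); at 8 only the scanner does. The `classify` step is the more robust fix, since a peer with a slightly shorter retry timer would clear any fixed SYN count.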



On 23/10/2011, at 12:26 PM, Russell Fulton wrote:

> ----------- nsp-security Confidential --------
>
>
> scan file alerts on SYN packets and the brute file on connected session…
>
> <sshscan><sshbrute>
>
>
> Times
>
> Russell Fulton
>
> Information Security Officer, The University of Auckland
> New Zealand
>
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________








