
Figure 3 psad alerts

FIN scan:

=-=-=-=-=-=-=-=-=-=-=-= Sun Nov 30 23:55:50 2003 =-=-=-=-=-=-=-=-=-=-=-=
 ** psad: Suspicious traffic detected against 192.168.10.1


         Danger level: [2] (out of 5)

    Scanned tcp ports: [6100-6150: 164 packets]
            tcp flags: [FIN: 164 pkts, Nmap: -sF]

               Source: 192.168.10.2
                  DNS: [No reverse dns info available]

          Destination: 192.168.10.1
                  DNS: [No reverse dns info available]

          Syslog host: orthanc

     Current interval: Sun Nov 30 23:55:45 2003 (start)
                       Sun Nov 30 23:55:50 2003 (end)

  Overall stats since: Sun Nov 30 23:55:44 2003
   Complete tcp range: [80-6150]

   chain:   interface:   tcp:   udp:   icmp:
    input    eth1         204    0      0


 ** tcp scan signatures: **

"SCAN FIN" sid=621 chain=input packets=4 dp=6122 flags=[FIN] \
No local server on tcp/6122
"SCAN FIN" sid=621 chain=input packets=4 dp=6140 flags=[FIN] \
No local server on tcp/6140
"SCAN FIN" sid=621 chain=input packets=4 dp=6111 flags=[FIN] \
No local server on tcp/6111
"SCAN FIN" sid=621 chain=input packets=4 dp=6104 flags=[FIN] \
No local server on tcp/6104
"SCAN FIN" sid=621 chain=input packets=4 dp=6101 flags=[FIN] \
No local server on tcp/6101
"SCAN FIN" sid=621 chain=input packets=4 dp=6145 flags=[FIN] \
No local server on tcp/6145
"SCAN FIN" sid=621 chain=input packets=4 dp=6110 flags=[FIN] \
No local server on tcp/6110

=-=-=-=-=-=-=-=-=-=-=-= Sun Nov 30 23:55:50 2003 =-=-=-=-=-=-=-=-=-=-=-=

Sample "/usr/bin/id" command attempt (sid: 1332) against a webserver:

=-=-=-=-=-=-=-=-=-=-=-= Wed Dec 3 14:58:36 2003 =-=-=-=-=-=-=-=-=-=-=-=
 ** psad: Suspicious traffic detected against 127.0.0.1


         Danger level: [2] (out of 5)

    Scanned tcp ports: [80: 1 packets]
            tcp flags: [ACK PSH: 1 pkts]

               Source: 192.168.10.2
                  DNS: [No reverse dns info available]

          Destination: 192.168.10.1
                  DNS: [No reverse dns info available]

          Syslog host: orthanc

     Current interval: Wed Dec 3 14:58:31 2003 (start)
                       Wed Dec 3 14:58:36 2003 (end)

  Overall stats since: Mon Dec 1 00:06:49 2003
   Complete tcp range: [80-15104]

   chain:   interface:   tcp:   udp:   icmp:
    input    lo           2      0      0


 ** tcp scan signatures: **

"WEB-ATTACKS /usr/bin/id command attempt"
    classtype: web-application-attack
    sid: 1332
    content: "/usr/bin/id"
    chain: input
    packets: 1

=-=-=-=-=-=-=-=-=-=-=-= Wed Dec 3 14:58:36 2003 =-=-=-=-=-=-=-=-=-=-=-=

Sample dns exploit (sid: 265) against a dns server:

=-=-=-=-=-=-=-=-=-=-=-= Fri Dec 5 11:47:47 2003 =-=-=-=-=-=-=-=-=-=-=-=
 ** psad: Suspicious traffic detected against 127.0.0.1


         Danger level: [2] (out of 5)

    Scanned tcp ports: [53: 1 packets]
            tcp flags: [ACK PSH: 1 pkts]

               Source: 192.168.10.2
                  DNS: [No reverse dns info available]

          Destination: 192.168.10.1
                  DNS: [No reverse dns info available]

          Syslog host: orthanc

     Current interval: Fri Dec 5 11:47:47 2003 (start)
                       Fri Dec 5 11:47:47 2003 (end)

  Overall stats since: Fri Dec 5 11:47:47 2003
   Complete tcp range: [53]

   chain:   interface:   tcp:   udp:   icmp:
    input    lo           1      0      0


 ** tcp scan signatures: **

"DNS EXPLOIT x86 linux overflow attempt (ADMv2)"
    classtype: attempted-admin
    sid: 265
    content: "|89f7 29c7 89f3 89f9 89f2 ac3c fe|"
    chain: input
    packets: 1

=-=-=-=-=-=-=-=-=-=-=-= Fri Dec 5 11:47:47 2003 =-=-=-=-=-=-=-=-=-=-=-=