[unisog] Tool to find ssh attacks in argus logs

From: Russell Fulton (r.fulton@auckland.ac.nz)
Date: 11/04/01


Date: Mon, 5 Nov 2001 11:31:05 +1300 (NZDT)
Subject: [unisog] Tool to find ssh attacks in argus logs
From: Russell Fulton <r.fulton@auckland.ac.nz>
To: unisog@sans.org, argus-info@lists.andrew.cmu.edu

Greetings All,
             Here is a quick perl hack to scan archived argus[1] logs
for evidence of ssh attacks. The current attack that we have seen
iterates an offset for the shell code and this script picks up the
repeated attempts. The script is quite specific to this attack and
looks for ssh sessions within a quite narrow size range.

It has been tested by Peter Van Epp (thanks Peter!) on real data and
picked up all known attacks that they had seen and outgoing attacks from
machines on the network that had already been compromised. Peter also
modified the script to work with argus 1.8.x (see comments).

This is a first cut at this problem. If I get time I will modify this
(using stuff from my watcher scan detector script) to give real time
notification on attacks.

[1]: Argus IP audit tool http://www.qosient.com

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

#!/usr/bin/perl
use strict;
use warnings;

my %ipn;

$ENV{TZ} = 'UTC';

# Assumes version 2.0 ra -- remove the A switch if running with 1.8.x data.
# Everything on the command line is passed straight through to ra (e.g. the
# -r <argus file> arguments); the trailing filter keeps only tcp sessions
# to port 22.

open(RA, "bin/ra -Ancr " . join(' ', @ARGV) . " - tcp and dst port 22 |")
    or die "failed to open connection to ra: $!";

while (<RA>) {
  chomp;
  # Fixed-width unpack of the ra 2.0 output line.
  my ( $timestmp, $proto, $src, $srcp, $sym, $dst,
       $dstp, $topkt, $fpkt, $tobytes, $fbytes, $status) =
           unpack "A19x3A4a15xA6A3x2A16xA5xA8xA9xA12xA12a10", $_;
# From Peter Van Epp:
# If you are a luddite like me and still running 1.8.1, comment out the 3 lines
# above and uncomment the 5 lines below
#
# my ( $timestmp, $flag, $proto, $src, $srcp, $sym, $dst,
#      $dstp, $topkt, $fpkt, $tobytes, $fbytes, $status) =
#          unpack "A18xA3xA4xA15xA6A3xA15xA5xA6xA6x2A9xA9A3", $_;
# $src =~ s/ //g;
# $dst =~ s/ //g;

  # Skip header or otherwise malformed lines where the byte counts are not numeric.
  next unless defined $fbytes and $tobytes =~ /^\s*\d+$/ and $fbytes =~ /^\s*\d+$/;

  # Only sessions whose byte counts fall inside the narrow window seen for this attack.
  next unless ( $tobytes > 90000 and $tobytes < 110000 and
                $fbytes > 300 and $fbytes < 400);

  if ( ! exists $ipn{$src} ) {
      # First matching session from this source: remember when it started.
      $ipn{$src} = { COUNT => 0, TOTAL => 0, TIME => $timestmp };
  }
  if ( ! exists $ipn{$src}->{$dst} ) {
      $ipn{$src}->{COUNT}++;          # a new target for this source
      $ipn{$src}->{$dst} = 1;
  } else {
      $ipn{$src}->{$dst}++;           # repeat attempt against the same target
  }
  $ipn{$src}->{TOTAL}++;
  $ipn{$src}->{LTIME} = $timestmp;    # time of the most recent matching session
}
close(RA);

print scalar keys %ipn, "\n";

# Busiest sources first.
foreach my $ip (sort { $ipn{$b}->{TOTAL} <=> $ipn{$a}->{TOTAL} } keys %ipn) {
# my $dn = gethostbyaddr(pack("C4", split(/\./, $ip)), 2) || '';
# last if $ipn{$ip}->{TOTAL} == 1;
   print "$ip $ipn{$ip}->{TIME} -- $ipn{$ip}->{LTIME} # number of targets " .
         "$ipn{$ip}->{COUNT} total sessions $ipn{$ip}->{TOTAL}\n";
}
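The same heuristic in Python, as an added example that is not part of the post or of the argus tool: it assumes a simplified whitespace-separated record layout (constructed here, not ra's fixed-width output), applies the post's size window and per-source counting, and adds a minimum-session cutoff in place of the commented-out `last if` line.

```python
# Size window from the post; each byte counter keeps the name the Perl script
# uses ($tobytes / $fbytes) and the bounds are exclusive, as there.
TOBYTES_WINDOW = (90000, 110000)
FBYTES_WINDOW = (300, 400)

# Constructed sample records (not real ra output), one flow per line:
# time proto src sport dir dst dport topkt fpkt tobytes fbytes state
SAMPLE_FLOWS = [
    "2001-11-04T03:12:07 tcp 10.0.0.5 3321 -> 192.0.2.10 22 210 180 98000 350 FIN",
    "2001-11-04T03:12:41 tcp 10.0.0.5 3322 -> 192.0.2.10 22 212 181 99500 355 FIN",
    "2001-11-04T03:13:15 tcp 10.0.0.5 3323 -> 192.0.2.11 22 211 179 101000 348 FIN",
    "2001-11-04T03:14:02 tcp 10.0.0.9 4410 -> 192.0.2.10 22 40 35 5200 1800 FIN",
    "2001-11-04T03:15:30 tcp 10.0.0.7 5001 -> 192.0.2.12 22 200 170 95000 320 FIN",
    "2001-11-04T03:16:00 tcp 10.0.0.5 3324 -> 192.0.2.10 80 210 180 98000 350 FIN",
]

def parse_flow(line):
    """Split one constructed record into the fields the heuristic needs, or None."""
    f = line.split()
    if len(f) != 12:
        return None
    return {"time": f[0], "proto": f[1], "src": f[2], "dst": f[5],
            "dport": f[6], "tobytes": int(f[9]), "fbytes": int(f[10])}

def in_window(flow):
    """The post's filter: tcp to port 22 with both byte counters inside the window."""
    return (flow["proto"] == "tcp" and flow["dport"] == "22"
            and TOBYTES_WINDOW[0] < flow["tobytes"] < TOBYTES_WINDOW[1]
            and FBYTES_WINDOW[0] < flow["fbytes"] < FBYTES_WINDOW[1])

def summarize(lines, min_sessions=1):
    """Per source: (first_seen, last_seen, distinct targets, total sessions), busiest first."""
    per_src = {}
    for line in lines:
        flow = parse_flow(line)
        if flow is None or not in_window(flow):
            continue
        rec = per_src.setdefault(flow["src"], {"first": flow["time"], "targets": set(), "total": 0})
        rec["last"] = flow["time"]
        rec["targets"].add(flow["dst"])
        rec["total"] += 1
    rows = [(src, r["first"], r["last"], len(r["targets"]), r["total"])
            for src, r in per_src.items() if r["total"] >= min_sessions]
    return sorted(rows, key=lambda row: -row[4])

def report(lines, min_sessions=1):
    """Same layout as the Perl script's output line."""
    return ["%s %s -- %s # number of targets %d total sessions %d" % row
            for row in summarize(lines, min_sessions)]
```

With `min_sessions=2` only the source with repeated in-window sessions is reported; the normal-sized session and the non-22 session never enter the count.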

--
Dave Dittrich                           Computing & Communications
dittrich@cac.washington.edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key http://staff.washington.edu/dittrich/pgpkey.txt Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management and tracking system
please see: http://aris.securityfocus.com


