Use Cases related to the opportunist attacker class. This class includes but is not limited to Bots, Worms, Mass Malware, Script Kiddies. They are opportunistic in the way that they move on if they don’t find a particular known vulnerability. The sophistication is relatively low and to compensate for it they use large scale.
Most of time these trends are given by Firewall reporting, but an IDS how is configured to report activities on non used TCP, or UDP, ports, could also trigger alerts. If you use the Emerging Threats “Known Compromised Hosts” and “Recommended Block List“, correlation between Firewall activities and IDS signatures will give you a better overview on the attacker.
24 hours source port 12200/TCP events1 week source port 12200 events1 month source port 12200/TCP events1 year source port 12200/TCP eventsSource port 12200 source countries repartitionSource port 12200 destination ports repartition
We have some targeted Blind SQL Injection focusing on some randoms URLs, and all the time the same three parameters. We have actually make a list of different IP addresses, all located in China (hn.kd.ny.adsl), and more particular from the Henan province. All theses source IP addresses generating 30 distinct events. The 22/04/2010 events are not related with this Use Case.
Theses Blind SQL Injection scans are detected by Emerging Threats Snort rules, more precisely the 2011040 “WEB_SERVER Possible Usage of MYSQL Comments in URI for SQL Injection“, and also by the rule 2006446 “ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT“.
1 Month TOP 10 source IPs for SID 20110401 Month TOP 10 source IPs for SID 2006446TOP 20 source countries for SID 2011040TOP 20 source countries for SID 2006446
When starting the Blind SQL Injection scan, the source port stay static during 26 of 30 events and the last 4 events are have also a static source port, but different from the initial 26 events. We have also seen that some source IP only test doing 10 events, all these teen events with the same static source port.
For examples :
115.52.225.227 – hn.kd.ny.adsl – Beijing – China – User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
source port : 60865 (26 events)
source port : 61446 (4 events)
1 week 115.52.225.227 SIG 2011040 events
123.161.77.52 – Beijing – China – User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
source port : 21703 (26 events)
source port : 22035 (4 events)
1 week 123.161.77.52 SIG 2011040 events
115.52.227.129 – hn.kd.ny.adsl – Beijing – China – User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
source port : 24431 (26 events)
source port : 25206 (4 events)
1 month 115.52.227.129 SIG 2011040 events
hn.kd.ny.adsl is well know on Internet for malware, spam, etc. activities.
The 3 source IP addresses replay exactly the same HTTP Blind SQL Injection sequences, you can find them here under. This Blind SQL Injection Tool has maybe an Google Dorking capability.
24 hours 500 destination port events1 week destination port 500 event1 month destination port 500 events1 year destination port 500 eventssource ports repartition for destination port 500source countries repartition for destination port 500
Theses patterns are related to Revolt Scanner, an Web scanner specialized in phpMyAdmin installation discovery. When the scanner is started the source port will stay static during the complete web directory discovery brute forcing. Also, this scanner is only targeting the IN A IP address of the domain he is asking.
Theses scans are detected by Emerging Threats Snort rules, more precisely the 2009288 “WEB_SERVER Attack Tool Revolt Scanner“.
You can find here, the typical list of directories how are scanned by revolt.
Here under you can find the latest statistics for Revolt Agent activities.
1 Month SIG 2009288 events activitiesOne year SIG 2009288 events activities1 Month TOP 10 source IPs for SIG 2009288TOP 20 source countries for SIG 2009288
