Category Archives: Use Cases

System Use Cases helping you to detect attacks against your infrastructures. These System Use Cases are classified by Attacker Classes (Opportunists, Targeting Opportunists, Professional or State Founded). This classification is inspired by Thierry Zoller work “Attacker Classes and Pyramid (Version 2)”.

SUC009 : Activities on source port 500 destination port 500/UDP

Opportunists, Professional, Targeting Opportunists, Use Cases,
  • Use Case Reference : SUC009
  • Use Case Title : Activities on source port 500 destination port 500/UDP
  • Use Case Detection : Firewall / IDS
  • Attacker Class : Opportunists / Targeting Opportunists / Professional
  • Attack Sophistication : Unsophisticated / Low / Mid-High
  • Identified tool(s) : Possible ike-scan
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : 500/UDP
  • Destination Port(s) : 500/UDP

Possible(s) correlation(s) :

  • This UDP destination port is related to IKE isakmp. Often detected as an DoS attempt on Win2000.
  • ike-scan

Sources :

24 hours 500 destination port events
24 hours 500 destination port events
1 week destination port 500 event
1 week destination port 500 event
1 month destination port 500 events
1 month destination port 500 events
1 year destination port 500 events
1 year destination port 500 events
source ports repartition for destination port 500
source ports repartition for destination port 500
source countries repartition for destination port 500
source countries repartition for destination port 500

SUC007 : Activities on 49153/UDP linkproof.proximity.advanced

Use Cases,
  • Use Case Reference : SUC007
  • Use Case Title : Activities on 49153/UDP destination ports
  • Use Case Detection : Firewall / IDS
  • Targeted attack : N/A
  • Identified tool(s) : Radware Linkproof products
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 49153 UDP

You have surely also detected an activity in destination of the 49153/UDP port, with a payload containing “linkproof.proximity.advanced“.

Possible(s) correlation(s) :

  • This destination port with this particular payload is related to Radware Linkproof products.

Sources :

24 hours 49153 destination port events
24 hours 49153 destination port events
1 week destination port 49153 event
1 week destination port 49153 event
1 month destination port 49153 events
1 month destination port 49153 events
1 year destination port 49153 events
1 year destination port 49153 events
source ports repartition for destination port 49153
source ports repartition for destination port 49153
source countries repartition for destination port 49153
source countries repartition for destination port 49153

SUC004 : phpMyAdmin User-Agent Revolt Scanner

Opportunists, Use Cases, , , , ,
  • Use Case Reference : SUC004
  • Use Case Title : phpMyAdmin User-Agent Revolt Scanner
  • Use Case Detection : HTTP Logs / IDS
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Revolt Scanner
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random port, but static source port when scan is initiated
  • Destination Port(s) : 80/TCP, 443/TCP
Possible(s) correlation(s) :
  • phpMyAdmin scanner

Source(s) :

Surely during your daily HTTP log check, you have detect theses kind of patterns.

...
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/mysql/sqlmanager/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/mysql/mysqlmanager/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpMyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpMyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyadmin2/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/2phpmyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmy/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phppma/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/myadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/MyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/program/ HTTP/1.1" 301 - "-" "revolt"
...

Theses patterns are related to Revolt Scanner, an Web scanner specialized in phpMyAdmin installation discovery. When the scanner is started the source port will stay static during the complete web directory discovery brute forcing. Also, this scanner is only targeting the IN A IP address of the domain he is asking.

Theses scans are detected by Emerging Threats Snort rules, more precisely the 2009288WEB_SERVER Attack Tool Revolt Scanner“.

You can find here, the typical list of directories how are scanned by revolt.

Here under you can find the latest statistics for Revolt Agent activities.

1 Month SIG 2009288 events activities
1 Month SIG 2009288 events activities
One year SIG 2009288 events activities
One year SIG 2009288 events activities
1 Month TOP 10 source IPs for SIG 2009288
1 Month TOP 10 source IPs for SIG 2009288
TOP 20 source countries for SIG 2009288
TOP 20 source countries for SIG 2009288

SUC003 : Events from static source port 6000/TCP

Opportunists, Use Cases
  • Use Case Reference : SUC003
  • Use Case Title : Events from static source port 6000/TCP
  • Use Case Detection : Firewall / IDS
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Unknown
  • Source IP(s) : Random
  • Source Countries : Most of China
  • Source Port(s) : 6000/TCP
  • Destination Port(s) : 135/TCP, 1080/TCP, 1433/TCP, 1521/TCP, 2967/TCP, 3127/TCP, 3128/TCP, 8000/TCP, 8080/TCP, 9090/TCP

Possible(s) correlation(s) :

  • Worm Dasher

Sources :

Same as many other Honey Net, we detected activities with static source port 6000 in destination of above destination ports.

This 6000/TCP port, is well know for targeting Microsoft-SQL-Server 1433/TCP, but has involve to target Oracle 1521/TCP.

Since a few days, source port 6000/TCP is targeting new destination ports : 8000/TCP, 8080/TCP and 9090/TCP.

Most of time these trends are given by Firewall reporting, but an IDS how is configured to report activities on non used TCP, or UDP, ports, could also trigger alerts. If you use the Emerging Threats “Known Compromised Hosts” and “Recommended Block List“, correlation between Firewall activities and IDS signatures will give you a better overview on the attacker.

24 hours source port 6000 events
24 hours source port 6000 events
1 week source port 6000 events
1 week source port 6000 events
1 month source port 6000 events
1 month source port 6000 events
1 year source port 6000 events
1 year source port 6000 events
Source port 6000 source countries repartition
Source port 6000 source countries repartition
Source port 6000 destination ports repartition
Source port 6000 destination ports repartition