Category Archives: Targeting Opportunists

Use cases related to the Targeting Opportunists attacker class. This class represents a more targeted, focused group of Opportunists: they do not scan and probe the whole internet and stop as soon as they stumble across something interesting. Instead they target one organisation in an opportunistic way, meaning they mass scan that particular organisation continuously, looking for weak spots.

SUC018 : Nikto Web App Scan in Progress

  • Use Case Reference : SUC018
  • Use Case Title : Nikto2 Web App Scan in Progress
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists / Targeting Opportunists / Professional
  • Attack Sophistication : Unsophisticated / Low / Mid-High
  • Identified tool(s) : Nikto2 web scanner
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • Nikto2

Source(s) :

Emerging Threats SIG 2002677 creates an alert when a User-Agent header containing the string “Nikto/xxxx” (where xxxx represents the Nikto2 version) is detected in HTTP or HTTPS traffic to a destination. An alert is sent after 5 occurrences of the event within 60 seconds; any additional events during those 60 seconds are then ignored.

Nikto2 is normally used to evaluate the security of web servers. If you detect this kind of activity, you should add the attacker IP address to an “Aggressive Attacker” list for further trend analysis and correlations.

Figures: Nikto2 web scanner SIG 2002677 event activity over 1 week, 1 month and 1 year.

SUC015 : Potential SSH Scan

  • Use Case Reference : SUC015
  • Use Case Title : Potential SSH Scan
  • Use Case Detection : Firewall logs / IDS / SSH logs
  • Attacker Class : Opportunists / Targeting Opportunists
  • Attack Sophistication : Unsophisticated / Low
  • Identified tool(s) : Most of time libssh based
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 22/TCP

Possible(s) correlation(s) :

  • SSH fingerprinting
  • SSH brute forcing

Source(s) :

We have compiled a list of more than 5 000 usernames that have been used in attempts to brute force logins on our HoneyNet servers. This list is updated every day.

Emerging Threats SIG 2001219 creates an alert when 5 connections to destination port 22/TCP are seen within an interval of 120 seconds. If we see, for example, 10 connections within the 120-second interval, 2 alerts will be triggered. This SIG can be used to detect SSH brute force attacks.

Emerging Threats SIG 2006546 creates an alert when the content of a packet to destination port 22/TCP contains “SSH-” and “libssh”. In addition, the alert is only triggered when we detect 5 such connections within an interval of 30 seconds. If we see, for example, 10 connections within the 30-second interval, only 1 alert will be triggered. This SIG can be used to detect SSH brute force attacks, but only based on strict recognition of tools that use “libssh”.

Emerging Threats SIG 2006345 creates an alert when the content of a packet to destination port 22/TCP contains “SSH-” and “libssh”. In addition, the alert is triggered as soon as we detect 1 such connection within an interval of 30 seconds. If we see, for example, 10 connections within the 30-second interval, only 1 alert will be triggered. This SIG can be used to detect SSH fingerprinting, but only based on strict recognition of tools that use “libssh”. This SIG is not useful for recognising SSH brute force attacks because of its limit-type threshold.
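As an added example (not code from the original page and not the Emerging Threats rule bodies), the following Python reproduces the three threshold behaviours described for the SSH signatures above and for SIG 2002677 in SUC018: “every Nth event” (SIG 2001219), “once after N events, then silence for the rest of the window” (SIG 2006546 and SIG 2002677) and “first event only” (SIG 2006345). The log line format, the IP addresses and the per-rule match conditions are constructed assumptions simplified from the page's descriptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Rule:
    sid: int
    name: str
    dports: frozenset
    match: Callable[[str], bool]   # predicate over the packet payload
    kind: str                      # "limit", "threshold" or "both"
    count: int
    seconds: int


@dataclass
class _State:
    window_start: Optional[int] = None
    hits: int = 0


# Match conditions are simplified from the page's descriptions (assumption),
# not the actual Emerging Threats rule bodies.
RULES = [
    Rule(2002677, "Nikto web app scan in progress", frozenset({80, 443}),
         lambda p: "Nikto/" in p, "both", 5, 60),
    Rule(2001219, "Potential SSH scan", frozenset({22}),
         lambda p: True, "threshold", 5, 120),
    Rule(2006546, "SSH libssh brute force", frozenset({22}),
         lambda p: "SSH-" in p and "libssh" in p, "both", 5, 30),
    Rule(2006345, "SSH libssh fingerprinting", frozenset({22}),
         lambda p: "SSH-" in p and "libssh" in p, "limit", 1, 30),
]


def _fires(rule: Rule, state: _State, t: int) -> bool:
    """Apply one event to a per-(rule, source) window and decide whether to alert.

    Simplification: the window opens at the first event and is reset once
    `rule.seconds` have elapsed since it opened.
    """
    if state.window_start is None or t - state.window_start >= rule.seconds:
        state.window_start, state.hits = t, 0
    state.hits += 1
    if rule.kind == "limit":       # alert on the first `count` events, then stay silent
        return state.hits <= rule.count
    if rule.kind == "threshold":   # alert on every `count`-th event in the window
        return state.hits % rule.count == 0
    if rule.kind == "both":        # alert once, when the `count`-th event arrives
        return state.hits == rule.count
    raise ValueError(f"unknown threshold type {rule.kind!r}")


def parse_line(line: str):
    """Constructed log format: 'HH:MM:SS src_ip proto/dport payload...'."""
    ts, src, proto_port, payload = line.split(" ", 3)
    h, m, s = (int(x) for x in ts.split(":"))
    proto, dport = proto_port.split("/")
    return h * 3600 + m * 60 + s, src, proto, int(dport), payload


def run(lines, rules=RULES):
    """Return one (sid, src_ip, time) tuple per alert the rules would raise."""
    states = defaultdict(_State)
    alerts = []
    for t, src, _proto, dport, payload in sorted(map(parse_line, lines), key=lambda e: e[0]):
        for rule in rules:
            if dport in rule.dports and rule.match(payload):
                if _fires(rule, states[(rule.sid, src)], t):
                    alerts.append((rule.sid, src, t))
    return alerts


def alert_counts(lines, rules=RULES) -> Counter:
    """Number of alerts per (sid, src_ip)."""
    return Counter((sid, src) for sid, src, _ in run(lines, rules))


# Constructed sample traffic: ten libssh connections in 27 seconds, seven Nikto
# requests in 30 seconds and one ordinary browser request.
SAMPLE_LOG = (
    [f"10:00:{3 * i:02d} 203.0.113.7 tcp/22 SSH-2.0-libssh_0.9.6" for i in range(10)]
    + [f"10:01:{5 * i:02d} 198.51.100.9 tcp/80 GET / HTTP/1.1 User-Agent: Mozilla/5.00 (Nikto/2.1.6)"
       for i in range(7)]
    + ["10:01:12 192.0.2.5 tcp/80 GET /index.html HTTP/1.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64)"]
)

if __name__ == "__main__":
    for (sid, src), n in sorted(alert_counts(SAMPLE_LOG).items()):
        print(f"SID {sid} from {src}: {n} alert(s)")
```

Run on the constructed sample, the ten libssh connections produce 2 alerts for SIG 2001219, 1 for SIG 2006546 and 1 for SIG 2006345, and the seven Nikto requests produce 1 alert for SIG 2002677, matching the counts the descriptions give; the ordinary browser request raises nothing.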

In parallel you could correlate these alerts with your firewall logs and/or SSH daemon logs to create a real correlated alert. But as long as the attacker is not logged in to your system, these alerts should not have a high priority level, because most of the time these scans are done by bots. You could add the attacker IP address to a “Suspicious Attacker” list for further trend analysis and correlation activities.

Another operation you could perform is to compare the usernames in the SSH brute forcing dictionary with your existing SSH usernames. If one of your usernames is present in the dictionary, we recommend you change it.
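As an added example (not code from the original page), the following Python performs the comparison just described: it takes the login names with an interactive shell from a file in /etc/passwd format and reports those that also appear in a brute force username dictionary. The passwd entries and the dictionary excerpt are constructed sample data, not the page's 5 000-name list.

```python
import sys

# Constructed sample in /etc/passwd format (not real accounts).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
admin:x:1000:1000:Site Admin:/home/admin:/bin/bash
oracle:x:1001:1001::/home/oracle:/bin/bash
jdoe:x:1002:1002:Jane Doe:/home/jdoe:/bin/zsh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""

# Constructed excerpt standing in for a brute force username dictionary, one name per line.
SAMPLE_DICTIONARY = """\
root
admin
test
oracle
Backup
user
"""

NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", ""}


def login_accounts(passwd_text: str) -> set:
    """Login names of accounts that can actually open an interactive session."""
    names = set()
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # malformed entry: skip rather than guess
            continue
        name, shell = fields[0], fields[6]
        if shell not in NON_LOGIN_SHELLS:
            names.add(name)
    return names


def load_dictionary(text: str) -> set:
    """Normalise dictionary entries: strip whitespace, drop blanks, lower-case."""
    return {entry.strip().lower() for entry in text.splitlines() if entry.strip()}


def exposed_usernames(passwd_text: str, dictionary_text: str) -> list:
    """Sorted login names that appear in the dictionary. The comparison is
    case-insensitive on purpose: flagging a near match is cheaper than missing one."""
    dictionary = load_dictionary(dictionary_text)
    return sorted(n for n in login_accounts(passwd_text) if n.lower() in dictionary)


if __name__ == "__main__":
    # Usage: python check_usernames.py [dictionary.txt]
    # With a dictionary path the local /etc/passwd is checked; without one the
    # constructed sample data is used.
    if len(sys.argv) == 2:
        with open("/etc/passwd") as passwd, open(sys.argv[1]) as dictionary:
            hits = exposed_usernames(passwd.read(), dictionary.read())
    else:
        hits = exposed_usernames(SAMPLE_PASSWD, SAMPLE_DICTIONARY)
    for name in hits:
        print(f"{name}: present in the brute force dictionary, consider renaming")
```

On the sample data the accounts admin, oracle and root are reported; backup is ignored because its shell is /usr/sbin/nologin, so it cannot be used for an SSH login anyway. root cannot be renamed on most systems, which is why the usual mitigation for it is to disallow password-based SSH login rather than to change the name.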

Figures: SIG 2001219 event activity over 24 hours, 1 week, 1 month and one year; 1 month TOP 10 source IPs for SIG 2001219; TOP 20 source countries for SIG 2001219.

SUC009 : Activities on source port 500 destination port 500/UDP

  • Use Case Reference : SUC009
  • Use Case Title : Activities on source port 500 destination port 500/UDP
  • Use Case Detection : Firewall / IDS
  • Attacker Class : Opportunists / Targeting Opportunists / Professional
  • Attack Sophistication : Unsophisticated / Low / Mid-High
  • Identified tool(s) : Possible ike-scan
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : 500/UDP
  • Destination Port(s) : 500/UDP

Possible(s) correlation(s) :

  • This UDP destination port is related to IKE / ISAKMP. Often detected as a DoS attempt on Win2000.
  • ike-scan

Source(s) :

Figures: destination port 500 events over 24 hours, 1 week, 1 month and 1 year; source port repartition and source country repartition for destination port 500.