[Emerging-Sigs] 'FP's on 2012612 -- ET SCAN Potential SSH Brute Force

Russell Fulton r.fulton at auckland.ac.nz
Sun Oct 30 02:15:27 EST 2011


Note the 's around the 'FP'.  This is a warning that folk using this to report ssh scanners need to be aware that this is triggered by things other than ssh scanning.  Below is some data from argus.  The destination is the publicly visible address of our student wireless network (NATted).  I am seeing thousands of IPs with similar traffic patterns to this IP.


   18:48:55.525644  e s       tcp       112.198.83.5.46417     ->     130.216.30.112.22           10        632    S_
   18:49:08.886028  e s       tcp       112.198.83.5.38676     ->     130.216.30.112.22           10        632    S_
   18:50:00.746665  e s       tcp       112.198.83.5.46417     ->     130.216.30.112.22            1         62    S_
   18:50:14.096540  e s       tcp       112.198.83.5.38676     ->     130.216.30.112.22            1         62    S_
   18:51:44.584526  e s       tcp       112.198.83.5.47689     ->     130.216.30.112.22           10        632    S_
   18:51:46.474019  e         udp       112.198.83.5.50520     ->     130.216.30.112.22            1         62   INT
   18:51:58.126140  e s       tcp       112.198.83.5.48322     ->     130.216.30.112.22           10        632    S_
   18:52:49.795690  e s       tcp       112.198.83.5.47689     ->     130.216.30.112.22            1         62    S_
   18:53:03.345606  e s       tcp       112.198.83.5.48322     ->     130.216.30.112.22            1         62    S_
   18:54:23.323619  e s       tcp       112.198.83.5.52759     ->     130.216.30.112.22           10        632    S_
   18:54:25.263472  e         udp       112.198.83.5.58712     ->     130.216.30.112.22            1         62   INT
   18:54:36.903359  e s       tcp       112.198.83.5.49381     ->     130.216.30.112.22           10        632    S_
   18:55:09.835203  e s       tcp       112.198.83.5.50197     ->     130.216.30.112.22           10        632    S_
   18:55:22.664625  e s       tcp       112.198.83.5.46769     ->     130.216.30.112.22           10        632    S_
   18:55:28.544296  e s       tcp       112.198.83.5.52759     ->     130.216.30.112.22            1         62    S_
   18:55:42.144505  e s       tcp       112.198.83.5.49381     ->     130.216.30.112.22            1         62    S_
   18:56:15.044438  e s       tcp       112.198.83.5.50197     ->     130.216.30.112.22            1         62    S_
   18:56:27.892832  e s       tcp       112.198.83.5.46769     ->     130.216.30.112.22            1         62    S_
   18:58:07.224168  e s       tcp       112.198.83.5.55755     ->     130.216.30.112.22           10        632    S_
   18:58:09.193346  e         udp       112.198.83.5.54616     ->     130.216.30.112.22            1         62   INT
   18:58:20.915591  e s       tcp       112.198.83.5.59984     ->     130.216.30.112.22           10        632    S_

Note UDP packets to 22 as well!

My guess is that this is some ill-behaved p2p client.  Note the 10 SYN packets on each connection attempt -- these easily trigger this sig.  I have raised the threshold substantially but I am still seeing a lot of hosts triggering 2012612.

I am now looking at adding destination filters for this rule.


Russell Fulton

Information Security Officer, The University of Auckland
New Zealand
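As an added example (not part of Russell's post or of argus itself), here is a small Python parser for flow lines in the column layout shown above. It counts, per source address, the SYN packets a packet-count threshold would see against the number of distinct connection attempts (one per source port), plus the UDP hits on port 22; the sample lines are constructed to match the output above, and treating state `S_` as a SYN-only flow is an assumption.

```python
"""Added example: summarise argus-style flow lines so that SYN retransmits
(10 packets per attempt in the post) are not mistaken for 10 attempts."""
from collections import defaultdict

# Constructed sample in the same column layout as the argus output above.
SAMPLE = """\
18:48:55.525644  e s       tcp       112.198.83.5.46417     ->     130.216.30.112.22           10        632    S_
18:49:08.886028  e s       tcp       112.198.83.5.38676     ->     130.216.30.112.22           10        632    S_
18:50:00.746665  e s       tcp       112.198.83.5.46417     ->     130.216.30.112.22            1         62    S_
18:51:46.474019  e         udp       112.198.83.5.50520     ->     130.216.30.112.22            1         62   INT
18:58:20.915591  e s       tcp       112.198.83.5.59984     ->     130.216.30.112.22           10        632    S_
"""

def split_addr(addr):
    """Split 'host.port' into (host, port); argus appends the port after a dot."""
    host, _, port = addr.rpartition(".")
    return host, int(port)

def parse_flows(text):
    """Yield one dict per flow line, located relative to the '->' column."""
    for line in text.splitlines():
        fields = line.split()
        if "->" not in fields:
            continue
        i = fields.index("->")
        if i < 2 or i + 4 >= len(fields):
            continue  # not a complete record
        src, sport = split_addr(fields[i - 1])
        dst, dport = split_addr(fields[i + 1])
        yield {"proto": fields[i - 2], "src": src, "sport": sport,
               "dst": dst, "dport": dport, "pkts": int(fields[i + 2]),
               "bytes": int(fields[i + 3]), "state": fields[i + 4]}

def summarise_ssh(text, dport=22):
    """Per source: SYN packets seen, distinct TCP attempts, UDP flows to dport."""
    stats = defaultdict(lambda: {"syn_pkts": 0, "attempts": set(), "udp": 0})
    for f in parse_flows(text):
        if f["dport"] != dport:
            continue
        s = stats[f["src"]]
        # Assumption: state S_ is a SYN-only flow (client SYNs, no reply seen).
        if f["proto"] == "tcp" and f["state"] == "S_":
            s["syn_pkts"] += f["pkts"]
            s["attempts"].add(f["sport"])   # retransmits share the source port
        elif f["proto"] == "udp":
            s["udp"] += 1
    return {src: {"syn_pkts": v["syn_pkts"], "attempts": len(v["attempts"]),
                  "udp": v["udp"]} for src, v in stats.items()}
```

On the sample above the source shows 31 SYN packets but only 3 distinct attempts, which is why a threshold on packets alone over-counts this traffic.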