[cumbria_lug] Windows Network Noise on the Net.
Steve
Steve at fadges.demon.co.uk
Sun Dec 19 21:39:05 GMT 2004
Interesting observation....
I recently had cause to heavily monitor the traffic which was hitting my
router (and bouncing off) after being monumentally stupid (might relate
the tale at the next meet), and was quite surprised at what I saw after
analysing the logs I've collected so far.
Although I didn't capture a full portscan or attempted attack (although
I know I was hit twice), it was quite interesting to see some patterns
emerge from the noise.
Of the 850 or so direct hits at my external IP address in the last 3 1/2
days, 84% seems to be related to MS Windows NetBIOS and Messenger Service
(Spam) (ports 135,137,139,445,1026,1027). The other 16% was mostly
viruses and general port scans for machines compromised by various
hacking tools.
Most of the addresses for hacks and viruses seem to originate from
China, with Russia a close second and noise from the US and Sweden!
Most of the NetBIOS stuff seems to be from local machines in the same
'local' net as myself, although one machine was responsible for 50 hits
(of 295 on port 135). I was actually quite shocked: after a fit of
madness I put the address in Windows Exploder (as if attaching to a file
share) and up pops a login dialog for what would appear to be a
completely unprotected machine on broadband - the mind boggles.
I'd be very curious if anyone else has seen any similar patterns, or had
done/found anything similar.
Anyway, on to the big question... has anyone come across any tools for
analysing Syslog logs to get information and stats out of them. Most of
the entries I'm interested in are of the form:
Dec 19 04:48:01 z.z.z.z router1: src="x.x.x.x:port" dst="y.y.y.y:port"
msg="Firewall default policy: UDP (L to W)" note="ACCESS BLOCK"
I've got syslog setup to collect all the information from the router in
a separate file, so extracting from the main system logs isn't a problem.
I'm wanting to extract all the port information, as well as source
addresses for automated lookup, so I can build up a picture of
what's happening outside. Stats on ports, etc., as well as where all
this stuff is coming from.
I'm open to thoughts and suggestions.
Steve
PS. Doodads and whatevers for the current season... etc. :-)
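As an added example (not part of Steve's post or any tool he mentions), a small Python script that parses router records in the exact format quoted above and produces the per-port and per-source counts asked for; it assumes the field layout is always src/dst/msg/note as shown, and the sample records, addresses and the NetBIOS/Messenger port list are constructed from the post's own figures.

```python
import re
from collections import Counter

# Matches the router record format quoted in the post (hostname "router1" is from the post).
LOG_RE = re.compile(
    r'^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>\S+): '
    r'src="(?P<src_ip>[^":]+):(?P<src_port>\d+)" dst="(?P<dst_ip>[^":]+):(?P<dst_port>\d+)" '
    r'msg="(?P<msg>[^"]*)" note="(?P<note>[^"]*)"'
)
# Ports the post lumps together as Windows NetBIOS / Messenger-service noise.
WINDOWS_NOISE_PORTS = {135, 137, 139, 445, 1026, 1027}

def parse_line(line):
    """Return a dict of fields for one firewall record, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"], rec["dst_port"] = int(rec["src_port"]), int(rec["dst_port"])
    # Protocol is the word after "policy:" in the message, e.g. "UDP (L to W)".
    proto = re.search(r"policy:\s*(\w+)", rec["msg"])
    rec["proto"] = proto.group(1) if proto else "?"
    return rec

def summarise(lines):
    """Count blocked hits per destination port, source address and protocol."""
    stats = {"total": 0, "unparsed": 0, "windows_noise": 0,
             "ports": Counter(), "sources": Counter(), "protos": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # other syslog lines are counted, not dropped silently
            stats["unparsed"] += 1
            continue
        stats["total"] += 1
        stats["ports"][rec["dst_port"]] += 1
        stats["sources"][rec["src_ip"]] += 1
        stats["protos"][rec["proto"]] += 1
        stats["windows_noise"] += int(rec["dst_port"] in WINDOWS_NOISE_PORTS)
    return stats

# Constructed sample records in the post's format, using documentation address ranges.
SAMPLE_LOG = """\
Dec 19 04:48:01 192.0.2.1 router1: src="198.51.100.7:1031" dst="192.0.2.1:135" msg="Firewall default policy: TCP (W to L)" note="ACCESS BLOCK"
Dec 19 04:48:09 192.0.2.1 router1: src="198.51.100.7:1032" dst="192.0.2.1:445" msg="Firewall default policy: TCP (W to L)" note="ACCESS BLOCK"
Dec 19 04:49:30 192.0.2.1 router1: src="203.0.113.9:1026" dst="192.0.2.1:1026" msg="Firewall default policy: UDP (W to L)" note="ACCESS BLOCK"
Dec 19 04:50:12 192.0.2.1 router1: src="203.0.113.44:54321" dst="192.0.2.1:22" msg="Firewall default policy: TCP (W to L)" note="ACCESS BLOCK"
Dec 19 04:50:13 192.0.2.1 router1: some unrelated message from the router
"""
if __name__ == "__main__":
    s = summarise(SAMPLE_LOG.splitlines())
    print(s["total"], "hits,", s["unparsed"], "unparsed; top ports:", s["ports"].most_common(3))
    print("sources:", s["sources"].most_common(3), "windows noise: %d/%d" % (s["windows_noise"], s["total"]))
```

To run it on the real file, replace SAMPLE_LOG.splitlines() with the lines of the router's syslog file; the source Counter then gives the address list to feed into whois/DNS lookups.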