File: SCAN_LOG

package info (click to toggle)
psad 2.4.3-1.2~deb9u1
  • links: PTS, VCS
  • area: main
  • in suites: stretch
  • size: 3,884 kB
  • sloc: perl: 13,751; ansic: 1,322; sh: 342; makefile: 74
file content (59 lines) | stat: -rw-r--r-- 1,827 bytes parent folder | download | duplicates (4)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59

This file contains a sample psad alert, and many more examples can be found
here:

http://www.cipherdyne.org/psad/docs/


Here is an example of psad alert (version 2.0.2) for a scan for the
Microsoft VNC service against my Linux box (running kernel 2.6.18):

=-=-=-=-=-=-=-=-=-=-=-= Fri Dec 22 12:10:38 2006 =-=-=-=-=-=-=-=-=-=-=-=


         Danger level: [2] (out of 5)

    Scanned tcp ports: [5900: 1 packets]
            tcp flags: [SYN: 1 packets, Nmap: -sT or -sS]
       iptables chain: INPUT (prefix "DROP"), 1 packets

               Source: 71.127.83.44
                  DNS: static-71-127-83-44.aubnin.fios.verizon.net

          Destination: 71.127.x.x

      Syslog hostname: minastirith

     Current interval: Fri Dec 22 12:10:33 2006 (start)
                       Fri Dec 22 12:10:38 2006 (end)

   Overall scan start: Thu Dec 21 20:37:49 2006
   Total email alerts: 36
   Complete tcp range: [1433-5900]

   chain:   interface:   tcp:   udp:   icmp:
   INPUT    eth0         44     0      0


[+] tcp scan signatures:

   "MISC VNC communication attempt"
       dst port:  5900 (no server bound to local port)
       flags:     SYN
       psad_id:   100202
       chain:     INPUT
       packets:   1
       classtype: attempted-admin
       reference: (url) http://isc.sans.org/port_details.php?port=5900
       reference: (url) http://secunia.com/advisories/20107

[+] Whois Information:
Verizon Internet Services Inc. VIS-71-96 (NET-71-96-0-0-1)
                                  71.96.0.0 - 71.127.255.255
PORTAL MAGIC FTTP (NET-71-127-83-40-1)
                                  71.127.83.40 - 71.127.83.47

# ARIN WHOIS database, last updated 2006-12-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

=-=-=-=-=-=-=-=-=-=-=-= Fri Dec 22 12:10:38 2006 =-=-=-=-=-=-=-=-=-=-=-=