We have found TrafficServer's ability to see what systems are talking
over our network very valuable. However, there are times we want to see
who's been talking a particular protocol "right now". The following
"Interactive" report gives us several variables which we find helpful.
On our network, which includes over 2,000 student computers in
residential dorms, we've found it very helpful to seek out systems that
are talking:
DHCP server (port 67)
Ping sweeps (port 135)
Sasser-like sweeps for vulnerability (port 445)
IRC chatting - for zombies to talk to their controllers (6666-6669, 7000)
A local favorite p2p file sharing software (port 5109)
Below is the code for that report we use. We hope it's helpful.
Cheers!
Les Yaw
Luther College
Decorah, IA
<inmon>
action=ask;
askCategory=Security;
askName=Interactive Top Port Talkers;
askDescription=Identify hosts probing by port.;
askTitle=Top Port Broadcasters;
askHelp=Help/reports/interactive.php#MACBroadcast;
date.prompt=Time Period;
date.default=lastHour;
date.options=dateOptions;
destinationPort.prompt=Port Number;
destinationPort.options=67,135,445,666,5190,6666,6667,6668,6669,7000;
</inmon>
<inmon>
action=index;
category=Security;
name=Port probers list;
description=Systems talking selected port report;
</inmon>
<html>
<head>
<title>Top Port Broadcasters</title>
</head>
<body bgcolor="#FFFFFF" text="#000000" link="#000080" vlink="#990000"
alink="#666666">
<font face="Arial, Arial, Helvetica">
<h1><font color="#333366">Port probing report for
<inmon>action=print;variable=serverPort</inmon></font></h1>
<p><b>[ <inmon>action=date;format=range</inmon> ]</b></p>
<p>Any host probing in large numbers on a port may be a source of
traffic pollution on our network.<br>
Port 67 = DHCP server<br>
Port 135 = Probing with rapid ping-sweep like activity<br>
Port 445 = Sasser-like vulnerability seeking activity<br>
Port 666 = We've had servers hacked, then speak this port<br>
Port 5190 = Gnutella-like P2P file sharing<br>
Port 6666-7000 = Internet Relay Chat (IRC) ports, zombies easily talk to
their controllers over these ports.</p>
<br>
<hr>
<inmon>
action=report;
reportName=TopN;
reportFormat=table;
# includeDelta=yes; - interactive reports would always have "new" deltas -Les
includeData=yes;
tableType=TCP;
sourceAddress=_local::;
categoryColumn=sourceAddress,bytes;
valueColumn=count(destinationAddress);
resultTruncate=50;
</inmon>
<br>
</font>
</body>
</html>
Received on Thu Mar 31 09:28:07 2005
This archive was generated by hypermail 2.1.8 : 03/31/05 PST
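The report above ranks local sources on a chosen port by how many distinct destinations they contact, which is what makes a scanner or a chatty zombie stand out from a host that talks to one server repeatedly. The Python below is an added example, not the InMon report or anything from the original post: it applies the same fan-out logic to a constructed list of flow records (source, destination, destination port, bytes). The port labels, the `10.0.0.0/8` "local" range, and the flow records are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Port legend taken from the post's HTML; the mapping itself is an
# assumption for this example, not something InMon ships.
WATCH_PORTS = {
    67: "DHCP server",
    135: "rapid ping-sweep-like probing",
    445: "Sasser-like vulnerability seeking",
    666: "port seen on previously compromised servers",
    5190: "Gnutella-like P2P file sharing",
    6666: "IRC", 6667: "IRC", 6668: "IRC", 6669: "IRC", 7000: "IRC",
}

# Constructed sample flows (src, dst, dst_port, bytes); not real traffic.
SAMPLE_FLOWS = [
    ("10.1.1.5", "10.1.2.10", 445, 120),   # one host touching many peers on 445
    ("10.1.1.5", "10.1.2.11", 445, 120),
    ("10.1.1.5", "10.1.2.12", 445, 120),
    ("10.1.1.5", "10.1.2.13", 445, 120),
    ("10.1.1.7", "10.1.2.10", 445, 3000),  # repeat visits to a single file server
    ("10.1.1.7", "10.1.2.10", 445, 3000),
    ("10.1.1.9", "192.0.2.50", 6667, 900), # one IRC session
    ("192.0.2.99", "10.1.1.5", 445, 120),  # external source: excluded by the local filter
    ("10.1.1.5", "10.1.2.10", 80, 500),    # other port: not counted for 445
]

# Stand-in for the report's sourceAddress=_local:: filter (assumed range).
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_local(addr: str) -> bool:
    """True if addr falls inside one of the configured local networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def top_port_talkers(flows, port, limit=50):
    """Mirror of the TopN report: for flows to `port` from local sources,
    return (source, distinct_destinations, bytes) rows sorted by fan-out,
    truncated to `limit` rows like resultTruncate=50."""
    dests = defaultdict(set)
    nbytes = defaultdict(int)
    for src, dst, dport, size in flows:
        if dport != port or not is_local(src):
            continue
        dests[src].add(dst)
        nbytes[src] += size
    rows = [(src, len(d), nbytes[src]) for src, d in dests.items()]
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows[:limit]


def flag_probers(flows, port, min_fanout):
    """Sources whose distinct-destination count on `port` reaches the threshold."""
    return [src for src, fanout, _ in top_port_talkers(flows, port)
            if fanout >= min_fanout]


def format_report(flows, port):
    """Plain-text version of the HTML report's table for one port."""
    label = WATCH_PORTS.get(port, "unlisted port")
    lines = [f"Port probing report for {port} ({label})",
             "source          distinct_dests  bytes"]
    for src, fanout, size in top_port_talkers(flows, port):
        lines.append(f"{src:<15} {fanout:>14}  {size}")
    return "\n".join(lines)


if __name__ == "__main__":
    for p in (445, 6667):
        print(format_report(SAMPLE_FLOWS, p))
        print()
```

Ranking on distinct destinations rather than bytes is the point: in the sample, 10.1.1.7 moves far more data on port 445 than 10.1.1.5, but 10.1.1.5 is the one fanning out across the subnet and so sits at the top of the list, while the external 192.0.2.99 never appears because the report only looks at local sources.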