Building a detailed scan-trace detection scheme on Linux

Detection approach
Different scanning techniques call for different detection methods, but the general idea is the same for all of them: use iptables logging rules (configured differently for each scenario) to record the probe traffic in the system log, then analyse the log for suspicious patterns and raise an alarm. The detection schemes below are organised by scanning technique, one scheme per scanning mode.

Scene 1: ICMP scanning trace check
Host discovery with ICMP echo requests, whether sent to individual hosts or to a broadcast address, is recorded in the system log by iptables.

For broadcast ICMP packets:

Configure iptables with the following logging rule (the prefix makes the lines easy to find in the kernel log):

iptables -A INPUT -p icmp --icmp-type echo-request -j LOG --log-prefix "ICMP-PROBE: "

This rule logs every ICMP echo request, unicast and broadcast alike. A broadcast probe is recognised in the log by its DST= field, which is either the subnet's directed broadcast address or 255.255.255.255; an echo request to a broadcast address maps every host on the subnet with a single packet and has no legitimate use on a production network, so raise an alarm whenever such a line is recorded. (If a separate log line per class is preferred, add `-m addrtype --dst-type BROADCAST` to a second rule with its own prefix.)

For unicast ICMP echo packets (the remaining lines logged by the same rule):

Idea 1:

If the range of IP addresses permitted to ping the host can be determined, keep them in a whitelist, treat echo requests from any other source as suspicious behaviour, and alert.

Idea 2:

If no whitelist can be established, look for echo requests logged outside working hours (for example late at night); if such records are found, issue the corresponding alarm.

Scene 2: TCP connect scanning trace check
A TCP connect scan completes the full three-way handshake against each target port to determine whether the port and the service behind it are open.

Idea 1:

First, maintain a whitelist of the ports that the operating system and the business applications need open for normal operation, then configure an iptables rule that logs each new inbound connection:

iptables -A INPUT -p tcp --syn -m state --state NEW -j LOG --log-prefix "TCP-NEW: "

Logging only the SYN of each new connection is enough to see every connect attempt. The original version of this rule also matched ESTABLISHED, which records every packet of every connection and makes the log unusable. LOG is a non-terminating target, so the rule can sit ahead of the ACCEPT and DROP rules without changing what is allowed. Search the log for destination ports (the DPT= field) that are not in the whitelist and raise an alarm for each one.

Idea 2:

Statistical detection. Two statistical checks are set up, one for conventional scans (N packets within 1 minute to 1 hour) and one for slow scans (a packet every 1 hour to 2 days). For conventional scans, count the distinct destination ports logged from the same source IP within a time window (5 minutes recommended, range 1 to 60 minutes); if the count exceeds the threshold (3 recommended, that is, alert at more than 3 distinct ports), raise an alarm, stepping the window through the log 5 minutes at a time. For slow scans, do the same over a longer window (6 hours recommended, range 1 hour to 2 days), again alerting when the number of distinct ports from one source IP exceeds the threshold (3 recommended, alert above 3).
Note: the specific values of the time window and the count threshold should be set according to the actual environment.
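The checks from Scene 1 and Scene 2 as one piece of log-analysis code, added here as an example and not taken from the original post. It parses the syslog-formatted lines the iptables LOG target writes and assumes the rules were given the prefixes ICMP-PROBE: and TCP-NEW: with --log-prefix, that the local subnet is 10.0.0.0/24, and the sample log lines below, which are constructed for the example:

```python
# Scene 1 (ICMP) and Scene 2 (TCP connect) detection over iptables LOG lines.
# Added example, not code from the original post; prefixes, subnet and the
# sample log are assumptions made for this example.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed local subnet

# Constructed sample log (abbreviated: the real LOG target also prints MAC=,
# LEN=, TTL= and similar fields, which this parser simply ignores).
SAMPLE_LOG = """\
Oct  3 09:00:01 web1 kernel: [1001.10] ICMP-PROBE: IN=eth0 OUT= SRC=10.0.0.77 DST=10.0.0.255 PROTO=ICMP TYPE=8 CODE=0
Oct  3 09:00:02 web1 kernel: [1002.20] ICMP-PROBE: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.10 PROTO=ICMP TYPE=8 CODE=0
Oct  3 02:14:07 web1 kernel: [1003.30] ICMP-PROBE: IN=eth0 OUT= SRC=10.0.0.99 DST=10.0.0.10 PROTO=ICMP TYPE=8 CODE=0
Oct  3 09:10:00 web1 kernel: [1004.40] TCP-NEW: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.10 PROTO=TCP SPT=51000 DPT=80 SYN
Oct  3 09:10:01 web1 kernel: [1005.50] TCP-NEW: IN=eth0 OUT= SRC=10.0.0.99 DST=10.0.0.10 PROTO=TCP SPT=40001 DPT=22 SYN
Oct  3 09:10:02 web1 kernel: [1006.60] TCP-NEW: IN=eth0 OUT= SRC=10.0.0.99 DST=10.0.0.10 PROTO=TCP SPT=40002 DPT=80 SYN
Oct  3 09:11:00 web1 kernel: [1007.70] TCP-NEW: IN=eth0 OUT= SRC=10.0.0.99 DST=10.0.0.10 PROTO=TCP SPT=40003 DPT=443 SYN
Oct  3 09:12:30 web1 kernel: [1008.80] TCP-NEW: IN=eth0 OUT= SRC=10.0.0.99 DST=10.0.0.10 PROTO=TCP SPT=40004 DPT=8080 SYN
Oct  3 10:00:00 web1 kernel: [1009.90] TCP-NEW: IN=eth0 OUT= SRC=10.0.0.66 DST=10.0.0.10 PROTO=TCP SPT=33001 DPT=21 SYN
Oct  3 12:00:00 web1 kernel: [1010.00] TCP-NEW: IN=eth0 OUT= SRC=10.0.0.66 DST=10.0.0.10 PROTO=TCP SPT=33002 DPT=23 SYN
Oct  3 13:30:00 web1 kernel: [1011.10] TCP-NEW: IN=eth0 OUT= SRC=10.0.0.66 DST=10.0.0.10 PROTO=TCP SPT=33003 DPT=25 SYN
Oct  3 14:50:00 web1 kernel: [1012.20] TCP-NEW: IN=eth0 OUT= SRC=10.0.0.66 DST=10.0.0.10 PROTO=TCP SPT=33004 DPT=3306 SYN
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?:\[[^\]]*\] )?"
                     r"(?P<prefix>[A-Z-]+): (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Split one kernel LOG line into its key=value fields plus 'ts' and 'prefix'.
    Syslog timestamps carry no year (datetime defaults to 1900); only the
    differences between timestamps matter here, so all lines are assumed to be
    from the same year."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("rest")))
    rec["ts"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    rec["prefix"] = m.group("prefix")
    return rec


def icmp_alerts(records, src_whitelist=None, work_hours=(8, 20)):
    """Scene 1: broadcast pings always alert; unicast pings alert when the source
    is not whitelisted (idea 1) or, with no whitelist, when outside work_hours (idea 2)."""
    alerts = []
    for r in records:
        if r["prefix"] != "ICMP-PROBE" or r.get("TYPE") != "8":  # TYPE=8 is echo request
            continue
        dst = ipaddress.ip_address(r["DST"])
        if dst == LOCAL_NET.broadcast_address or dst == ipaddress.ip_address("255.255.255.255"):
            alerts.append(("icmp-broadcast", r["SRC"], r["ts"]))
        elif src_whitelist is not None:
            if r["SRC"] not in src_whitelist:
                alerts.append(("icmp-unknown-src", r["SRC"], r["ts"]))
        elif not work_hours[0] <= r["ts"].hour < work_hours[1]:
            alerts.append(("icmp-off-hours", r["SRC"], r["ts"]))
    return alerts


def _ports_in_window_exceed(events, window, threshold):
    """True if any sliding window of length `window` holds more than `threshold` distinct ports."""
    events = sorted(events)
    j = 0
    for i, (t0, _) in enumerate(events):
        while j < len(events) and events[j][0] - t0 <= window:
            j += 1
        if len({port for _, port in events[i:j]}) > threshold:
            return True
    return False


def tcp_alerts(records, port_whitelist,
               fast=(timedelta(minutes=5), 3), slow=(timedelta(hours=6), 3)):
    """Scene 2: idea 1 (destination port not in the whitelist) and idea 2 (fast and
    slow scan statistics on distinct destination ports per source IP)."""
    alerts, per_src = [], defaultdict(list)
    for r in records:
        if r["prefix"] != "TCP-NEW":
            continue
        port = int(r["DPT"])
        if port not in port_whitelist:
            alerts.append(("tcp-port-not-allowed", r["SRC"], port))
        per_src[r["SRC"]].append((r["ts"], port))
    for src, events in per_src.items():
        distinct = len({p for _, p in events})
        if _ports_in_window_exceed(events, *fast):
            alerts.append(("tcp-fast-scan", src, distinct))
        elif _ports_in_window_exceed(events, *slow):  # a fast scan is not reported twice
            alerts.append(("tcp-slow-scan", src, distinct))
    return alerts


def analyze(log_text, src_whitelist=None, port_whitelist=frozenset({22, 80, 443})):
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return icmp_alerts(records, src_whitelist) + tcp_alerts(records, port_whitelist)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, src_whitelist={"10.0.0.5"}):
        print(*alert)
```

Broadcast detection compares the DST= field with the subnet's directed broadcast address and with 255.255.255.255. Both scan checks count distinct DPT= values per SRC= over a sliding window rather than fixed 5-minute buckets, so a burst straddling a bucket boundary is not missed, and a source already reported as a fast scan is not reported again by the slow check, since any fast scan also satisfies the slow criterion.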

Scene 3: WEB scanning trace check
A web scanner sends GET requests to discover the web server's version and known vulnerabilities, then tries to exploit them to get into the web service (Apache on Linux here). Every request is recorded in the web server's access log (access.log), and scanning leaves an obvious signature there: a single IP issuing a large number of GET requests within a short period. Filter the log per source IP with a time window (5 minutes recommended, range 1 to 1440 minutes) and a count threshold (10 recommended, any value above 3) to decide whether an IP is scanning. In addition, search the requested URLs for keywords typical of SQL injection, XSS, command injection and path traversal to identify scan traces of those kinds; decode the URL encoding first, since scanners usually percent-encode the payload.

Note: the specific values of the time window and the count threshold should be set according to the actual environment and may change over time.
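The Scene 3 checks over access.log lines, added here as an example and not taken from the original post. It assumes Apache's Common Log Format, the thresholds the post recommends (5-minute window, more than 10 requests), and a constructed sample in which one IP sweeps twelve paths in 22 seconds while a second IP behaves normally; the keyword patterns are an illustrative starting set, not a complete signature list:

```python
# Scene 3 detection over Apache access.log lines: per-IP request bursts plus
# URL keyword matching. Added example, not code from the original post.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample: 10.0.0.99 sweeps twelve paths in 22 seconds, several with
# percent-encoded attack payloads; 10.0.0.5 makes two ordinary requests.
_SCANNER_PATHS = [
    "/", "/robots.txt", "/admin/", "/phpmyadmin/", "/.git/config", "/backup.zip",
    "/index.php?id=1%27%20OR%20%271%27=%271",
    "/search?q=%3Cscript%3Ealert(1)%3C/script%3E",
    "/cgi-bin/test.cgi?cmd=;cat%20/etc/passwd",
    "/download?file=../../../../etc/passwd",
    "/wp-login.php", "/config.php.bak",
]


def _clf(ip, second, path, status="404"):
    return f'{ip} - - [03/Oct/2019:09:20:{second:02d} +0800] "GET {path} HTTP/1.1" {status} 0'


SAMPLE_ACCESS_LOG = [_clf("10.0.0.99", 2 * i, p) for i, p in enumerate(_SCANNER_PATHS)]
SAMPLE_ACCESS_LOG += [_clf("10.0.0.5", 5, "/index.html", "200"),
                      _clf("10.0.0.5", 40, "/about.html", "200")]

CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Keyword patterns for the four classes the post names, matched against the
# URL-decoded path because scanners usually percent-encode the payload.
ATTACK_PATTERNS = {
    "web-sqli": re.compile(r"'\s*(or|and)\s|union\s+select|sleep\(|information_schema", re.I),
    "web-xss": re.compile(r"<script|javascript:|on(error|load)\s*=", re.I),
    "web-cmdi": re.compile(r"[;&|`]\s*(cat|ls|id|whoami|wget|curl|sh|bash)\b|\$\(", re.I),
    "web-traversal": re.compile(r"\.\./|\.\.\\"),
}


def parse_access_line(line):
    """Parse one Common Log Format line; the path is returned URL-decoded."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": unquote(m.group("path")),
    }


def _max_requests_in_window(times, window):
    """Largest number of requests that fall inside any sliding window of length `window`."""
    times = sorted(times)
    best, j = 0, 0
    for i, t0 in enumerate(times):
        while j < len(times) and times[j] - t0 <= window:
            j += 1
        best = max(best, j - i)
    return best


def web_alerts(lines, window=timedelta(minutes=5), threshold=10):
    """Return (pattern_name, ip, path) for each request matching a keyword pattern,
    then ('web-burst', ip, count) for each IP exceeding `threshold` requests in any window."""
    alerts, per_ip = [], defaultdict(list)
    for rec in filter(None, map(parse_access_line, lines)):
        per_ip[rec["ip"]].append(rec["ts"])
        for name, pat in ATTACK_PATTERNS.items():
            if pat.search(rec["path"]):
                alerts.append((name, rec["ip"], rec["path"]))
    for ip, times in per_ip.items():
        count = _max_requests_in_window(times, window)
        if count > threshold:
            alerts.append(("web-burst", ip, count))
    return alerts


if __name__ == "__main__":
    for alert in web_alerts(SAMPLE_ACCESS_LOG):
        print(*alert)
```

The burst check uses a sliding window over each IP's request times so that a scan split across two fixed 5-minute buckets is still counted whole. Keyword matching runs on the decoded path; the same patterns applied to the raw request line would miss the `%27`-encoded quote in the sample SQL injection and the `%3C`-encoded tag in the XSS probe.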

Source: blog.51cto.com/14533090/2435761