       info-WASD Mailing List 2025 

Message 2025/0003, 4 attachment(s).

Subject: [Info-WASD] INTRUspect - browser based intrusion reporting
From: mark.daniel@wasd.vsm.com.au
Reply-to: info-wasd@vsm.com.au
Date: Wed, 12 Mar 2025 14:28:31 +1030  [12-MAR-2025 14:29]
To: info-WASD@vsm.com.au

WASD provides an intrusion reporting application.

An observational aid to system intrusions.  It processes the sort of data
available via the DCL "SHOW INTRUSION" command (SECURITY privilege required),
parsing the essentially free-form elements in those report lines into more
easily viewed and assimilated data, along with additional elements such as
resolved host domain names and geolocation.  Absence of a standard format
leads to some variation in interpretation. 

INTRUspect, using basic intrusion data similar to the following ...

|$ SHOW INTRUSION
|Intrusion       Type       Count        Expiration         Source
|---------       ----       -----        ----------         ------
|   NETWORK      SUSPECT       1   26-FEB-2025 20:48:15.53  61.169.54.150::JOSELUIS
|   NETWORK      SUSPECT       1   26-FEB-2025 20:48:58.06  131.221.133.6::HEY
|   NETWORK      SUSPECT       1   26-FEB-2025 20:45:17.74  103.218.133.106::MICKEY
8< snip 8<
|   NETWORK      SUSPECT       2   26-FEB-2025 20:47:17.52  113.11.34.221::TESTING
|   NETWORK      SUSPECT       1   26-FEB-2025 20:46:06.17  60.223.251.132::AHMED
|   NETWORK      SUSPECT       1   26-FEB-2025 20:45:45.32  188.247.49.186::KIRAN

... produces a browser page laid out as a table with columns presenting the
parsed and additional data, again similar to the following;

|    Type   Class  Network                      Source   Ident    Count  Delta   Noticed         Expires
|    ~~~~~  ~~~~~  ~~~~~~~                      ~~~~~~   ~~~~~    ~~~~~  ~~~~~   ~~~~~~~         ~~~~~~~
|1.  SUSP   NETW   61.169.54.150                n/a      JOSELUIS     1      0   20:49:00   –2   20:53:59  +04:57
|                  China / Shanghai / Shanghai
|2.  SUSP   NETW   6-133-221-131.dynamic.       n/a      HEY          1      0   20:48:51  –11   20:53:51  +04:49
|                  v1telecom.com.br
|                  (131.221.133.6)
|                  Brazil / Rio de Janeiro / Seropédica
|3.  SUSP   NETW   103.218.133.106              n/a      MICKEY       1      0   20:48:47  –15   20:53:46  +04:44
|                  India / Tamil Nadu / Chennai
8< snip 8<
|7.  SUSP   NETW   113-11-34-221-smile.com.bd   n/a      TESTING      2      1   20:48:41  –21   20:53:40  +04:39
|                  (113.11.34.221)
|                  Bangladesh / Dhaka Division / Dhaka
|8.  SUSP   NETW   132.251.223.60.adsl-         n/a      AHMED        1      0   20:55:33  –43   21:00:32  +04:17
|                  pool.sx.cn (60.223.251.132)
|                  China / Shanxi / Liuxiang
|9.  SUSP   NETW   188.247.49.186               n/a      KIRAN        1      0   20:55:17  –59   21:00:16  +04:01
|                  Russia / Volgograd Oblast / Volzhsky

  ꙳꙳ These data taken as plain-text from an INTRUspect page are
     illustrative only.  All of these elements can be better seen at
     https://wasd.vsm.com.au/wasd_root/src/intruspect/intruspect.png
     or with the attachments.

Description
~~~~~~~~~~~
As illustrated, if an intrusion record contains anything resembling an IP
address, or even a domain name, it is resolved and (if configured) network
geolocation (country / region / city) is presented below the address.  The
network column can be quite congested and so frequently wraps to limit the
horizontal space it consumes.

Type and Class are self-explanatory.  Source, not always present, can provide
information such as "SSH-PASSWORD".  Ident is the username parsed from the
datum; it is also not always present.  Count and Delta represent the number of
intrusion attempts and any recent change in that count.  Noticed comprises the
VMS time the intrusion occurred, followed by the number of seconds or minutes
ago that was.  Expires is the VMS time the intrusion becomes invalid, followed
by the number of seconds or minutes before that happens.
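The parsing described above, as an added Python example (not INTRUspect's own code, which is not reproduced here): each SHOW INTRUSION line is split into class, type, count, expiration and source, the network is separated from the "::IDENT" suffix, addresses that would go on to reverse DNS and geolocation are flagged, and the Delta and Expires offsets are derived.  The sample input is constructed in the quoted layout; name resolution and geolocation lookups are left out.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in the SHOW INTRUSION layout quoted above (not live data);
# the last line has no "::IDENT" suffix, the "Ident not always present" case.
SAMPLE = """\
Intrusion       Type       Count        Expiration         Source
---------       ----       -----        ----------         ------
   NETWORK      SUSPECT       1   26-FEB-2025 20:48:15.53  61.169.54.150::JOSELUIS
   NETWORK      SUSPECT       2   26-FEB-2025 20:47:17.52  113.11.34.221::TESTING
   NETWORK      INTRUDER      5   26-FEB-2025 20:55:00.00  6-133-221-131.dynamic.v1telecom.com.br
"""

# class, type, count, VMS absolute time, free-form source datum
LINE = re.compile(r"^\s*(\w+)\s+(\w+)\s+(\d+)\s+"
                  r"(\d{1,2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{2})\s+(\S+)\s*$")

def parse_show_intrusion(text):
    """Parse SHOW INTRUSION report lines; header, separator and snip lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        klass, itype, count, expiration, source = m.groups()
        network, sep, ident = source.rpartition("::")
        if not sep:                     # no "::IDENT": the whole datum is the network
            network, ident = source, None
        try:
            ipaddress.ip_address(network)
            kind = "ip"                 # would go to reverse DNS, then geolocation
        except ValueError:
            kind = "name"               # domain name: forward-resolve, then geolocate
        records.append({
            "class": klass, "type": itype, "count": int(count),
            "expires": datetime.strptime(expiration, "%d-%b-%Y %H:%M:%S.%f"),
            "network": network, "kind": kind, "ident": ident,
        })
    return records

def expires_in(record, now):
    """Seconds until the record expires (the Expires offset; negative once lapsed)."""
    return int((record["expires"] - now).total_seconds())

def count_deltas(previous, current):
    """Delta column: change in Count per intrusion between two collection passes."""
    def key(r):
        return (r["class"], r["type"], r["network"], r["ident"])
    before = {key(r): r["count"] for r in previous}
    return {key(r): r["count"] - before.get(key(r), 0) for r in current}
```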

Below the basic platform data at the top of the page are intrusion *rate*
accumulated counts (not illustrated above) organised as 1 (current) to 12
(least current) in three rows; the first representing the most recent 12
minutes, the second row as 12 groups of 5 minutes (most recent hour), and the
third the most recent 12 hours.

INTRUspect continues collecting until [x]Collect is unchecked, or the browser
exhausts its available resources.  [Print] is available at any time.

Real World
~~~~~~~~~~
An interesting exercise with Internet-connected systems: watching obviously
coordinated attacks from geographically diverse locations.  Also, targeted
attacks containing usernames known or imagined to be associated with the
particular system (e.g. MARK.DANIEL, INFO-WASD, SYSTEM).  Three days later
(a benefit of employing strong passwords):

        230 login failures since last successful login

The attached data, courtesy DECUServe.org, shows *starkly* differing
intrusion profiles 24 hours apart.  Nearly one attack every second on the
'28th'.  Barely any a day later, the '1st'.  This suggests a coordinated,
multi-geographic attack orchestrated by a *single* actor.

  ꙳꙳꙳ The 28th attachment shows geolocation data as "(waiting...)".
      INTRUspect employs a free, rate-limited service that due to the
      number of new intrusion instances was always bumping up against
      the per-minute limit.

More recent data gathered on DECUServe (the '5th' attachment), with the attack
returned/continued at full tilt, was corroborated by the system manager (HG
for those who know DECUServe), with the primary vector being SMTP (port 25)
AUTH/SASL authorisation.

  https://en.wikipedia.org/wiki/SMTP_Authentication

Maximum 427 *active* intrusions.  After SMTP AUTH was disabled, basically none,
the '6th' attachment.  Cost/benefit analysis ... almost zero impact on
DECUServe mail users, almost 100% on the attacker.  SMTP AUTH remains disabled.

Further Information
~~~~~~~~~~~~~~~~~~~
https://wasd.vsm.com.au/wasd_root/src/intruspect/readmore.html

https://wasd.vsm.com.au/wasd/

This item is one of a collection at
https://wasd.vsm.com.au/other/#occasional
