WASD provides an intrusion reporting application, INTRUspect, an observational
aid to system intrusion activity. It processes the sort of data available via
the DCL "SHOW INTRUSION" command (SECURITY privilege required), parsing the
essentially free-form elements of those report lines into more easily viewed
and assimilated data, and adding elements such as resolved host domain names
and geolocation. Because the report lines have no standard format, some
variation in interpretation is unavoidable.
INTRUspect, using basic intrusion data similar to the following ...
|$ SHOW INTRUSION
|Intrusion Type Count Expiration Source
|--------- ---- ----- ---------- ------
| NETWORK SUSPECT 1 26-FEB-2025 20:48:15.53 61.169.54.150::JOSELUIS
| NETWORK SUSPECT 1 26-FEB-2025 20:48:58.06 131.221.133.6::HEY
| NETWORK SUSPECT 1 26-FEB-2025 20:45:17.74 103.218.133.106::MICKEY
8< snip 8<
| NETWORK SUSPECT 2 26-FEB-2025 20:47:17.52 113.11.34.221::TESTING
| NETWORK SUSPECT 1 26-FEB-2025 20:46:06.17 60.223.251.132::AHMED
| NETWORK SUSPECT 1 26-FEB-2025 20:45:45.32 188.247.49.186::KIRAN
... produces a browser page laid out as a table, with columns presenting the
parsed and additional data, again similar to the following:
| Type Class Network Source Ident Count Delta Noticed Expires
| ~~~~~ ~~~~~ ~~~~~~~ ~~~~~~ ~~~~~ ~~~~~ ~~~~~ ~~~~~~~ ~~~~~~~
|1. SUSP NETW 61.169.54.150 n/a JOSELUIS 1 0 20:49:00 –2 20:53:59 +04:57
| China / Shanghai / Shanghai
|2. SUSP NETW 6-133-221-131.dynamic. n/a HEY 1 0 20:48:51 –11 20:53:51 +04:49
| v1telecom.com.br
| (131.221.133.6)
| Brazil / Rio de Janeiro / Seropédica
|3. SUSP NETW 103.218.133.106 n/a MICKEY 1 0 20:48:47 –15 20:53:46 +04:44
| India / Tamil Nadu / Chennai
8< snip 8<
|7. SUSP NETW 113-11-34-221-smile.com.bd n/a TESTING 2 1 20:48:41 –21 20:53:40 +04:39
| (113.11.34.221)
| Bangladesh / Dhaka Division / Dhaka
|8. SUSP NETW 132.251.223.60.adsl- n/a AHMED 1 0 20:55:33 –43 21:00:32 +04:17
| pool.sx.cn (60.223.251.132)
| China / Shanxi / Liuxiang
|9. SUSP NETW 188.247.49.186 n/a KIRAN 1 0 20:55:17 –59 21:00:16 +04:01
| Russia / Volgograd Oblast / Volzhsky
꙳꙳ These data taken as plain-text from an INTRUspect page are
illustrative only. All of these elements can be better seen at
https://wasd.vsm.com.au/wasd_root/src/intruspect/intruspect.png
or with the attachments.
Description
~~~~~~~~~~~
As illustrated, if an intrusion record contains anything resembling an IP
address, or even a domain name, it is resolved and (if configured) network
geolocation (country / region / city) is presented below the address. The
Network column can be quite congested, so it frequently wraps to conserve
horizontal space.
Type and Class are self-explanatory. Source, not always present, can provide
information such as "SSH-PASSWORD". Ident, also not always present, is the
username parsed from the datum. Count and Delta are the number of intrusion
attempts and any recent change in that count. Noticed is the VMS time the
intrusion occurred, followed by the number of seconds or minutes ago that was.
Expires is the VMS time the intrusion record becomes invalid, followed by the
number of seconds or minutes before that happens.
Below the basic platform data at the top of the page are intrusion *rate*
counts (not illustrated above), accumulated in three rows of 12 buckets
ordered 1 (current) to 12 (least current): the first row covers the most
recent 12 minutes, one minute per bucket; the second the most recent hour as
12 groups of 5 minutes; and the third the most recent 12 hours, one hour per
bucket.
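As an added example (not INTRUspect's own code, which is a browser
application), the following Python sketches what the Description above
implies: a tolerant parser for SHOW INTRUSION lines, first-seen (Noticed) and
count-change (Delta) tracking across two polls, and the three rows of 12 rate
buckets. The sample polls are constructed from the listing above; the record
with a bare hostname and no ident is likewise constructed. It assumes that
Noticed is the time of the poll that first saw a record, that Delta is the
change in Count since the previous poll, and that each first sighting or
count increase is one intrusion instance for the rate rows. No DNS or
geolocation lookups are made, so it runs offline.

```python
"""Tolerant SHOW INTRUSION parser plus the per-poll bookkeeping behind the
Noticed, Delta and rate columns.  Added example, not INTRUspect's own code;
Noticed/Delta/instance semantics are assumptions (see lead-in)."""
import re
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split(), start=1)}
# VMS absolute time exactly as SHOW INTRUSION prints it: 26-FEB-2025 20:48:15.53
VMS_TIME = re.compile(
    r"(\d{1,2})-([A-Z]{3})-(\d{4}) (\d{2}):(\d{2}):(\d{2})\.(\d{2})")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_vms_time(text):
    """Return a datetime for the first VMS timestamp in text, else None."""
    m = VMS_TIME.search(text)
    if not m:
        return None
    d, mon, y, hh, mm, ss, cc = m.groups()
    return datetime(int(y), MONTHS[mon], int(d), int(hh), int(mm), int(ss),
                    int(cc) * 10000)          # centiseconds -> microseconds


def parse_record(line):
    """Split one SHOW INTRUSION line into a dict; None for header/blank lines.
    The expiration timestamp is the only rigidly formatted field, so it anchors
    the split: left of it are class (NETWORK ...), type (SUSPECT/INTRUDER) and
    count; right of it is the free-form source, NODE::USER for network ones."""
    m = VMS_TIME.search(line)
    if not m:
        return None
    head = line[:m.start()].split()
    if len(head) != 3 or not head[2].isdigit():
        return None
    source = line[m.end():].strip()
    network, ident = (source.split("::", 1) + [None])[:2]
    return {"class": head[0], "type": head[1], "count": int(head[2]),
            "expires": parse_vms_time(m.group(0)), "source": source,
            "network": network,
            "network_kind": "ip" if IPV4.match(network) else "name",
            "ident": ident or None}


def age_text(seconds):
    """Page-style relative time: bare seconds under a minute, else MM:SS."""
    sign = "-" if seconds < 0 else "+"
    s = abs(int(seconds))
    return f"{sign}{s}" if s < 60 else f"{sign}{s // 60:02d}:{s % 60:02d}"


class Collector:
    """State carried across polls: first-seen time and previous count per
    record.  Records absent from a poll are dropped, so a later reappearance
    counts as a fresh sighting."""

    def __init__(self):
        self.seen = {}      # (class, type, source) -> last record seen
        self.events = []    # poll time of every new intrusion instance

    def poll(self, text, now):
        current, rows = {}, []
        for line in text.splitlines():
            rec = parse_record(line)
            if rec is None:
                continue
            key = (rec["class"], rec["type"], rec["source"])
            prev = self.seen.get(key)
            if prev is None:
                rec["noticed"], rec["delta"] = now, 0
                self.events.append(now)
            else:
                rec["noticed"] = prev["noticed"]
                rec["delta"] = rec["count"] - prev["count"]
                self.events.extend([now] * max(rec["delta"], 0))
            rec["noticed_text"] = age_text(-(now - rec["noticed"]).total_seconds())
            rec["expires_text"] = age_text((rec["expires"] - now).total_seconds())
            current[key] = rec
            rows.append(rec)
        self.seen = current
        return rows


def rate_rows(events, now):
    """Three rows of 12 buckets, index 0 = current: per minute over the last
    12 minutes, per 5 minutes over the last hour, per hour over 12 hours."""
    rows = {}
    for name, width in (("minutes", timedelta(minutes=1)),
                        ("5-minute", timedelta(minutes=5)),
                        ("hours", timedelta(hours=1))):
        buckets = [0] * 12
        for t in events:
            age = now - t
            if age >= timedelta(0) and int(age / width) < 12:
                buckets[int(age / width)] += 1
        rows[name] = buckets
    return rows


# Constructed sample polls one minute apart, modelled on the listing above.
POLL1_TIME = "26-FEB-2025 20:49:00.00"
POLL1 = """\
Intrusion       Type       Count    Expiration                Source
---------       ----       -----    ----------                ------
NETWORK         SUSPECT    1        26-FEB-2025 20:53:59.00   61.169.54.150::JOSELUIS
NETWORK         SUSPECT    1        26-FEB-2025 20:53:40.00   113.11.34.221::TESTING
"""
POLL2_TIME = "26-FEB-2025 20:50:00.00"
POLL2 = """\
Intrusion       Type       Count    Expiration                Source
---------       ----       -----    ----------                ------
NETWORK         SUSPECT    1        26-FEB-2025 20:53:59.00   61.169.54.150::JOSELUIS
NETWORK         SUSPECT    2        26-FEB-2025 20:54:40.00   113.11.34.221::TESTING
NETWORK         SUSPECT    1        26-FEB-2025 20:54:59.00   188.247.49.186::KIRAN
NETWORK         SUSPECT    1        26-FEB-2025 20:54:50.00   host.example.net
"""

if __name__ == "__main__":
    c = Collector()
    c.poll(POLL1, parse_vms_time(POLL1_TIME))
    now = parse_vms_time(POLL2_TIME)
    for i, r in enumerate(c.poll(POLL2, now), 1):
        print(f"{i}. {r['type'][:4]} {r['class'][:4]} {r['network']:<20} "
              f"{r['ident'] or 'n/a':<10} {r['count']} {r['delta']} "
              f"{r['noticed']:%H:%M:%S} {r['noticed_text']} "
              f"{r['expires']:%H:%M:%S} {r['expires_text']}")
    print(rate_rows(c.events, now))
```

Keying records on (class, type, source) rather than on the expiration time
matters: the expiration is renewed each time the count rises, so a key that
included it would make every repeat attempt look like a new intrusion and
lose the Delta.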
INTRUspect continues collecting until [x]Collect is unchecked or the browser
exhausts its available resources. [Print] is available at any time.
Real World
~~~~~~~~~~
Internet-connected systems make for an interesting exercise: watching obviously
coordinated attacks from geographically diverse locations, and targeted
attacks containing usernames known, or imagined, to be associated with the
particular system (e.g. MARK.DANIEL, INFO-WASD, SYSTEM). Three days later
(a benefit of employing strong passwords):
230 login failures since last successful login
The attached data, courtesy of DECUServe.org, shows *starkly* differing
intrusion profiles 24 hours apart: nearly one attack every second on the
'28th', barely any a day later, the '1st'. Such an abrupt change across
geographically diverse sources suggests a coordinated attack orchestrated by
a *single* actor.
꙳꙳꙳ The 28th attachment shows geolocation data as "(waiting...)".
    INTRUspect employs a free, rate-limited geolocation service which,
    given the number of new intrusion instances, was constantly bumping
    up against its per-minute limit.
In more recent data gathered on DECUServe, the '5th' attachment, the attack
had returned and continued at full tilt. This was corroborated by the system
manager (HG, for those who know DECUServe), who identified the primary vector
as SMTP (port 25) AUTH/SASL authentication.
https://en.wikipedia.org/wiki/SMTP_Authentication
Maximum 427 *active* intrusions. After SMTP AUTH was disabled, basically none
(the '6th' attachment). Cost/benefit analysis: almost zero impact on DECUServe
mail users, almost 100% on the attacker. SMTP AUTH remains disabled.
Further Information
~~~~~~~~~~~~~~~~~~~
https://wasd.vsm.com.au/wasd_root/src/intruspect/readmore.html
https://wasd.vsm.com.au/wasd/
This item is one of a collection at
https://wasd.vsm.com.au/other/#occasional