Welcome to the 'Scan of the Month' challenge. The purpose of this monthly project is to help the security community develop the forensic and analysis skills to decode blackhat attacks. This is done by taking signatures we have captured in the wild and challenging the security community to decode the signatures. At the beginning of every month we will post a new attack/probe. At the end of the month we will post the results. Send all submissions via email to project@honeynet.org. Please send all submissions in .txt or .html format. If it is in .txt format, make sure it is formatted for browsers.
Starting May, 2001, all submissions are rated as follows:
Scan 0: Packets crafted by Libnet
Scan 1: Potential hping2 scan
Scan 2: Mail Relay scans
Scan 3: nmap scanning for IP types
Scan 4: Large ICMP echo requests
Scan 5: Queso
Scan 6: Telnet negotiation
Scan 7: Microsoft Windows worms
Scan 8: FTP Frontpage scan
Scan 9: Cart32 Webserver scan
Scan 10: 2 Remote Exploits
Scan 11: Unique NT IIS probe
Scan 12: NT IIS Unicode attack
Scan 13: auto rooter
To help you decode the signatures, the following RFCs are provided. If you want to learn more about decoding TCP/IP, we highly recommend the book "TCP/IP Illustrated, Volume 1", by Richard Stevens.
IP - RFC 791
ICMP - RFC 777
TCP - RFC 793
UDP - RFC 768