Scan of the Month

Welcome to the 'Scan of the Month' challenge. The purpose of this monthly project is to help the security community develop the forensic and analysis skills to decode blackhat attacks. This is done by taking signatures we have captured in the wild and challenging the security community to decode the signatures. At the beginning of every month we will post a new attack/probe. At the end of the month we will post the results. Send all submissions via email to project@honeynet.org. Please send all submissions in .txt or .html format. If it is in .txt format, make sure it is formated for browsers.

Starting May, 2001, all submissions are rated as follows:

One point for each correctly answered question of the challenge
Detail of technical information and how correct it is (5 points).
Do you show the methods used to analyze the data and obtain your conclusions (5 points).
How easy is it to read and understand your submission, use of whitespace, format, organization, etc (5 points).

Scan of the Month - April.
Decode a successful NT attack with only a snort binary log capture for analysis. Submissions due No Later Then 17:00, 20 April.

Archives:

Scan 0: Packets crafted by Libnet
Scan 1: Potential hping2 scan
Scan 2: Mail Relay scans
Scan 3: nmap scanning for IP types
Scan 4: Large ICMP echo requests
Scan 5: Queso
Scan 6: Telnet negotiation
Scan 7: Microsoft Windows worms
Scan 8: FTP Frontpage scan
Scan 9: Cart32 Weserver scan
Scan 10: 2 Remote Exploits
Scan 11: Unique NT IIS probe
Scan 12: NT IIS Unicode attack
Scan 13: auto rooter

To help you decode the signatures, the following RFC's are provided. If you want to learn more about decoding TCP/IP, we highly recommend the book "TCP/IP Illustrated, Volume 1", by Richard Stevens

IP - RFC 791
ICMP - RFC 777
TCP - RFC 793
UDP - RFC 768