From breno.silva at gmail.com  Sun Oct 11 18:35:55 2009
From: breno.silva at gmail.com (Breno Silva)
Date: Sun, 11 Oct 2009 19:35:55 -0300
Subject: [Oisf-wg-portscan] Hey
Message-ID: <65f41b5a0910111535m1b8fe8aal8b461a1f72b01b33@mail.gmail.com>

Hey guys,

Who is in the list ?

I have a simple code to discuss with you

Thanks

Breno
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openinfosecfoundation.org/pipermail/oisf-wg-portscan/attachments/20091011/03915520/attachment.html

From shyaam at gmail.com  Sun Oct 11 18:57:58 2009
From: shyaam at gmail.com (Shyaam Sundhar)
Date: Sun, 11 Oct 2009 18:57:58 -0400
Subject: [Oisf-wg-portscan] Hey
In-Reply-To: <65f41b5a0910111535m1b8fe8aal8b461a1f72b01b33@mail.gmail.com>
References: <65f41b5a0910111535m1b8fe8aal8b461a1f72b01b33@mail.gmail.com>

Everyone is with you brotha!

Sent from my iPhone

On Oct 11, 2009, at 6:35 PM, Breno Silva wrote:

> Hey guys,
>
> Who is in the list ?
>
> I have a simple code to discuss with you
>
> Thanks
>
> Breno

From breno.silva at gmail.com  Sun Oct 11 19:15:35 2009
From: breno.silva at gmail.com (Breno Silva)
Date: Sun, 11 Oct 2009 20:15:35 -0300
Subject: [Oisf-wg-portscan] Hey
References: <65f41b5a0910111535m1b8fe8aal8b461a1f72b01b33@mail.gmail.com>
Message-ID: <65f41b5a0910111615p27b66c87x68fde00edf382a27@mail.gmail.com>

Hey Shyaam!

Good to hear from you!

Let's wait one more day to hear from the other guys

cheers

Breno

On Sun, Oct 11, 2009 at 7:57 PM, Shyaam Sundhar wrote:

> Everyone is with you brotha!
>
> Sent from my iPhone

From jonkman at jonkmans.com  Sun Oct 11 19:21:04 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Sun, 11 Oct 2009 19:21:04 -0400
Subject: [Oisf-wg-portscan] Hey
In-Reply-To: <65f41b5a0910111615p27b66c87x68fde00edf382a27@mail.gmail.com>
References: <65f41b5a0910111535m1b8fe8aal8b461a1f72b01b33@mail.gmail.com>
	<65f41b5a0910111615p27b66c87x68fde00edf382a27@mail.gmail.com>
Message-ID: <4AD26860.8080909@jonkmans.com>

There's a large number of people on here, we can't have everyone check
in. :)

What are you thinking about?

Matt

Breno Silva wrote:
> Hey Shyaam!
>
> Good to hear from you!
>
> Let's wait one more day to hear from the other guys
>
> cheers
>
> Breno

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinformationsecurityfoundation.org
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From william.metcalf at gmail.com  Sun Oct 11 23:40:58 2009
From: william.metcalf at gmail.com (Will Metcalf)
Date: Sun, 11 Oct 2009 22:40:58 -0500
Subject: [Oisf-wg-portscan] Hey
In-Reply-To: <4AD26860.8080909@jonkmans.com>
References: <65f41b5a0910111535m1b8fe8aal8b461a1f72b01b33@mail.gmail.com>
	<65f41b5a0910111615p27b66c87x68fde00edf382a27@mail.gmail.com>
	<4AD26860.8080909@jonkmans.com>

I second this.... let's hear what you've got to say Breno. I'm sure
the others will catch up ;-)...

Regards,

Will

On Sun, Oct 11, 2009 at 6:21 PM, Matt Jonkman wrote:
> There's a large number of people on here, we can't have everyone check
> in. :)
>
> What are you thinking about?
>
> Matt

From peterkycheung at gmail.com  Sun Oct 11 23:55:44 2009
From: peterkycheung at gmail.com (Peter Cheung)
Date: Mon, 12 Oct 2009 11:55:44 +0800
Subject: [Oisf-wg-portscan] Hey
References: <65f41b5a0910111535m1b8fe8aal8b461a1f72b01b33@mail.gmail.com>
	<65f41b5a0910111615p27b66c87x68fde00edf382a27@mail.gmail.com>
	<4AD26860.8080909@jonkmans.com>
Message-ID: <4a3f9d390910112055k7c881d14s9d05d85b41abe979@mail.gmail.com>

Hi all,

I am newly joining this list and this is my first message received.

What's up will be?

Cheers..

..Peter

On Mon, Oct 12, 2009 at 11:40 AM, Will Metcalf wrote:

> I second this.... let's hear what you've got to say Breno. I'm sure
> the others will catch up ;-)...
>
> Regards,
>
> Will

From gurvindersinghdahiya at gmail.com  Mon Oct 12 01:03:07 2009
From: gurvindersinghdahiya at gmail.com (Gurvinder Singh)
Date: Mon, 12 Oct 2009 08:03:07 +0300
Subject: [Oisf-wg-portscan] Hey
In-Reply-To: <4a3f9d390910112055k7c881d14s9d05d85b41abe979@mail.gmail.com>
References: <65f41b5a0910111535m1b8fe8aal8b461a1f72b01b33@mail.gmail.com>
	<65f41b5a0910111615p27b66c87x68fde00edf382a27@mail.gmail.com>
	<4AD26860.8080909@jonkmans.com>
	<4a3f9d390910112055k7c881d14s9d05d85b41abe979@mail.gmail.com>
Message-ID: <4AD2B88B.6090602@gmail.com>

Hi Breno,

Looking forward to the code :)

Cheers,
Gurvinder

Peter Cheung wrote:
> Hi all,
>
> I am newly joining this list and this is my first message received.
>
> What's up will be?
>
> Cheers..
>
> ..Peter

From jamie.riden at gmail.com  Mon Oct 12 01:15:02 2009
From: jamie.riden at gmail.com (Jamie)
Date: Mon, 12 Oct 2009 06:15:02 +0100
Subject: [Oisf-wg-portscan] Hey
In-Reply-To: <65f41b5a0910111535m1b8fe8aal8b461a1f72b01b33@mail.gmail.com>
References: <65f41b5a0910111535m1b8fe8aal8b461a1f72b01b33@mail.gmail.com>

I'm on this one.

Cheers,
Jamie

Sent on the go

On 11 Oct 2009, at 23:35, Breno Silva wrote:

> Hey guys,
>
> Who is in the list ?
>
> I have a simple code to discuss with you
>
> Thanks
>
> Breno

From aditya1010 at gmail.com  Mon Oct 12 01:17:08 2009
From: aditya1010 at gmail.com (AdityaK)
Date: Mon, 12 Oct 2009 10:47:08 +0530
Subject: [Oisf-wg-portscan] Hey
References: <65f41b5a0910111535m1b8fe8aal8b461a1f72b01b33@mail.gmail.com>
Message-ID: <2e18a850910112217o2f2dd14cg9fc846dad167a97@mail.gmail.com>

I am on this so where is the beef aka code

On Mon, Oct 12, 2009 at 10:45 AM, Jamie wrote:

> I'm on this one.
>
> Cheers,
> Jamie
>
> Sent on the go

-- 
/ak

Ignorance is Bliss, Security is an Illusion

From poonaatsoc at gmail.com  Mon Oct 12 02:26:26 2009
From: poonaatsoc at gmail.com (Anoop Saldanha)
Date: Mon, 12 Oct 2009 11:56:26 +0530
Subject: [Oisf-wg-portscan] Hey
In-Reply-To: <2e18a850910112217o2f2dd14cg9fc846dad167a97@mail.gmail.com>
References: <65f41b5a0910111535m1b8fe8aal8b461a1f72b01b33@mail.gmail.com>
	<2e18a850910112217o2f2dd14cg9fc846dad167a97@mail.gmail.com>

I am in too :)

On Mon, Oct 12, 2009 at 10:47 AM, AdityaK wrote:

> I am on this so where is the beef aka code

-- 
Regards,
Anoop Saldanha

From jan.kaestner at siemens.com  Mon Oct 12 03:54:00 2009
From: jan.kaestner at siemens.com (Kaestner, Jan)
Date: Mon, 12 Oct 2009 09:54:00 +0200
Subject: [Oisf-wg-portscan] Hey
In-Reply-To: <65f41b5a0910111535m1b8fe8aal8b461a1f72b01b33@mail.gmail.com>
References: <65f41b5a0910111535m1b8fe8aal8b461a1f72b01b33@mail.gmail.com>

I am on.

With best regards,
Jan Kaestner

Siemens AG
Industry Sector
Industry Automation Division
Industrial Automation Systems
I IA AS RD DH K5
Oestliche Rheinbrueckenstr. 50
76187 Karlsruhe, Germany
Tel.: +49 (721) 595-3138
mailto:jan.kaestner at siemens.com

From: oisf-wg-portscan-bounces at openinfosecfoundation.org [mailto:oisf-wg-portscan-bounces at openinfosecfoundation.org] On Behalf Of Breno Silva
Sent: Monday, October 12, 2009 12:36 AM
To: DDoS and Portscan methods discussion
Subject: [Oisf-wg-portscan] Hey

Hey guys,

Who is in the list ?

I have a simple code to discuss with you

Thanks

Breno

From jdickey at seven-sigma.com  Mon Oct 12 05:58:14 2009
From: jdickey at seven-sigma.com (Jeff Dickey)
Date: Mon, 12 Oct 2009 17:58:14 +0800
Subject: [Oisf-wg-portscan] Hey
In-Reply-To: <4AD26860.8080909@jonkmans.com>

I think what Matt was trying to say was "hey, Breno, everybody with a
technical interest in OISF is on the list; don't ask to ask - what's the
code you've got?"

But I'll join the flood anyway :-)

On 12/10/09 07:21 , "Matt Jonkman" wrote:

> There's a large number of people on here, we can't have everyone check
> in. :)
>
> What are you thinking about?
>
> Matt

-- 
Jeff Dickey
http://archlever.blogspot.com/
Email: jdickey at seven-sigma.com
Phone/SMS: +65 8333 4403
Skype: jeff_dickey
LinkedIn: jdickey
Yahoo! IM: jeff_dickey
MSN IM: jeff_dickey at hotmail.com (for IM only, please)
ICQ: 8053918
QQ: 30302349
GnuPG key: Fingerprint D367 FB97 4E59 BEC0 8EBC D8E3 3BD4 7D4C DFE0 6488
Valid from 01 July 2009 to 31 December 2009
Download from http://tr.im/qqQa

From jonkman at jonkmans.com  Mon Oct 12 09:03:40 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 12 Oct 2009 09:03:40 -0400
Subject: [Oisf-wg-portscan] Hey
Message-ID: <4AD3292C.8070702@jonkmans.com>

Yes! We have all the right people here. Shoot us your idea!

Matt

Jeff Dickey wrote:
> I think what Matt was trying to say was "hey, Breno, everybody with a
> technical interest in OISF is on the list; don't ask to ask - what's the
> code you've got?"
>
> But I'll join the flood anyway :-)

From breno.silva at gmail.com  Mon Oct 12 11:57:44 2009
From: breno.silva at gmail.com (Breno Silva)
Date: Mon, 12 Oct 2009 12:57:44 -0300
Subject: [Oisf-wg-portscan] Hey
In-Reply-To: <4AD3292C.8070702@jonkmans.com>
References: <4AD3292C.8070702@jonkmans.com>
Message-ID: <65f41b5a0910120857o76860ceam8ee1734fa7019f76@mail.gmail.com>

Hi Guys

Good to hear from you. I'm sending two simple codes for discussion, to see if
they can be used as a part of a future ddos detection engine.

The idea is to create something to measure the traffic entropy. Most ddos
attacks change (decrease) the entropy of certain traffic.

This is a pseudo-code to implement the idea:

for_each_packet() {

    case udp:
        udp_packet[dest port]->count_bit_1_for_the_packet
        udp_packet[dest port]->store_sddr_daddr_ports_etc
        alfa += apply_the_algorithm_for_the_packet(udp_packet[dest port]->count_bit_1_for_the_packet)
        countbit1total[dest port] += udp_packet[dest port]->count_bit_1_for_the_packet

    case tcp:
        tcp_packet[dest port]->count_bit_1_for_the_packet
        tcp_packet[dest port]->store_sddr_daddr_ports_etc
        alfa += apply_the_algorithm_for_the_packet(tcp_packet[dest port]->count_bit_1_for_the_packet)
        countbit1total[dest port] += tcp_packet[dest port]->count_bit_1_for_the_packet

    if(we_have_200_packets_in_this_port) {
        beta = apply_the_algorithm_for_the_all_packets(countbit1total[dest port])
        if(beta < alfa) {
            attack detected
        } else {
            normal traffic
        }
    }
}

where apply_the_algorithm_for_the_packet :

    (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
     - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
     + log((PKT_BYTES*8))/log(2);

and apply_the_algorithm_for_the_all_packets :

    (PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2))
     - (1 - ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2))))
     + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);

I will try to explain the idea behind the algorithm...

Suppose we have 3 complex strings: X, Y and Z

So... if we can calculate the complexity for each string using some formula
C(x), for a random/very complex string we have :

    C(X) + C(Y) + C(Z) < C(XYZ)

in other words .. if you have 3 complex things (C(x) C(y) c(z)) .. and
concatenate them ... you will have something much more complex (C(XYZ))

make sense ?

This is how the algorithm works for ddos detection... measuring a normal
traffic in a port number .. we will see a lot of random payloads... and during
an attack.. it will change (if the attacker does not randomize the payload).

So.. for a normal traffic:

    Complexity_of(Packet1) + Complexity_of(Packet2) + Complexity_of(PacketN) =< All_complexity(Packet1+Packet2+PacketN)

and for a ddos:

    Complexity_of(Packet1) + Complexity_of(Packet2) + Complexity_of(PacketN) > All_complexity(Packet1+Packet2+PacketN)

**************************
********* CODE ***********

/* Here we are simulating a normal traffic
 * each bitone represents the distribution of bit 1 in each packet payload
 * and in this case the value of bitone is random
 * */

#include <stdio.h>
#include <math.h>

float NUM_PKT_POLL = 10;   // Number of packets to process in each port number
float PKT_BYTES = 32;      // payload bytes to count the bit 1
float countonetotal = 0;
float THR = 0.3;           // I will explain it later
float bitone = 0;

int main()
{
    int i;
    float kolmogorov_total = 0;
    float kolmogorov_packet = 0;

    bitone = 200;
    kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
        - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
        + log((PKT_BYTES*8))/log(2);
    countonetotal += 200;

    bitone = 122;
    kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
        - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
        + log((PKT_BYTES*8))/log(2);
    countonetotal += 122;

    bitone = 140;
    kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
        - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
        + log((PKT_BYTES*8))/log(2);
    countonetotal += 140;

    bitone = 150;
    kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
        - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
        + log((PKT_BYTES*8))/log(2);
    countonetotal += 150;

    bitone = 150;
    kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
        - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
        + log((PKT_BYTES*8))/log(2);
    countonetotal += 150;

    bitone = 150;
    kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
        - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
        + log((PKT_BYTES*8))/log(2);
    countonetotal += 150;

    bitone = 150;
    kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
        - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
        + log((PKT_BYTES*8))/log(2);
    countonetotal += 150;

    bitone = 150;
    kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
        - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
        + log((PKT_BYTES*8))/log(2);
    countonetotal += 150;

    bitone = 150;
    kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
        - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
        + log((PKT_BYTES*8))/log(2);
    countonetotal += bitone;

    bitone = 150;
    kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
        - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
        + log((PKT_BYTES*8))/log(2);
    countonetotal += bitone;

    kolmogorov_total = (PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2))
        - (1 - ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2))))
        + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);

    if(kolmogorov_total < kolmogorov_packet)
        printf("ATTACK DETECTED\n");
    else
        printf("NORMAL TRAFFIC\n");

    return 0;
}

**************************
********* CODE ***********

/* This is the same code ... but simulating a ddos attack */

#include <stdio.h>
#include <math.h>

float NUM_PKT_POLL = 10;
float PKT_BYTES = 32;
float countonetotal = 0;
float THR = 0.3;
float bitone = 0;

int main()
{
    int i;
    float kolmogorov_total = 0;
    float kolmogorov_packet = 0;

    bitone = 200;
    kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
        - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
        + log((PKT_BYTES*8))/log(2);
    countonetotal += 200;

    bitone = 122;
    kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
        - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
        + log((PKT_BYTES*8))/log(2);
    countonetotal += 122;

    bitone = 140;
    kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
        - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
        + log((PKT_BYTES*8))/log(2);
    countonetotal += 140;

    bitone = 150;
    kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
        - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
        + log((PKT_BYTES*8))/log(2);
    countonetotal += 150;

    bitone = 150;
    kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
        - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
        + log((PKT_BYTES*8))/log(2);
    countonetotal += 150;

    bitone = 150;
    kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
        - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
        + log((PKT_BYTES*8))/log(2);
    countonetotal += 150;

    bitone = 150;
    kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
        - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
        + log((PKT_BYTES*8))/log(2);
    countonetotal += 150;

    bitone = 150;
    kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
        - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
        + log((PKT_BYTES*8))/log(2);
    countonetotal += 150;

    bitone = 150;
    kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
        - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
        + log((PKT_BYTES*8))/log(2);
    countonetotal += bitone;

    bitone = 150;
    kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
        - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
        + log((PKT_BYTES*8))/log(2);
    countonetotal += bitone;

    kolmogorov_total = (PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2))
        - (1 - ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2))))
        + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);

    if(kolmogorov_total < kolmogorov_packet)
        printf("ATTACK DETECTED\n");
    else
        printf("NORMAL TRAFFIC\n");

    return 0;
}

On Mon, Oct 12, 2009 at 10:03 AM, Matt Jonkman wrote:

> Yes! We have all the right people here. Shoot us your idea!
>
> Matt
From tomb at byrneit.net Sat Oct 24 13:10:47 2009
From: tomb at byrneit.net (Tomas L. Byrnes)
Date: Sat, 24 Oct 2009 10:10:47 -0700
Subject: [Oisf-wg-portscan] Hey
In-Reply-To: <2e18a850910112217o2f2dd14cg9fc846dad167a97@mail.gmail.com>
References: <65f41b5a0910111535m1b8fe8aal8b461a1f72b01b33@mail.gmail.com> <2e18a850910112217o2f2dd14cg9fc846dad167a97@mail.gmail.com>
Message-ID: <70D072392E56884193E3D2DE09C097A9381E9D@pascal.zaphodb.org>

0BADBEEF ;-)

From: oisf-wg-portscan-bounces at openinfosecfoundation.org [mailto:oisf-wg-portscan-bounces at openinfosecfoundation.org] On Behalf Of AdityaK
Sent: Sunday, October 11, 2009 10:17 PM
To: DDoS and Portscan methods discussion
Subject: Re: [Oisf-wg-portscan] Hey

I am on this, so where is the beef, aka code?

On Mon, Oct 12, 2009 at 10:45 AM, Jamie wrote:

I'm on this one.

Cheers,
Jamie

Sent on the go

On 11 Oct 2009, at 23:35, Breno Silva wrote:

> [...]

--
/ak
Ignorance is Bliss, Security is an Illusion

From tomb at byrneit.net Sat Oct 24 13:15:56 2009
From: tomb at byrneit.net (Tomas L. Byrnes)
Date: Sat, 24 Oct 2009 10:15:56 -0700
Subject: [Oisf-wg-portscan] Hey
In-Reply-To: <65f41b5a0910120857o76860ceam8ee1734fa7019f76@mail.gmail.com>
References: <4AD3292C.8070702@jonkmans.com> <65f41b5a0910120857o76860ceam8ee1734fa7019f76@mail.gmail.com>
Message-ID: <70D072392E56884193E3D2DE09C097A9381E9E@pascal.zaphodb.org>

I think the problem with this is that you're assuming that the PAYLOAD of traffic to a given port, especially UDP, is highly random in the case of normal traffic, and highly self-similar in the case of (D)DOS.

This is not true, especially for widely used services such as DNS. The vast majority of DNS packets are HIGHLY self-similar, especially the ones to/from Authoritative Nameservers, which are usually answering queries for the exact same RRSETs all the time.

From: oisf-wg-portscan-bounces at openinfosecfoundation.org [mailto:oisf-wg-portscan-bounces at openinfosecfoundation.org] On Behalf Of Breno Silva
Sent: Monday, October 12, 2009 8:58 AM
To: DDoS and Portscan methods discussion
Subject: Re: [Oisf-wg-portscan] Hey

Hi Guys

Good to hear from you.

I'm sending two simple codes for discussion, if it can be used as a part of a future ddos detection engine.

The idea is to create something to measure the traffic entropy. Most ddos attacks change (decrease) the entropy of certain traffic.

This is a pseudo-code to implement the idea:

for_each_packet() {

    case udp:
        udp_packet[dest port]->count_bit_1_for_the_packet
        udp_packet[dest port]->store_sddr_daddr_ports_etc
        alfa += apply_the_algorithm_for_the_packet(udp_packet[dest port]->count_bit_1_for_the_packet)
        countbit1total[dest port] += udp_packet[dest port]->count_bit_1_for_the_packet

    case tcp:
        tcp_packet[dest port]->count_bit_1_for_the_packet
        tcp_packet[dest port]->store_sddr_daddr_ports_etc
        alfa += apply_the_algorithm_for_the_packet(tcp_packet[dest port]->count_bit_1_for_the_packet)
        countbit1total[dest port] += tcp_packet[dest port]->count_bit_1_for_the_packet

    if(we_have_200_packets_in_this_port)
    {
        beta = apply_the_algorithm_for_the_all_packets(countbit1total[dest port])

        if(beta < alfa)
        {
            attack detected
        }
        else {
            normal traffic
        }
    }
}

where

apply_the_algorithm_for_the_packet :

(PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2)) - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2)))) + log((PKT_BYTES*8))/log(2);

and

apply_the_algorithm_for_the_all_packets :

(PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2)) - (1 - ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2)))) + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);

I will try to explain the idea behind the algorithm...

Suppose we have 3 complex strings: X, Y and Z

So... if we can calculate the complexity for each string using some formula C(x), for a random/very complex string we have: C(X) + C(Y) + C(Z) < C(XYZ)

in other words... if you have 3 complex things (C(x), C(y), C(z)) and concatenate them, you will have something much more complex (C(XYZ))

make sense?

This is how the algorithm works for ddos detection... measuring normal traffic on a port number we will see a lot of random payloads... and during an attack it will change (if the attacker does not randomize the payload).

So... for normal traffic:

Complexity_of(Packet1) + Complexity_of(Packet2) + Complexity_of(PacketN) =< All_complexity(Packet1+Packet2+PacketN)

and for a ddos:

Complexity_of(Packet1) + Complexity_of(Packet2) + Complexity_of(PacketN) > All_complexity(Packet1+Packet2+PacketN)

/* Here we are simulating a normal traffic
 * each bitone represents the distribution of bit 1 in each packet payload
 * and in this case the value of bitone is random
 *
 */

#include <stdio.h>
#include <math.h>

float NUM_PKT_POLL = 10;   // Number of packets to process in each port number
float PKT_BYTES = 32;      // payload bytes to count the bit 1
float countonetotal = 0;
float THR = 0.3;           // I will explain it later
float bitone = 0;

int main()
{
    int i;
    float kolmogorov_total = 0;
    float kolmogorov_packet = 0;
    /* bit-1 count of each sampled packet payload, in the order posted */
    float samples[10] = {200, 122, 140, 150, 150, 150, 150, 150, 150, 150};

    for (i = 0; i < NUM_PKT_POLL; i++) {
        bitone = samples[i];
        /* apply_the_algorithm_for_the_packet */
        kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
                             - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
                             + log((PKT_BYTES*8))/log(2);
        countonetotal += bitone;
    }

    /* apply_the_algorithm_for_the_all_packets */
    kolmogorov_total = (PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2))
                       - (1 - ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2))))
                       + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);

    if(kolmogorov_total < kolmogorov_packet)
        printf("ATTACK DETECTED\n");
    else
        printf("NORMAL TRAFFIC\n");

    return 0;
}

**************************

********* CODE ***********

/* This is the same code ... but simulating a ddos attack
 */

#include <stdio.h>
#include <math.h>

float NUM_PKT_POLL = 10;   // Number of packets to process in each port number
float PKT_BYTES = 32;      // payload bytes to count the bit 1
float countonetotal = 0;
float THR = 0.3;
float bitone = 0;

int main()
{
    int i;
    float kolmogorov_total = 0;
    float kolmogorov_packet = 0;
    /* bit-1 count of each sampled packet payload, in the order posted
     * (the same ten values as the normal-traffic listing above) */
    float samples[10] = {200, 122, 140, 150, 150, 150, 150, 150, 150, 150};

    for (i = 0; i < NUM_PKT_POLL; i++) {
        bitone = samples[i];
        /* apply_the_algorithm_for_the_packet */
        kolmogorov_packet += (PKT_BYTES*8)*(((-(bitone)/(PKT_BYTES*8))*(log((bitone)/(PKT_BYTES*8))/log(2))
                             - (1 - ((bitone)/(PKT_BYTES*8)))*(log(1-((bitone)/(PKT_BYTES*8)))/log(2))))
                             + log((PKT_BYTES*8))/log(2);
        countonetotal += bitone;
    }

    /* apply_the_algorithm_for_the_all_packets */
    kolmogorov_total = (PKT_BYTES*8*NUM_PKT_POLL)*(((-(countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))*(log((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL))/log(2))
                       - (1 - ((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))*(log(1-((countonetotal)/(PKT_BYTES*8*NUM_PKT_POLL)))/log(2))))
                       + log((PKT_BYTES*8*NUM_PKT_POLL))/log(2);

    if(kolmogorov_total < kolmogorov_packet)
        printf("ATTACK DETECTED\n");
    else
        printf("NORMAL TRAFFIC\n");

    return 0;
}

On Mon, Oct 12, 2009 at 10:03 AM, Matt Jonkman wrote:

Yes! We have all the right people here. Shoot us your idea!

Matt

Jeff Dickey wrote:
> I think what Matt was trying to say was "hey, Breno, everybody with a
> technical interest in OISF is on the list; don't ask to ask - what's the
> code you've got?"
>
> But I'll join the flood anyway :-)
>
> On 12/10/09 07:21 , "Matt Jonkman" wrote:
>> [...]
From breno.silva at gmail.com Sun Oct 25 08:22:28 2009
From: breno.silva at gmail.com (Breno Silva)
Date: Sun, 25 Oct 2009 11:22:28 -0200
Subject: [Oisf-wg-portscan] Hey
In-Reply-To: <70D072392E56884193E3D2DE09C097A9381E9E@pascal.zaphodb.org>
References: <4AD3292C.8070702@jonkmans.com> <65f41b5a0910120857o76860ceam8ee1734fa7019f76@mail.gmail.com> <70D072392E56884193E3D2DE09C097A9381E9E@pascal.zaphodb.org>
Message-ID: <65f41b5a0910250622qc15513jb35c7b116464a09a@mail.gmail.com>

Hi Tomas,

I have an implementation of this in my internal and external network. However my internal network is very big and my external is AS7738 and AS8167. In both cases it is working well, almost without false positives and with a good rate of attack detection.

But in both cases the traffic is highly random (internal is less random)... but working well.

However I never tested it in a small LAN. If you have one I can send you a code for testing.

What do you think?

Thanks

Breno

On Sat, Oct 24, 2009 at 3:15 PM, Tomas L. Byrnes wrote:

> I think the problem with this is that you're assuming that the PAYLOAD of
> traffic to a given port, especially UDP, is highly random in the case of
> normal traffic, and highly self-similar in the case of (D)DOS.
>
> This is not true, especially for widely used services such as DNS. The vast
> majority of DNS packets are HIGHLY self-similar, especially the ones to/from
> Authoritative Nameservers, which are usually answering queries for the exact
> same RRSETs all the time.
>
> From: oisf-wg-portscan-bounces at openinfosecfoundation.org [mailto:oisf-wg-portscan-bounces at openinfosecfoundation.org] On Behalf Of Breno Silva
> Sent: Monday, October 12, 2009 8:58 AM
> To: DDoS and Portscan methods discussion
> Subject: Re: [Oisf-wg-portscan] Hey
>
> [...]