- In this instance, the suspect had been visiting very specific web sites, however he wiped his Internet History and “scrubbed” his hard drive after every attempt. The Internet Firewall Logs could provide you with data of where he was visiting.
2014-06-11 13:42:46 CLOSE TCP 5.1.2.140 171.161.161.173 3054 80 - - - - - - - - -
2014-06-11 13:42:46 OPEN TCP 5.1.2.140 171.161.161.173 3056 443 - - - - - - -
Detection of Port Scanning
2014-06-13 10:08:59 DROP TCP 29.39.187.22 29.39.187.182 4884 83 48 S 1714153331 0 65535 - - - RECEIVE
2014-06-13 10:08:59 DROP TCP 29.39.187.22 29.39.187.182 4885 941 48 S 1344758057 0 65535 - - - RECEIVE
2014-06-13 10:08:59 DROP TCP 29.39.187.22 29.39.187.182 4886 2433 48 S 2885764181 0 65535 - - - RECEIVE
2014-06-13 10:08:59 DROP TCP 29.39.187.22 29.39.187.182 4887 2433 48 S 162617412 0 65535 - - - RECEIVE
2014-06-13 10:08:59 DROP TCP 29.39.187.22 29.39.187.182 4888 941 48 S 1655770406 0 65535 - - - RECEIVE
2014-06-13 10:08:59 DROP TCP 29.39.187.22 29.39.187.182 4889 83 48 S 4255030500 0 65535 - - - RECEIVE
2014-06-13 10:08:59 DROP TCP 29.39.187.22 29.39.187.182 4890 714 48 S 4125832776 0 65535 - - - RECEIVE
Finding Port Scanning
- We can look for two types of scans:
- Horizontal (Same port, many different machines)
- Vertical (Same machine, many different ports)
- Each type leaves a different signature in the logs
- Import logs into Excel
Examining Scans Data
- Import firewall logs into Excel
- This makes scans easy to spot manually
 |
| Horizontal Scans |
 |
| Vertical Scans |