Overview

This document describes the attacks used in the two weeks of test data. The first section is an overview of the attacks themselves. It gives a detailed explanation of each attack, describes the categories we used to classify the attacks, and describes the various ways an attack can run. The second section lists every attack in the test data and specific attributes of each attack.

Attack Overview

This section describes the attacks and how they were run. It first defines the four classes of attacks and lists which attacks are in each class. Next it gives a detailed explanation of each attack. Finally, it defines the different ways an attack may be carried out, such as steps taken to make the attack stealthy or the actions taken once the attack has succeeded.

Attack Classification

User=>Root An attacker who has access to a local account on a computer system is able to elevate his or her privileges by exploiting a bug in the operating system or a program that is installed on the system. 
Remote=>Local An attacker who has the ability to send packets to a machine over a network (but who does not have an account on that machine), gains local access (either as a user or as root) to that machine. 
Surveillance/Probing An attacker uses network services to collect information about a host (such as what services it offers, or what users have accounts on the machine). Such information can often be useful in staging a later attack. 
Denial Of Service An attacker who has the ability to send packets to a machine denies others access to the resources or services of that machine. 
The following chart breaks down our 37 exploit types by category and platform:

User=>Root
  Solaris (BSM): Eject, Ffbconfig, Fdformat, Ps
  SunOS:         Loadmodule
  Linux:         Perl, Xterm

Remote=>Local
  Solaris (BSM): Dictionary, Ftp-write, Guest, Phf, Xlock, Xsnoop
  SunOS:         Dictionary, Ftp-write, Guest, Phf, Xlock, Xsnoop
  Linux:         Dictionary, Ftp-write, Guest, Phf, Xlock, Xsnoop, Named, Sendmail, Imap

Denial Of Service
  Solaris (BSM): Apache2, Back, Mailbomb, Neptune (syn flood), Ping Of Death, Process Table, Smurf, Syslogd, UDP Storm
  SunOS:         Apache2, Back, Mailbomb, Neptune (syn flood), Ping Of Death, Process Table, Smurf, Land, UDP Storm
  Linux:         Apache2, Back, Mailbomb, Neptune (syn flood), Ping Of Death, Process Table, Smurf, Teardrop, UDP Storm

Surveillance/Probing
  Solaris (BSM): IP Sweep, Mscan, Nmap, Portsweep, Saint, Satan
  SunOS:         IP Sweep, Mscan, Nmap, Portsweep, Saint, Satan
  Linux:         IP Sweep, Mscan, Nmap, Portsweep, Saint, Satan

Description of Attacks

Apache2 Denial of service attack against an Apache web server where a client sends a request with many MIME headers. These requests will cause the server to slow down, and may eventually crash it.
Back Denial of service attack against an Apache web server where a client requests a URL containing many backslashes. As the server tries to process these requests it will slow down and be unable to process other requests. 
Dictionary Guess passwords for a valid user using simple variants of the account name. Dictionary guessing can be done over many services; the most common are telnet, ftp, pop, or imap. 
Eject (SunOS 5.5.1,5.5,5.4,5.3) Removable media devices that do not have an eject button or removable media devices that are managed by Volume Management use the eject program. Due to insufficient bounds checking on arguments in the volume management library, libvolmgt.so.1, it is possible to overwrite the internal stack space of the eject program. If exploited, this vulnerability can be used to gain root access on the target system. 
Ffbconfig (SunOS 5.5,5.5.1) The ffbconfig program configures the Creator Fast Frame Buffer (FFB) Graphics Accelerator, which is part of the FFB Configuration Software Package, SUNWffbcf. This software is used when the FFB Graphics accelerator card is installed. Due to insufficient bounds checking on arguments, it is possible to overwrite the internal stack space of the ffbconfig program. If exploited, this vulnerability can be used to gain root access on the target system. 
Fdformat (SunOS 5.5.1,5.5,5.4,5.3) The fdformat program formats diskettes and PCMCIA memory cards. The program also uses the same volume management library, libvolmgt.so.1, and is exposed to the same vulnerability as the eject program. 
Ftp-write The anonymous FTP root directory (~ftp) and its subdirectories should not be owned by the ftp account or be in the same group as the ftp account. This is a common configuration problem. If any of these directories are owned by ftp or are in the same group as the ftp account and are not write protected, an intruder will be able to add files (such as a .rhosts file) and eventually gain access to the system. 
Guest Try to guess password for guest account. Guest accounts are often left open or with simple passwords on badly configured systems. 
Httptunnel Multiple session scenario in which an attacker installs a client on the victim machine which wakes up at predefined times to talk to a server controlled by the attacker. All communication is performed in such a way as to make the transactions look like a normal user browsing web pages. 
Imap (UW IMAP prior to 10.165, multiple platforms) The Imap server must be run with root privileges so it can access mail folders and undertake some file manipulation on behalf of the user logging in. After login, these privileges are discarded. However, a vulnerability exists in the way the login transaction is handled, and this can be exploited to gain privileged access on the server. By sending carefully crafted text to a system running a vulnerable version of the Imap server, remote users can cause a buffer overflow and execute arbitrary instructions with root privileges. 
Ipsweep Surveillance sweep on a network to determine what machines are on a network, as well as what services these machines are running. 
Land Some implementations of TCP/IP are vulnerable to packets that are crafted in a particular way (a SYN packet in which the source address and port are the same as the destination--i.e., spoofed). Land is a widely available attack tool that exploits this vulnerability. 
Loadmodule (SunOS 4.1.x) The loadmodule program is used by the xnews window system server to load two dynamically loadable kernel drivers into the currently running system and to create special devices in the /dev directory to use those modules. Because of the way the loadmodule program sanitizes its environment, unauthorized users can gain root access on the local machine. A script is publicly available and has been used to exploit this vulnerability. 
Mailbomb Simple attack where an attacker floods a user's mailbox with messages. 
Mscan An IP and port scanner which looks for a variety of security weaknesses. 
Multihop Multi-day scenario in which a user first breaks into one machine, and then uses the compromised machine as a stepping stone for different attacks on other machines. Uses several different exploit methods to gain access. 
Named BIND 4.9 releases prior to BIND 4.9.7 and BIND 8 releases prior to 8.1.2 do not properly bounds check a memory copy when responding to an inverse query request. An improperly or maliciously formatted inverse query on a TCP stream can crash the server or allow an attacker to gain root privileges. 
Neptune For each half-open connection made to a machine the tcpd server adds a record to a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections. The half-open connections data structure on the victim server system will eventually fill; then the system will be unable to accept any new incoming connections until the table is emptied out. Normally there is a timeout associated with a pending connection, so the half-open connections will eventually expire and the victim server system will recover. However, the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the victim system can expire the pending connections. In some cases, the system may exhaust memory, crash, or be rendered otherwise inoperative. 
Nmap Network mapping using the nmap tool. The mode of exploring the network will vary; options include SYN, FIN and ACK scanning with both TCP and UDP, as well as ICMP (Ping) scanning. 
Perl On systems that support saved set-user-ID and set-group-ID, suidperl does not properly relinquish its root privileges when changing its effective user and group IDs. On a system that has the suidperl or sperl program installed and that supports saved set-user-ID and saved set-group-ID, anyone with access to an account on the system can gain root access. 
Phf Any CGI program which relies on the CGI function escape_shell_cmd() to prevent exploitation of shell-based library calls may be vulnerable to attack. In particular, this includes the "phf" program which is distributed with the example code. The phf program allows remote users to run arbitrary commands on the server. 
Pod Some systems will react in an unpredictable fashion when receiving oversized IP packets. Possible reactions include crashing, freezing, and rebooting. 
Portsweep Surveillance sweep through many ports to determine which services are supported on a single host. Portsweeps can be made partially stealthy by not finishing the 3-way handshake that opens a port (i.e., FIN scanning). 
Processtable Fills up the process table of a victim machine by slowly opening many sessions and letting them hang. Once the process table is full the victim will not be able to launch any additional processes. 
Ps (SunOS 5.x) A race condition in the ps program can be exploited to gain root access if the user has access to the temporary files. Access to temporary files may be obtained if the permissions on the /tmp and /var/tmp directories are set incorrectly. Any users logged in to the system may gain unauthorized root privileges by exploiting this race condition. 
Rootkit Rootkit is a scenario in which an attacker breaks into and then installs a rootkit on a target machine. A rootkit is a collection of programs that are intended to help a hacker maintain access to a machine once it has been compromised. A typical rootkit consists of a sniffer, versions of login, su, or other programs with backdoors which allow for access, and new versions of ps, netstat, and ls which hide the fact that a sniffer is running and hide files in certain directories. Once the rootkit has been installed, the attacker may come back several times to download the sniffer logs. 
Saint A network probing tool modeled after Satan. It performs IP and port scans looking for well known vulnerabilities. 
Satan Network probing tool which looks for well known security vulnerabilities. 
Sendmail With the release of sendmail version 8.8.3, a serious security vulnerability was introduced. By sending a carefully crafted email message to a system running a vulnerable version of sendmail, a remote intruder can force sendmail to execute arbitrary commands with root privileges. 
Smurf In the "smurf" attack, attackers use ICMP echo request packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. There are three parties in these attacks: the attacker, the intermediary, and the victim (note that the intermediary can also be a victim). 
Snmpgetattack A scenario in which an attacker guesses the SNMP community password and then remotely monitors router activity. The SNMP password is set to "public" by default, and is often never changed from this default value. 
Sqlattack Gain access to a shell on a remote system by escaping out of Postgres SQL. Once attackers have access to a shell they may execute other exploits to further elevate their privileges. 
Syslog When Solaris syslogd receives an external message it attempts to do a DNS lookup on the source IP. If this IP doesn't match a valid DNS record then syslogd will crash with a Segmentation Fault. 
Teardrop Some implementations of the TCP/IP IP fragmentation re-assembly code do not properly handle overlapping IP fragments. Teardrop is a widely available attack tool that exploits this vulnerability. 
Udpstorm When a connection is established between two UDP services, each of which produces output, these two services can produce a very high number of packets that can lead to a denial of service on the machine(s) where the services are offered. Anyone with network connectivity can launch an attack; no account access is needed. For example, by connecting a host's chargen service to the echo service on the same or another machine, all affected machines may be effectively taken out of service because of the excessive number of packets produced. 
Warez A multisession scenario in which the Warezmaster puts a file on an anonymous ftp site with a world-writeable directory (such as an "incoming" directory) and Warezclients then retrieve the file. 
Worm Attacker releases a self-replicating program which gains access to machines by using a priori knowledge of valid usernames and passwords. 
Xlock An attacker can send a trojan version of xlock to an open X server, hoping to convince the user to type in their password (which will then be returned to the attacker). 
Xsnoop Monitor keystrokes on the X server of a user who left their X display open (as would happen after typing xhost +), hoping to see the user type in a username and password. 
Xterm Problems exist in both the xterm program and the Xaw library that allow user supplied data to cause buffer overflows in both the xterm program and any program that uses the Xaw library. These buffer overflows are associated with the processing of data related to the inputMethod and preeditType resources (for both xterm and Xaw) and the *Keymap resources (for xterm). Exploiting these buffer overflows with xterm when it is installed setuid-root or with any setuid-root program that uses the Xaw library can allow an unprivileged user to gain root access to the system. 

Attack Attributes

Stealthiness

In addition to varying the methods and intentions of our simulated attackers, we also varied the extent to which an attacker tried to hide their actions from either an individual who is monitoring the system, or an Intrusion Detection System (IDS). There are several ways that an attacker can reduce their chances of being detected by the administrator of a network. A skilled attacker might try to cover their tracks by editing system logs or resetting the modification date on a file that they replaced or modified. These actions are generally intended to reduce the chance of detection by a human administrator. An attacker may also be aware that an Intrusion Detection System is monitoring a network, and may try to hide from the IDS as well. Methods for being stealthy vary depending on the type of attack.

Denial of Service
Usually Denial of Service attacks cannot be made stealthy. One possible method of trying to hide your actions is to gain the cooperation of a large group and break up the attack so pieces of it are coming from several different sources.

Probe
Several methods have been identified for either hiding the fact that a probe is occurring, or hiding the identity of the party who is doing the scanning. If we want to hide the fact that a probe is occurring, our simplest option is to let the probe occur slowly and make sure that it does not perform a linear sweep but that its behavior is more erratic. An intrusion detection system is going to have a very hard time identifying one stray connection per hour to some random port as a port sweep. Another method of scanning stealthily is to probe with half-open connections. A connection for which the three-way TCP handshake is never completed will not be logged by the operating system. There are several tools available which will do half-open or FIN scanning of a network.
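An added example (not from the original document) of the aggregation a detector needs in order to catch the slow, erratic sweep described above: distinct destination ports per source/destination pair over a long sliding window, run over constructed connection records. The timestamps, addresses, window length and threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(hour, minute):
    """Build a timestamp on one constructed day."""
    return datetime(1998, 6, 1, hour, minute)


# Constructed connection records: (timestamp, src, dst, dst_port).
# Illustrative values only, not taken from the evaluation data.
SAMPLE_CONNECTIONS = (
    # One probe per hour to a non-sequential port: the slow sweep from the text.
    [(_t(h, 17), "10.1.1.5", "172.16.112.50", port)
     for h, port in enumerate([21, 8080, 23, 111, 6000, 25, 143, 513, 79, 110, 53, 2049])]
    # A busy but legitimate web client: many connections, a single port.
    + [(_t(9, m), "10.1.1.9", "172.16.112.50", 80) for m in range(50)]
    # A workstation using a handful of services.
    + [(_t(10, 5), "10.1.1.7", "172.16.112.50", p) for p in (22, 25, 110)]
)


def detect_slow_sweeps(records, window=timedelta(hours=24), min_ports=8):
    """Return {(src, dst): sorted ports} for every pair that contacted at least
    `min_ports` distinct destination ports within some span no longer than
    `window`. Judging each connection on its own never fires on a one-port-per-hour
    sweep; judging the pair over a day-long window does."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        by_pair[(src, dst)].append((ts, port))

    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        lo = 0
        for hi, (ts_hi, _) in enumerate(events):
            # Advance the window start until events[lo..hi] spans at most `window`.
            while ts_hi - events[lo][0] > window:
                lo += 1
            ports = {p for _, p in events[lo:hi + 1]}
            if len(ports) >= min_ports:
                # Record the ports seen at the moment the threshold was crossed.
                alerts[pair] = sorted(ports)
                break
    return alerts
```

Volume-based thresholds (connections per minute) would rank the web client highest and the sweeper lowest; the port-diversity count over a long window reverses that ordering.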

One way of hiding your identity is to use a so-called FTP bounce probe. Some FTP servers will allow anyone to tell them to send data to a particular port on a particular machine. A hacker can look at the response the FTP server gives from such a request and ascertain whether that port is listening on the victim machine. The portscan will appear to be coming from an anonymous FTP server, and this simple step may be enough to assure that the party who is really doing the scanning is never identified.

User=>Root
Some IDSs that attempt to detect illegal User=>Root transitions rely on keyword spotting to detect intruders. For example, if the system sees the text of the C file for the publicly available Eject exploit come across a telnet or rlogin session it may flag this session as being suspicious. By uuencoding or MIME encoding the text of the code before sending it over the network connection, an attacker would avoid detection by such a system. It is also possible to identify attacks by looking at the output that is displayed on the terminal when the exploit is run. An attacker can avoid detection by this mechanism by sending all the output of the commands he runs to a file and encoding the file before displaying or transferring it.

A system might also look for an attacker to run some command which only root should be able to run, such as displaying the contents of the shadow password file. If an attacker wishes to hide from someone who is looking for certain suspicious commands or actions, he can obfuscate the invocation of these commands by using glob constructs and character replacement. Instead of typing the command "/bin/cat /etc/passwd", the attacker can issue the command "/[r,s,t,b]?[l,w,n,m]/[c,d]?t /?t[c,d,e]/*a?s*". When the shell tries to interpret this input string it will do replacement of the glob characters and find that the only valid match for this string is "/bin/cat /etc/passwd".
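A detection-side counterpart to the glob obfuscation above, added here as an example and not part of the original document: a normalizer that expands glob-obfuscated words component by component against a stand-in for the host's filesystem, so that the disguised invocation resolves back to "/bin/cat /etc/passwd" before any keyword match is attempted. The path list and the watchlist are constructed assumptions; on a real host the path inventory would come from the monitored system.

```python
import fnmatch
import re
import shlex

# Constructed stand-in for the monitored host's filesystem (assumption).
SAMPLE_PATHS = [
    "/bin/cat", "/bin/cp", "/bin/sh", "/bin/ls", "/usr/bin/id",
    "/etc/passwd", "/etc/shadow", "/etc/hosts.equiv", "/etc/hosts",
    "/var/log/syslog", "/tmp/x.c",
]

# Command/argument pairs a monitor would flag for a non-root user (assumption).
WATCHLIST = {("/bin/cat", "/etc/shadow"), ("/bin/cat", "/etc/passwd")}

GLOB_CHARS = re.compile(r"[*?\[]")


def _expand_word(word, paths):
    """Expand one shell word the way a Bourne shell does: metacharacters never
    match across '/', so each pattern component is matched against the
    corresponding path component. A pattern with no match is passed through
    literally, which is also what sh does."""
    if not GLOB_CHARS.search(word):
        return [word]
    pattern_parts = word.split("/")
    matches = []
    for path in paths:
        path_parts = path.split("/")
        if len(path_parts) != len(pattern_parts):
            continue
        if all(fnmatch.fnmatchcase(p, q) for p, q in zip(path_parts, pattern_parts)):
            matches.append(path)
    return sorted(matches) or [word]


def normalize_command(cmdline, paths=SAMPLE_PATHS):
    """Split a command line into words and replace each glob-obfuscated word
    with its expansion against `paths`. Multi-match globs expand to all matches,
    exactly as the shell would pass them to the program."""
    words = []
    for word in shlex.split(cmdline):
        words.extend(_expand_word(word, paths))
    return words


def is_suspicious(cmdline, paths=SAMPLE_PATHS):
    """Keyword matching applied to the normalized form rather than the raw
    text, so the obfuscated and the plain invocation are judged alike."""
    words = normalize_command(cmdline, paths)
    return any(tuple(words[i:i + 2]) in WATCHLIST for i in range(len(words) - 1))
```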

Finally, we might be able to avoid detection (or at least reduce the chances of identification), by separating the time of exploit from the initial time of access. This can be accomplished by submitting a job to the "at" or "cron" daemon which will run the attack at some later time. It would be possible for an attacker to log in as a normal user (which would not be noticed by an IDS) and submit a shell script to the "at" daemon which would execute any actions that the attacker desired three weeks (or six months, or five years!) after the attacker initially logged into the system. In the extreme case, an attacker could package up the whole session into one shell script which would:

  1. unzip binary code for an exploit
  2. run the exploit
  3. perform some actions while piping their output into a file
  4. and encode the file and send the encoded output of the session to the attacker
This script could be executed at any point in the future, not just at the time of initial access to the system. Such a session would look quite innocuous to a network-based intrusion detection system. In the test data, 50% of the User=>Root attacks were done in the clear with no actions, 25% were done in the clear with actions, and 25% were done stealthily with stealthy actions.

Remote=>Local
Many Remote=>Local attacks have a unique signature that is hard to alter. In a dictionary-based password guessing attack the user simply must connect to a service many times and try different passwords. If an attacker wants to gain access to a machine by remotely overflowing the IMAP service they have to transmit the code that overflows the buffer across the network in the clear. For this reason we have fewer options for making Remote=>Local attacks stealthy than we did with the User=>Root attacks. However, once we have gained access and are interacting with a shell, all the same methods that were outlined in the User=>Root case can be used to hide the actions of an attacker who has gained access by using a Remote=>Local exploit.

Hand-Run vs. Scripted

Most of the attacks in our simulation were run automatically from a pre-generated script. We used a combination of Perl, Expect and EXS type scripting to perform the automation of the attacks. Performing each attack by hand would have been a formidable task, and would have had the additional disadvantage that hand-run attacks require human effort each time they are run, whereas automated scripts take longer to develop but can be run many times without additional effort. Also, once a database of automated scripts was created, generating variations of these attacks was easy. About 10% of our attacks were run by hand (i.e., by an individual sitting at a computer and playing the role of an attacker). There were several reasons why we ran attacks by hand:
  1. Many scenario scripts were complicated and only needed to be run once or twice.
  2. Some attacks require interaction between the attacker and a legitimate user of the system (such as the xlock attack, where an attacker sends a fake version of xlock to an open X server, hoping that the user will type in their password).
  3. Some attacks were done by hand to create a more robust simulation of the interaction between a hacker and a system than was possible in an automated script.

Actions

Many of the attacks included within the data perform some set of actions which may not be directly related to the task of either gaining access or denying service. In some cases these actions are performed as part of a scenario where an attacker has a specific goal in mind. But, in many cases we added a few actions that an attacker would perform after gaining access even for the attacks that were not part of a scenario. We chose these actions from a set which we identified by looking at transcripts of actual intrusions, and by thinking about the goals and motivations a hacker might have. The following are descriptions of some of the actions that were performed during our simulation:
id An attacker would use "id" to check whether an exploit had gotten them root access 
cat /etc/passwd, cat /etc/shadow Once the attacker has collected the contents of the password file he can then try to crack passwords after he has disconnected. 
netstat An attacker might be interested in what network services a host offers. 
mount, showmount Usually an attacker would run these commands to look for NFS mounted drives that might give them access to another machine or additional data. 
cat /etc/hosts.equiv This is the list of trusted machines. By adding his own machine to this list of trusted hosts an attacker can assure himself later access. 
Creation of a suid root shell By making a copy of /bin/sh or some other shell and setting its permissions so the file is suid root the attacker can guarantee that they will later be able to get root access as long as they can get normal user access to the machine. 
w, who An attacker who is trying to avoid detection will be very concerned with who else is on the system. 
cat /var/log/syslog (or other logfiles) An attacker who wants to remain undetected will check logfiles and cleanup any evidence of a breakin that was left in these files. 
Editing .rhosts The .rhosts file is similar to /etc/hosts.equiv in that it specifies trusted hosts. If an attacker can add the string "+ +" to /root/.rhosts the system will allow anyone to perform remote commands (rsh, rlogin, rcp, etc.) as root on that system. 
uname The uname command will give an attacker information about the hardware and operating system of the host they are logged in to. 
Starting up new services An attacker may start a new listening port for later access to the machine. They may start up the tftp service which will later allow them to read any world-readable file on the system without authenticating themselves. They may bind a second listening telnet daemon to some port other than 23 to get around a firewall. Or, an attacker may set up netcat to listen on a port and give them a shell, or provide them with some piece of information whenever someone connects to that port and supplies the "magic word". The options for this type of action are boundless. For some examples look at the netcat README available at http://l0pht.com/~weld/netcat/readme.html. 

Attack Schedule

The following table lists all the attacks in the two weeks of test data. See the key at the end of the table for the meaning of each column.
Week Day Time AID Comp Attack Name Worked? Run By Stealth Source Machine Dest Machine Where
1 Mon 09:19:37 1 s multihop almost script clear 206.229.221.82 marx tcp
1 Mon 10:51:21 2 * portsweep yes script clear 207.136.86.223 marx tcp
1 Mon 14:49:52 3 * pod yes script clear 207.103.80.104 marx tcp
1 Mon 16:08:16 4 * teardrop yes script clear 123.123.123.123 zeno tcp
1 Mon 16:46:28 5 * syslog yes script clear 1.1.1.1 pascal tcp
1 Mon 17:12:52 6 s ps almost script clear 209.154.98.104 pascal tcp,bsm
1 Mon 17:12:52 6 b ps almost script clear 209.154.98.104 pascal tcp,bsm
1 Tues 08:31:46 7 * satan yes script clear 153.107.252.61 marx tcp
1 Tues 09:11:57 8 * format yes script stealthy 209.74.60.168 pascal tcp,bsm
1 Tues 10:11:30 9 * apache2 yes script clear 207.181.92.211 marx tcp
1 Tues 10:56:55 10 * worm partial script clear 194.27.251.21 eagle tcp
1 Tues 15:44:55 11 * format yes script clear 194.27.251.21 pascal tcp,bsm
1 Tues 17:25:00 12 * sqlattack yes script clear 135.13.216.191 falcon tcp
1 Tues 18:15:57 13 * neptune yes script clear 166.102.114.43 zeno tcp
1 Tues 19:43:50 14 * smurf yes script clear 100subs marx tcp
1 Wed 08:15:13 15 s multihop yes human clear 206.229.221.82 marx tcp
1 Wed 09:32:05 16 s httptunnel yes human clear 197.182.91.233 pascal tcp,bsm
1 Wed 10:34:10 17 * nmap yes human stealthy 207.253.84.13 linux2 tcp
1 Wed 15:21:15 18 e sendmail almost script clear 208.254.251.132 marx tcp
1 Wed 15:21:15 18 b sendmail almost script clear 208.254.251.132 marx tcp
1 Wed 16:30:05 19 * teardrop yes script clear 123.123.123.123 zeno tcp
1 Wed 19:19:00 20 * xterm normal script clear 197.182.91.233 linux1 tcp
1 Wed 20:07:38 21 * smurf yes script clear 199.174.194 marx tcp
1 Wed 21:52:01 22 * eject yes script stealthy 153.10.8.174 pascal tcp,bsm
1 Thurs 09:00:08 23 * snmpguess almost script clear 207.230.054.203 loud tcp
1 Thurs 09:08:22 24 * perlmagic almost script clear 166.102.114.43 marx tcp
1 Thurs 10:16:10 25 * pod yes script clear 152.204.242.193 * tcp
1 Thurs 10:23:19 26 * nmap yes human stealthy 207.253.84.13 linux2 tcp
1 Thurs 10:33:08 27 e named yes human clear 152.169.215.104 linux tcp
1 Thurs 10:33:08 27 b named yes human clear 152.169.215.104 linux tcp
1 Thurs 10:33:08 27 a named yes human clear 152.169.215.104 linux tcp
1 Thurs 14:32:32 28 * eject yes script stealthy 194.7.248.153 pascal tcp,bsm
1 Thurs 14:45:13 29 * land yes script clear zeno zeno tcp
1 Thurs 15:10:48 30 * smurf yes script clear 10subs linux3 tcp
1 Thurs 18:26:01 31 * satan normal script clear 135.13.216.191 zeno tcp
1 Thurs 22:23:17 32 * snmpgetattack almost script clear 208.239.005.230 loud tcp
1 Fri 08:03:06 33 * snmpgetattack yes script clear 207.230.54.203 loud tcp
1 Fri 09:27:09 34 * teardrop yes script clear 194.7.248.153 marx tcp
1 Fri 10:06:37 35 * format yes script stealthy 194.7.248.153 pascal tcp,bsm
1 Fri 12:41:54 36 * back yes script clear 204.97.153.43 marx tcp
1 Fri 14:41:28 37 * neptune yes script clear 9.9.9.9 pascal tcp
1 Fri 19:20:35 38 * processtable yes script clear calvin pascal tcp,bsm
1 Fri 19:50:59 39 * neptune yes script clear 10.20.30.40 pascal tcp
2 Mon 08:03:07 40 * snmpgetattack yes script clear 207.230.54.203 loud tcp
2 Mon 08:55:02 41 b named yes human clear calvin marx tcp
2 Mon 08:55:02 41 a named yes human clear calvin marx tcp
2 Mon 09:11:04 42 b xlock yes human clear 194.7.248.153 marx tcp
2 Mon 09:11:04 42 a xlock yes human clear 194.7.248.153 marx tcp
2 Mon 09:27:27 43 b xlock yes human clear 194.7.248.153 pascal tcp
2 Mon 09:27:27 43 a xlock yes human clear 194.7.248.153 pascal tcp,bsm
2 Mon 09:30:41 44 * smurf yes script clear 10subs pascal tcp
2 Mon 09:36:10 45-1 e multihop yes human clear 206.229.221.82 marx tcp
2 Mon 09:36:10 45-1 b multihop yes human clear 206.229.221.82 marx tcp
2 Mon 09:36:10 45-2 s multihop yes human clear 206.229.221.82 marx tcp
2 Mon 09:36:07 46 * ipsweep yes script clear 204.97.153.43 * tcp
2 Mon 09:38:58 47 b xsnoop yes human clear 194.27.251.21 pascal tcp
2 Mon 09:38:58 47 a xsnoop yes human clear 194.27.251.21 pascal tcp
2 Mon 09:54:39 48 e named yes human clear 204.97.153.43 linux1 tcp
2 Mon 09:54:39 48 b named yes human clear 204.97.153.43 linux1 tcp
2 Mon 09:54:39 48 a named yes human clear 204.97.153.43 linux1 tcp
2 Mon 10:34:11 49 * smurf yes script clear all.attackers marx tcp
2 Mon 10:43:55 50 b sendmail almost script clear 207.230.54.203 marx tcp
2 Mon 10:43:55 50 e sendmail almost script clear 207.230.54.203 marx tcp
2 Mon 10:43:55 50 a sendmail almost script clear 207.230.54.203 marx tcp
2 Mon 10:58:11 52 * dict normal human clear 205.160.208.190 pascal tcp,
2 Mon 11:01:23 53 * saint yes human clear calvin pascal tcp,bsm
2 Mon 11:15:16 54 * eject yes human stealthy 197.218.177.69 pascal tcp,bsm
2 Mon 14:01:26 55 * portsweep yes script clear 202.247.224.89 pascal tcp
2 Mon 15:21:20 56 b sendmail almost script clear 208.254.251.132 marx tcp
2 Mon 15:21:20 56 e sendmail almost script clear 208.254.251.132 marx tcp
2 Mon 15:21:20 56 a sendmail almost script clear 208.254.251.132 marx tcp
2 Mon 16:11:36 57 * pod yes script clear 207.103.80.104 pascal tcp
2 Mon 18:20:01 51 * pod partial script clear 206.222.3.197 * tcp
2 Mon 18:22:34 58 * apache2 yes script clear 196.227.33.189 marx tcp
2 Mon 19:18:07 59 * xterm normal script clear 197.182.91.233 linux1 tcp
2 Mon 20:46:48 60 * format yes script clear 195.73.151.50 pascal tcp,bsm
2 Mon 20:58:00 61 * phf normal script clear 208.254.251.132 marx tcp
2 Mon 21:06:52 62 * udpstorm yes script clear 172.16.112.50 zeno tcp
2 Mon 23:10:31 63 * format yes script clear 202.49.244.10 pascal tcp,bsm
2 Mon 23:16:43 64 * smurf yes script clear 152.169.215,202.77.162 marx tcp
2 Mon 23:26:37 65 * smurf yes script ttl 255.255.255.255.et.al pascal tcp
2 Tues 08:08:29 66-1 * warezmaster yes script clear 200.27.121.118 pascal tcp,bsm
2 Tues 08:27:28 68 * portsweep yes script clear 135.8.60.182 marx tcp
2 Tues 09:00:19 69 a multihop yes script clear 206.229.221.82 marx tcp
2 Tues 09:08:32 70 * perlmagic yes script clear 166.102.114.43 marx tcp
2 Tues 09:09:03 71 b xsnoop yes human clear 200.27.121.118 pascal tcp
2 Tues 09:09:03 71 a xsnoop yes human clear 200.27.121.118 pascal tcp,bsm
2 Tues 10:33:08 72 * pod yes script clear 209.30.70.14 linux1 tcp
2 Tues 11:20:57 73 * guest almost script clear 195.73.151.50 pascal tcp
2 Tues 11:23:37 74 * dict yes script clear 208.239.5.230 marx tcp
2 Tues 11:55:17 75-1 s format yes script stealthy 209.30.71.165 pascal tcp,bsm
2 Tues 11:55:17 75-3 b format yes script stealthy 209.30.71.165 pascal tcp,bsm
2 Tues 12:14:12 76 e sendmail yes script clear 204.97.153.43 marx tcp
2 Tues 12:14:12 76 b sendmail yes script clear 204.97.153.43 marx tcp
2 Tues 12:14:12 76 a sendmail yes script clear 204.97.153.43 marx tcp
2 Tues 13:20:35 77 * eject yes script clear 195.115.218.108 pascal tcp,bsm
2 Tues 15:17:26 78 * satan yes script clear 208.253.77.185 zeno tcp
2 Tues 17:33:53 79 * xterm almost script stealthy 194.27.251.21 linux1 tcp
2 Tues 17:36:25 80 * mscan yes script clear 207.75.239.115 * tcp,bsm
2 Tues 18:04:07 81 * processtable yes script clear calvin pascal tcp,bsm
2 Tues 19:19:27 82 * xterm almost script clear 197.182.91.233 linux1 tcp
2 Tues 21:03:36 83 * smurf yes script ttl 209.1.12.* linux2 tcp
2 Wed 08:03:06 84 * snmpgetattack yes script clear 207.230.54.203 loud tcp
2 Wed 08:15:06 66-3 * warezclient yes script clear all.attackers pascal tcp,bsm
2 Wed 09:39:29 86 * xterm almost human clear 209.167.99.71 linux1 tcp
2 Wed 10:06:44 87 e ps yes human clear 209.154.98.104 pascal tcp,bsm
2 Wed 10:06:44 87 s ps yes human clear 209.154.98.104 pascal tcp
2 Wed 10:06:44 87 b ps yes human clear 209.154.98.104 pascal tcp,bsm
2 Wed 10:16:15 88 * nmap yes human stealthy 207.253.84.13 linux2 tcp
2 Wed 10:24:39 89 * dict yes script stealthy 152.169.215.104 marx tcp
2 Wed 10:26:12 90 b xterm yes human clear 194.27.251.21 linux1 tcp
2 Wed 10:26:12 90 s xterm yes human clear 194.27.251.21 linux1 tcp
2 Wed 10:33:27 91 b rootkit yes human clear 153.10.8.174 marx tcp
2 Wed 10:33:27 91 a rootkit yes human clear 153.10.8.174 marx tcp
2 Wed 10:52:58 92 * xterm yes human clear 197.182.91.233 linux1 tcp
2 Wed 11:11:28 93 * neptune yes script ttl 10.140.175.080 zeno tcp
2 Wed 12:40:23 94 * udpstorm yes script clear pascal zeno tcp
2 Wed 13:32:38 95 * loadmodule yes script clear 205.180.112.36 zeno tcp
2 Wed 13:46:54 96 * syslog yes script clear 194.7.248.153 pascal tcp
2 Wed 14:10:49 97 b xlock almost human clear 197.218.177.69 pascal tcp
2 Wed 14:10:49 97 a xlock almost human clear 197.218.177.69 pascal tcp,bsm
2 Wed 14:12:44 98 * xterm almost script stealthy 135.13.216.191 linux1 tcp
2 Wed 14:36:15 99 * imap yes human clear calvin marx tcp
2 Wed 14:40:57 100 * xlock almost human clear 197.218.177.69 pascal tcp
2 Wed 15:46:55 101 * back yes script clear 209.117.157.183 marx tcp
2 Wed 19:26:57 102 s ps yes script clear 197.218.177.69 pascal tcp
2 Wed 19:26:57 102 b ps yes script clear 197.218.177.69 pascal tcp,bsm
2 Wed 20:07:16 103 * ipsweep yes script clear 194.7.248.153 * tcp
2 Wed 20:59:25 104 * ffb yes script clear 208.239.5.230 pascal tcp,bsm
2 Thurs 08:03:06 105 * snmpgetattack yes script clear 207.230.54.203 loud tcp
2 Thurs 08:15:05 66-4 * warezclient yes script clear all.attackers pascal tcp,bsm
2 Thurs 08:29:54 107 * dict almost human clear calvin marx tcp
2 Thurs 09:00:09 108 a multihop yes script clear 206.229.221.82 pascal tcp
2 Thurs 09:15:00 147 s eject yes human at 135.008.060.182 pascal tcp,bsm
2 Thurs 09:36:05 109 * portsweep yes script stealthy 195.73.151.50 pascal tcp
2 Thurs 09:41:52 110 * nmap yes human stealthy 207.253.84.13 linux2 tcp
2 Thurs 10:44:06 106 b sendmail yes script clear 207.230.54.203 marx tcp
2 Thurs 10:44:06 106 e sendmail yes script clear 207.230.54.203 marx tcp
2 Thurs 10:44:06 106 a sendmail yes script clear 207.230.54.203 marx tcp
2 Thurs 11:37:27 111 * loadmodule yes script clear 135.13.216.191 zeno tcp
2 Thurs 11:59:43 112 * eject yes human clear 197.182.91.233 pascal tcp,bsm
2 Thurs 12:30:03 113-1 e httptunnel yes human clear pascal calvin tcp
2 Thurs 12:30:03 113-1 a httptunnel yes human clear pascal calvin tcp
2 Thurs 13:30:49 114 * neptune yes script clear 209.74.60.168 zeno tcp
2 Thurs 13:42:55 115 * eject yes human clear 197.182.91.233 pascal tcp,bsm
2 Thurs 14:36:02 116 * worm partial script clear 194.27.251.21 eagle tcp
2 Thurs 17:56:34 117 * processtable yes script clear calvin pascal tcp,bsm
2 Thurs 19:33:05 118 * satan normal script clear 202.72.1.77 zeno tcp
2 Thurs 20:15:14 119 * neptune yes script clear 135.13.216.191 pascal tcp
2 Thurs 21:13:12 120 * format yes script stealthy 206.186.80.111 pascal tcp,bsm
2 Thurs 21:14:46 121 * mailbomb yes script clear 204.233.47.21 pascal tcp,bsm
2 Thurs 23:26:16 122 * portsweep yes script stealthy 128.223.199.68 zeno tcp
2 Thurs 02:02:57 123 * xterm almost script stealthy 209.154.98.104 linux1 tcp
2 Thurs 02:09:29 124 * dict almost script stealthy 152.169.215.104.et.al marx tcp
2 Fri 08:04:11 125 * snmpgetattack yes script clear 207.230.54.203 loud tcp
2 Fri 08:16:11 66-5 * warezclient yes script clear all.attackers pascal tcp,bsm
2 Fri 08:43:22 127 e xterm yes human clear calvin,209.167.99.71 linux1 tcp
2 Fri 08:43:22 127 b xterm yes human clear calvin,209.167.99.71 linux1 tcp
2 Fri 08:43:22 127 s xterm yes human clear calvin,209.167.99.71 linux1 tcp
2 Fri 08:49:26 128 b ftp-write yes human clear 194.27.251.21 pascal tcp,bsm
2 Fri 08:49:26 128 a ftp-write yes human clear 194.27.251.21 pascal tcp,bsm
2 Fri 08:53:05 129 b ps yes human clear 207.136.86.223 pascal tcp,bsm
2 Fri 08:53:05 129 s ps yes human clear 207.136.86.223 pascal tcp,bsm
2 Fri 09:01:08 113-3 e httptunnel yes human stealthy pascal mars tcp
2 Fri 09:01:08 113-3 a httptunnel yes human stealthy pascal mars tcp
2 Fri 09:03:57 130 b rootkit yes human clear 135.8.60.182 pascal tcp,bsm
2 Fri 09:03:57 130 s rootkit yes human clear 135.8.60.182 pascal tcp,bsm
2 Fri 09:03:57 130 a rootkit yes human clear 135.8.60.182 pascal tcp,bsm
2 Fri 09:33:40 132 * teardrop yes script clear 222.222.222.222 marx tcp
2 Fri 09:33:41 133 * dict almost human stealthy 172.16.112.149 mars tcp
2 Fri 10:20:15 134 * saint yes human clear 197.218.177.69 * tcp,bsm
2 Fri 10:30:11 135 * neptune yes human ttl 18.28.38.48 pascal tcp
2 Fri 12:27:21 136 s ps yes script clear 202.49.244.10 pascal tcp,bsm
2 Fri 12:27:21 136 b ps yes script clear 202.49.244.10 pascal tcp,bsm
2 Fri 12:48:24 137 * eject yes human stealthy 153.107.252.61 pascal tcp,bsm
2 Fri 13:27:39 138 * land yes script clear eyrie * tcp
2 Fri 14:11:41 139 * sqlattack yes script clear 153.10.8.174 falcon tcp
2 Fri 14:41:11 140 * dict almost human clear 172.16.113.105 mars tcp
2 Fri 16:22:02 141 b sendmail yes script clear 194.7.248.153 marx tcp
2 Fri 16:22:02 141 e sendmail yes script clear 194.7.248.153 marx tcp
2 Fri 16:22:02 141 a sendmail yes script clear 194.7.248.153 marx tcp
2 Fri 16:46:15 142 * ipsweep yes script clear 135.13.216.191 * tcp
2 Fri 17:48:37 143 * satan normal script clear 207.114.237.57 zeno tcp
2 Fri 18:16:42 144 * pod yes script clear 196.227.33.189 linux1 tcp
2 Fri 20:18:38 145 * phf yes script clear 197.182.91.233 marx tcp
2 Fri 21:04:50 146 * apache2 yes script clear 202.72.1.77 marx tcp

Key

Week The week (1 or 2) of the test data this attack ran on. 
Day The day this attack ran on. 
Time The time this attack ran. 
AID The ID for this attack. Every attack gets a unique ID number. If an attack is responsible for multiple connections, each connection will have the same ID number. Multi-session attacks have a sequence number appended to their attack ID number in the form [AID]-[sequence number]. These sequence numbers are only used for attacks in which the connections occur at significantly different times.
Comp For attacks which generate multiple connections, each connection is labeled with the attack components it contains. The possible labels are: 
Setup(s) Actions, such as transferring files or compiling the exploit, which prepare for the actual breakin. 
Breakin(b) The point at which the intruder gains a higher level of permissions than he should normally be allowed. 
Actions(a) The actions taken by the intruder after breaking in. 
Extraneous(e) Spurious connections not directly related to any of the other phases of the attack. 
 
Attack Name The name of the attack. Clicking on an attack name will take you to the description of that attack. 
Worked To what degree the attack succeeded. Possible values are: 
yes The attack achieved its objective (getting root privileges, probing a machine, etc). 
almost The attack generated suspicious looking activity but did not succeed. 
partial The attack generated somewhat suspicious activity but did not succeed. 
normal The attack only generated normal traffic and never did anything suspicious. 
 
Run By Whether the attack was run by an automated script or by hand. 
Stealth Whether the attack was done in the clear or some effort was made to conceal it. 
Source Machine The source IP address(es) of the attack. This is not necessarily the true machine the attack came from if the packets were forged.
Dest Machine The IP address of the machine the attacker connected to. A '*' indicates that the attack connected to multiple machines.
Where The data (bsm or tcpdump) which should contain evidence of the attack.
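The following parser is an added example, not part of the original attack list, showing how to read rows of the table above into records using the field definitions in this key. It handles the cases the table actually contains: multi-session AIDs such as 66-1, per-connection component labels (s, b, a, e or *), comma-separated source machines such as calvin,209.167.99.71, a '*' destination, and the tcp / tcp,bsm "Where" column. The sample rows embedded in it are copied from the table; the function and class names are the example's own.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Component codes as defined in the Key.  '*' means the connection is not
# broken down into components (single-connection attack).
COMPONENTS = {"s": "setup", "b": "breakin", "a": "actions", "e": "extraneous", "*": "all"}
WORKED_VALUES = {"yes", "almost", "partial", "normal"}
RUN_BY_VALUES = {"script", "human"}


@dataclass
class AttackRecord:
    week: int
    day: str
    time: str
    aid: int                  # base attack ID, e.g. 66 for "66-1"
    sequence: Optional[int]   # session number for multi-session attacks, else None
    component: str            # setup / breakin / actions / extraneous / all
    name: str
    worked: str
    run_by: str
    stealth: str
    sources: List[str]        # one or more source machines / addresses
    dest: str                 # '*' means multiple destination machines
    where: List[str]          # data sources holding evidence: "tcp", "bsm"


def parse_line(line: str) -> AttackRecord:
    """Parse one whitespace-separated row of the attack table."""
    fields = line.split()
    if len(fields) != 12:
        raise ValueError(f"expected 12 fields, got {len(fields)}: {line!r}")
    week, day, time, aid_field, comp, name, worked, run_by, stealth, src, dst, where = fields
    if "-" in aid_field:                      # multi-session form [AID]-[sequence]
        aid_s, seq_s = aid_field.split("-", 1)
        sequence: Optional[int] = int(seq_s)
    else:
        aid_s, sequence = aid_field, None
    if comp not in COMPONENTS:
        raise ValueError(f"unknown component code {comp!r} in {line!r}")
    if worked not in WORKED_VALUES:
        raise ValueError(f"unknown Worked value {worked!r} in {line!r}")
    if run_by not in RUN_BY_VALUES:
        raise ValueError(f"unknown Run By value {run_by!r} in {line!r}")
    return AttackRecord(
        week=int(week), day=day, time=time, aid=int(aid_s), sequence=sequence,
        component=COMPONENTS[comp], name=name, worked=worked, run_by=run_by,
        stealth=stealth, sources=src.split(","), dest=dst, where=where.split(","),
    )


def parse_table(text: str) -> List[AttackRecord]:
    """Parse every non-blank row of a block of table text."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def group_by_aid(records: List[AttackRecord]) -> Dict[int, List[AttackRecord]]:
    """Collect all connections (components and sessions) belonging to one attack."""
    groups: Dict[int, List[AttackRecord]] = defaultdict(list)
    for rec in records:
        groups[rec.aid].append(rec)
    return dict(groups)


def attacks_with_bsm_evidence(records: List[AttackRecord]) -> set:
    """Names of attacks for which the Key says BSM audit data should hold evidence."""
    return {rec.name for rec in records if "bsm" in rec.where}


# Sample rows copied from the attack table above.
SAMPLE_ROWS = """\
2 Tues 08:08:29 66-1 * warezmaster yes script clear 200.27.121.118 pascal tcp,bsm
2 Tues 09:09:03 71 b xsnoop yes human clear 200.27.121.118 pascal tcp
2 Tues 09:09:03 71 a xsnoop yes human clear 200.27.121.118 pascal tcp,bsm
2 Tues 17:36:25 80 * mscan yes script clear 207.75.239.115 * tcp,bsm
2 Wed 08:15:06 66-3 * warezclient yes script clear all.attackers pascal tcp,bsm
2 Fri 08:43:22 127 e xterm yes human clear calvin,209.167.99.71 linux1 tcp
2 Fri 08:43:22 127 b xterm yes human clear calvin,209.167.99.71 linux1 tcp
2 Thurs 14:36:02 116 * worm partial script clear 194.27.251.21 eagle tcp
"""

if __name__ == "__main__":
    recs = parse_table(SAMPLE_ROWS)
    for aid, group in sorted(group_by_aid(recs).items()):
        print(aid, [(r.name, r.sequence, r.component) for r in group])
    print("look in BSM for:", sorted(attacks_with_bsm_evidence(recs)))
```

Grouping by the base AID is what lets an analyst line up the breakin connection (b) with the later actions (a) of the same attack, and the sequence number distinguishes the separate warezmaster/warezclient sessions that share AID 66 across days.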