Ridgeback Finds a Threat

Ridgeback Hunter runs on a variety of platforms, including laptops. I almost always run Ridgeback on my laptop whenever I connect to a network. This gives me a high-level perspective of how the network is operating and alerts me to any threats lurking on the network. The networks I connect to are often relatively safe, but this weekend Ridgeback caught something. To show what one kind of report looks like, I am posting the report from what Ridgeback saw this weekend. I have masked out the MAC addresses for privacy.
What is really awesome about this incident is that no one had to install Ridgeback. It was already running on my laptop and Ridgeback automatically did its thing as soon as I connected to the network. There was no tuning and no reconfiguration of any existing infrastructure. Active defense makes blue team work incredibly easy.

This sample report shows two important things. First, the threat was doing reconnaissance from the *.156 IP address using an ARP scan. Second, the machine on the *.156 IP address then tried to connect to TCP port 7 on select hosts. Things that run on TCP port 7 include:

  • Echo Service – UDP packets to port 7 are sometimes used in a denial-of-service (DoS) attack
  • Internet Caching Protocol (ICP) – used by HTTP proxies
  • ACT P202S IP phone – this phone has known vulnerabilities (CVE-2006-0375, CVE-2006-0374)
Some of the report is listed below to show the forensics / evidence side of Ridgeback.

## ARP Activity

1465052166 | 2016-06-04 10:56:06 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.006 THA 000000000000
1465052166 | 2016-06-04 10:56:06 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.007 THA 000000000000
1465052167 | 2016-06-04 10:56:07 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.005 THA 000000000000
1465052167 | 2016-06-04 10:56:07 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.011 THA 000000000000
1465052167 | 2016-06-04 10:56:07 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.013 THA 000000000000
1465052167 | 2016-06-04 10:56:07 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.010 THA 000000000000
1465052167 | 2016-06-04 10:56:07 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.014 THA 000000000000
1465052168 | 2016-06-04 10:56:08 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.005 THA 000000000000
1465052168 | 2016-06-04 10:56:08 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.011 THA 000000000000
1465052168 | 2016-06-04 10:56:08 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.015 THA 000000000000
1465052169 | 2016-06-04 10:56:09 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.011 THA 000000000000
1465052169 | 2016-06-04 10:56:09 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.015 THA 000000000000
1465052169 | 2016-06-04 10:56:09 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.019 THA 000000000000
1465052170 | 2016-06-04 10:56:10 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.015 THA 000000000000
1465052170 | 2016-06-04 10:56:10 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.019 THA 000000000000
1465052170 | 2016-06-04 10:56:10 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.023 THA 000000000000
1465052172 | 2016-06-04 10:56:12 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.023 THA 000000000000
1465052172 | 2016-06-04 10:56:12 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.031 THA 000000000000
1465052172 | 2016-06-04 10:56:12 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.025 THA 000000000000
1465052172 | 2016-06-04 10:56:12 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.033 THA 000000000000
1465052172 | 2016-06-04 10:56:12 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.029 THA 000000000000
1465052173 | 2016-06-04 10:56:13 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.031 THA 000000000000
1465052173 | 2016-06-04 10:56:13 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.035 THA 000000000000
1465052173 | 2016-06-04 10:56:13 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.028 THA 000000000000
1465052173 | 2016-06-04 10:56:13 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.032 THA 000000000000
1465052173 | 2016-06-04 10:56:13 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.036 THA 000000000000
1465052174 | 2016-06-04 10:56:14 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.031 THA 000000000000
1465052174 | 2016-06-04 10:56:14 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.035 THA 000000000000
1465052174 | 2016-06-04 10:56:14 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.039 THA 000000000000
1465052175 | 2016-06-04 10:56:15 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.035 THA 000000000000
1465052175 | 2016-06-04 10:56:15 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.039 THA 000000000000
1465052175 | 2016-06-04 10:56:15 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.043 THA 000000000000
1465052176 | 2016-06-04 10:56:16 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.047 THA 000000000000
1465052177 | 2016-06-04 10:56:17 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.051 THA 000000000000
1465052177 | 2016-06-04 10:56:17 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.043 THA 000000000000
1465052177 | 2016-06-04 10:56:17 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.048 THA 000000000000
1465052177 | 2016-06-04 10:56:17 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.052 THA 000000000000
1465052177 | 2016-06-04 10:56:17 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.045 THA 000000000000
1465052177 | 2016-06-04 10:56:17 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.049 THA 000000000000
1465052177 | 2016-06-04 10:56:17 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.053 THA 000000000000
1465052177 | 2016-06-04 10:56:17 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.046 THA 000000000000
1465052177 | 2016-06-04 10:56:17 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.050 THA 000000000000
1465052177 | 2016-06-04 10:56:17 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.054 THA 000000000000
1465052178 | 2016-06-04 10:56:18 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.056 THA 000000000000
1465052178 | 2016-06-04 10:56:18 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.048 THA 000000000000
1465052178 | 2016-06-04 10:56:18 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.052 THA 000000000000
1465052179 | 2016-06-04 10:56:19 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.056 THA 000000000000
1465052179 | 2016-06-04 10:56:19 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.060 THA 000000000000
1465052179 | 2016-06-04 10:56:19 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.052 THA 000000000000
1465052180 | 2016-06-04 10:56:20 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.056 THA 000000000000
1465052180 | 2016-06-04 10:56:20 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.060 THA 000000000000
1465052180 | 2016-06-04 10:56:20 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.064 THA 000000000000
1465052181 | 2016-06-04 10:56:21 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.060 THA 000000000000
1465052181 | 2016-06-04 10:56:21 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.064 THA 000000000000
1465052182 | 2016-06-04 10:56:22 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.064 THA 000000000000
1465052182 | 2016-06-04 10:56:22 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.068 THA 000000000000
1465052182 | 2016-06-04 10:56:22 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.072 THA 000000000000
1465052183 | 2016-06-04 10:56:23 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.068 THA 000000000000
1465052183 | 2016-06-04 10:56:23 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.072 THA 000000000000
1465052183 | 2016-06-04 10:56:23 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.076 THA 000000000000
1465052184 | 2016-06-04 10:56:24 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.072 THA 000000000000
1465052184 | 2016-06-04 10:56:24 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.076 THA 000000000000
1465052184 | 2016-06-04 10:56:24 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.080 THA 000000000000
1465052185 | 2016-06-04 10:56:25 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.076 THA 000000000000
1465052185 | 2016-06-04 10:56:25 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.084 THA 000000000000
1465052185 | 2016-06-04 10:56:25 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.080 THA 000000000000
1465052187 | 2016-06-04 10:56:27 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.084 THA 000000000000
1465052187 | 2016-06-04 10:56:27 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.088 THA 000000000000
1465052187 | 2016-06-04 10:56:27 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.092 THA 000000000000
1465052187 | 2016-06-04 10:56:27 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.085 THA 000000000000
1465052187 | 2016-06-04 10:56:27 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.089 THA 000000000000
1465052187 | 2016-06-04 10:56:27 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.093 THA 000000000000
1465052188 | 2016-06-04 10:56:28 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.088 THA 000000000000
1465052188 | 2016-06-04 10:56:28 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.092 THA 000000000000
1465052189 | 2016-06-04 10:56:29 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.092 THA 000000000000
1465052189 | 2016-06-04 10:56:29 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.096 THA 000000000000
1465052190 | 2016-06-04 10:56:30 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.095 THA 000000000000
1465052190 | 2016-06-04 10:56:30 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.099 THA 000000000000
1465052190 | 2016-06-04 10:56:30 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.103 THA 000000000000
1465052190 | 2016-06-04 10:56:30 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.104 THA 000000000000
1465052191 | 2016-06-04 10:56:31 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.099 THA 000000000000
1465052191 | 2016-06-04 10:56:31 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.105 THA 000000000000
1465052191 | 2016-06-04 10:56:31 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.109 THA 000000000000
1465052191 | 2016-06-04 10:56:31 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.100 THA 000000000000
1465052191 | 2016-06-04 10:56:31 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.107 THA 000000000000
1465052191 | 2016-06-04 10:56:31 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.102 THA 000000000000
1465052191 | 2016-06-04 10:56:31 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.112 THA 000000000000
1465052191 | 2016-06-04 10:56:31 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.108 THA 000000000000
1465052192 | 2016-06-04 10:56:32 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.113 THA 000000000000
1465052192 | 2016-06-04 10:56:32 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.105 THA 000000000000
1465052192 | 2016-06-04 10:56:32 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.109 THA 000000000000
1465052192 | 2016-06-04 10:56:32 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.112 THA 000000000000
1465052192 | 2016-06-04 10:56:32 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.116 THA 000000000000
1465052193 | 2016-06-04 10:56:33 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.113 THA 000000000000
1465052193 | 2016-06-04 10:56:33 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.117 THA 000000000000
1465052193 | 2016-06-04 10:56:33 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.109 THA 000000000000
1465052194 | 2016-06-04 10:56:34 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.117 THA 000000000000
1465052194 | 2016-06-04 10:56:34 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.113 THA 000000000000
1465052194 | 2016-06-04 10:56:34 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.121 THA 000000000000
1465052195 | 2016-06-04 10:56:35 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.117 THA 000000000000
1465052195 | 2016-06-04 10:56:35 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.121 THA 000000000000
1465052195 | 2016-06-04 10:56:35 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.125 THA 000000000000
1465052196 | 2016-06-04 10:56:36 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.121 THA 000000000000
1465052196 | 2016-06-04 10:56:36 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.125 THA 000000000000
1465052196 | 2016-06-04 10:56:36 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.129 THA 000000000000
1465052197 | 2016-06-04 10:56:37 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.125 THA 000000000000
1465052197 | 2016-06-04 10:56:37 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.129 THA 000000000000
1465052197 | 2016-06-04 10:56:37 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.133 THA 000000000000
1465052198 | 2016-06-04 10:56:38 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.129 THA 000000000000
1465052198 | 2016-06-04 10:56:38 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.133 THA 000000000000
1465052198 | 2016-06-04 10:56:38 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.137 THA 000000000000
1465052198 | 2016-06-04 10:56:38 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.130 THA 000000000000
1465052198 | 2016-06-04 10:56:38 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.138 THA 000000000000
1465052199 | 2016-06-04 10:56:39 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.133 THA 000000000000
1465052199 | 2016-06-04 10:56:39 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.137 THA 000000000000
1465052199 | 2016-06-04 10:56:39 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.138 THA 000000000000
1465052199 | 2016-06-04 10:56:39 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.142 THA 000000000000
1465052200 | 2016-06-04 10:56:40 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.141 THA 000000000000
1465052200 | 2016-06-04 10:56:40 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.137 THA 000000000000
1465052200 | 2016-06-04 10:56:40 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.145 THA 000000000000
1465052200 | 2016-06-04 10:56:40 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.139 THA 000000000000
1465052200 | 2016-06-04 10:56:40 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.143 THA 000000000000
1465052200 | 2016-06-04 10:56:40 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.147 THA 000000000000
1465052201 | 2016-06-04 10:56:41 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.141 THA 000000000000
1465052201 | 2016-06-04 10:56:41 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.145 THA 000000000000
1465052202 | 2016-06-04 10:56:42 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.145 THA 000000000000

## TCP Activity

1465052170 | 2016-06-04 10:56:10 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:43254 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.011:7
1465052171 | 2016-06-04 10:56:11 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:40567 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.015:7
1465052175 | 2016-06-04 10:56:15 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:33070 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.031:7
1465052176 | 2016-06-04 10:56:16 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:50182 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.035:7
1465052180 | 2016-06-04 10:56:20 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:39832 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.052:7
1465052181 | 2016-06-04 10:56:21 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:44154 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.056:7
1465052182 | 2016-06-04 10:56:22 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:41641 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.060:7
1465052183 | 2016-06-04 10:56:23 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:51261 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.064:7
1465052185 | 2016-06-04 10:56:25 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:56714 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.072:7
1465052186 | 2016-06-04 10:56:26 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:33548 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.076:7
1465052190 | 2016-06-04 10:56:30 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:55249 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.092:7
1465052194 | 2016-06-04 10:56:34 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:53866 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.109:7
1465052195 | 2016-06-04 10:56:35 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:54962 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.113:7
1465052196 | 2016-06-04 10:56:36 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:44842 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.117:7
1465052197 | 2016-06-04 10:56:37 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:54319 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.121:7
1465052198 | 2016-06-04 10:56:38 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:55075 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.125:7
1465052199 | 2016-06-04 10:56:39 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:49624 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.129:7
1465052200 | 2016-06-04 10:56:40 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:56255 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.133:7
1465052201 | 2016-06-04 10:56:41 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:33138 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.137:7
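The two signals in this report, a burst of ARP requests from one source to many targets followed by TCP connections from that same source to decoy port 7, can be pulled out of the report format automatically. The Python below is an added example, not Ridgeback's code; it assumes only the `epoch | time | level | message` line layout shown above, the sample lines are constructed (masked the same way as the post), and the sweep threshold and time window are illustrative choices rather than anything Ridgeback uses.

```python
"""Parse Ridgeback-style report lines, flag an ARP sweep, and tie decoy-port
alerts back to the ARP probes that preceded them. Added example, not
Ridgeback's own code; assumes only the line layout shown in the post."""
import re
from collections import defaultdict

# Constructed sample in the report's "epoch | time | level | message" layout.
# Addresses are masked like the original post. One benign ARP request from
# another host (.001) is included so the sweep detector has something to ignore.
SAMPLE_LOG = """\
1465052166 | 2016-06-04 10:56:06 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.006 THA 000000000000
1465052166 | 2016-06-04 10:56:06 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.007 THA 000000000000
1465052167 | 2016-06-04 10:56:07 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.005 THA 000000000000
1465052167 | 2016-06-04 10:56:07 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.011 THA 000000000000
1465052167 | 2016-06-04 10:56:07 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.013 THA 000000000000
1465052168 | 2016-06-04 10:56:08 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.011 THA 000000000000
1465052168 | 2016-06-04 10:56:08 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.156 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.015 THA 000000000000
1465052169 | 2016-06-04 10:56:09 | 7 | ARP OPER 0001 SPA 010.xxx.yyy.001 SHA xx:xx:xx:xx:xx:xx TPA 010.xxx.yyy.002 THA 000000000000
1465052170 | 2016-06-04 10:56:10 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:43254 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.011:7
1465052171 | 2016-06-04 10:56:11 | 3 | :TCP:THREAT: Service decoy, RED 010.xxx.yyy.156:40567 xx:xx:xx:xx:xx:xx calling BLUE 010.xxx.yyy.015:7
"""

# \S+ rather than a strict dotted-quad so masked addresses still parse.
ARP_RE = re.compile(r"ARP OPER (\d{4}) SPA (\S+) SHA (\S+) TPA (\S+) THA (\S+)")
TCP_RE = re.compile(
    r":TCP:THREAT: Service decoy, RED (\S+):(\d+) (\S+) calling BLUE (\S+):(\d+)")


def parse_line(line):
    """Return a dict for one ARP-request or decoy-alert line, else None."""
    parts = [p.strip() for p in line.split("|", 3)]
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    epoch, msg = int(parts[0]), parts[3]
    m = ARP_RE.search(msg)
    if m and m.group(1) == "0001":  # opcode 1 = ARP request ("who has")
        return {"kind": "arp", "t": epoch, "src": m.group(2), "dst": m.group(4)}
    m = TCP_RE.search(msg)
    if m:
        return {"kind": "tcp", "t": epoch, "src": m.group(1), "sport": int(m.group(2)),
                "dst": m.group(4), "dport": int(m.group(5))}
    return None


def parse_log(text):
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def arp_sweep_sources(events, min_targets=5, window=30):
    """Map source IP -> largest number of distinct ARP targets it queried inside
    any `window`-second span. Only sources reaching `min_targets` are returned;
    both numbers are illustrative thresholds, not Ridgeback settings."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "arp":
            by_src[e["src"]].append((e["t"], e["dst"]))
    result = {}
    for src, probes in by_src.items():
        probes.sort()
        best = 0
        for i, (t0, _) in enumerate(probes):
            seen = {d for t, d in probes[i:] if t - t0 <= window}
            best = max(best, len(seen))
        if best >= min_targets:
            result[src] = best
    return result


def decoy_hits(events):
    """Each TCP decoy alert, tagged with whether the same source had already
    ARP-probed that target (the request-then-connect pattern in the post)."""
    hits = []
    for e in events:
        if e["kind"] != "tcp":
            continue
        probed = any(a["kind"] == "arp" and a["src"] == e["src"]
                     and a["dst"] == e["dst"] and a["t"] <= e["t"] for a in events)
        hits.append({"src": e["src"], "dst": e["dst"], "dport": e["dport"],
                     "arp_probed_first": probed})
    return hits


def summarize(text):
    events = parse_log(text)
    return {"sweeps": arp_sweep_sources(events), "decoy_hits": decoy_hits(events)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, n in report["sweeps"].items():
        print(f"ARP sweep from {src}: {n} distinct targets")
    for h in report["decoy_hits"]:
        print(f"decoy hit {h['src']} -> {h['dst']}:{h['dport']} "
              f"(ARP-probed first: {h['arp_probed_first']})")
```

Run as a script it prints one sweep source (.156 with six distinct targets) and two decoy hits, both of which were ARP-probed first. On a real report the thresholds matter: a DHCP server or a monitoring box will legitimately ARP many hosts over a day, so the window should be short and the target count high enough that only a rapid sweep trips it; the decoy alerts need no tuning, since a connection to a port nothing should be calling is the evidence by itself.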

2017-07-13T12:15:15+00:00 | June 6th, 2016 | blog

About the Author:

Thomas Phillips is the lead "technical guy" at Ridgeback Network Defense. You can email him at tom-at-ridgeback.tillitclicks.com
