R: host-based ids evaluation
From: Gianpiero Porchia (gianpiero.porchia@atsweb.it)
Date: 08/16/02
- Previous message: Gianpiero Porchia: "R: host-based ids evaluation"
- In reply to: Detmar Liesen: "RE: host-based ids evaluation"
- Next in thread: Detmar Liesen: "Re: R: host-based ids evaluation"
- Reply: Detmar Liesen: "Re: R: host-based ids evaluation"
From: "Gianpiero Porchia" <gianpiero.porchia@atsweb.it>
To: "Detmar Liesen" <counter.spy@gmx.de>
Date: Fri, 16 Aug 2002 19:22:53 +0200
Detmar wrote:
>Shouldn't a decent HIDS detect a shell with no password getting bound to a
>TCP port???
I'm using an NFR-NID, and I've written a custom N-code script that can detect
connections over strange ports. As I said in a previous post of mine, we
can do that easily by writing a hosts list:
192.168.0.3, 80,25,22
192.168.0.4, 21,22
...
and for every connection not in this list, my NIDS raises an alert.
Obviously, the script can detect shells on that connection (for example, by looking
for a prompt, or for a shell command - dir or ls).
Bye
- gianpiero
Ing. Gianpiero Porchia
Security Engineer
ATS - Advanced Telecom Systems
Designing, Testing, Managing Network Quality
Via Salgari, 17 - 41100 Modena - ITALY
Tel +39 059 821332
Fax +39 059 821492
E-mail: gianpiero.porchia@atsweb.it
Web site: http://www.atsweb.it
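
The allowlist check described in the message above, sketched in Python as an added example (it is not the poster's N-code script and not part of the original post). The function names, the shell-hint regex and the sample connections in the test are assumptions constructed for illustration.

```python
import ipaddress
import re

# Host list in the format shown in the post: "<ip>, <port>,<port>,..."
HOST_LIST = """\
192.168.0.3, 80,25,22
192.168.0.4, 21,22
"""

# Assumed heuristic for "looks like a shell": a line that is a Windows or
# Unix prompt, or a bare dir/ls command (with optional arguments).
SHELL_HINT = re.compile(
    rb"^(?:[A-Za-z]:\\[^\r\n]*>|[^\r\n]{0,64}[$#] ?|(?:dir|ls)(?: [^\r\n]*)?)\r?$",
    re.MULTILINE,
)


def parse_host_list(text):
    """Return {ip: {allowed ports}}; malformed lines raise ValueError."""
    allowed = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, _, ports = line.partition(",")
        ip = str(ipaddress.ip_address(host.strip()))
        nums = {int(p) for p in ports.split(",") if p.strip()}
        if not nums or any(not 0 < n < 65536 for n in nums):
            raise ValueError(f"bad port list: {raw!r}")
        allowed.setdefault(ip, set()).update(nums)
    return allowed


def classify(allowed, dst_ip, dst_port, payload=b""):
    """Return 'ok', 'alert', or 'alert+shell' for one observed connection."""
    if dst_port in allowed.get(dst_ip, ()):
        return "ok"
    # Only connections outside the list are inspected for shell traffic.
    return "alert+shell" if SHELL_HINT.search(payload) else "alert"


ALLOWED = parse_host_list(HOST_LIST)
```

A host that does not appear in the list at all has no allowed ports, so any connection to it is classified as an alert.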