R: host-based ids evaluation
From: Gianpiero Porchia (gianpiero.porchia@atsweb.it)
Date: 08/19/02
- Previous message: Peter-Paul Haars: "Airsnort on MAc os X"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Gianpiero Porchia" <gianpiero.porchia@atsweb.it> To: "IDS Focus" <focus-ids@securityfocus.com> Date: Mon, 19 Aug 2002 12:58:19 +0200
Detmar wrote:
>Sorry, but you're off topic.
>We are discussing __host__-based ids.
>NFR NID is a network IDS.
Ok, you are right, the NID is a network IDS, and it is out of this topic.
But I posted my last mail only to show how you can look for strange
services on your boxes. Since I believe that a stack-based IDS is a subset of
an HIDS, I think that we can detect netcat using a network traffic analyzer
when there isn't an HIDS that looks at netstat output.
The netstat solution, IMHO, is fine, but I think there are problems with what
you are looking for; for example, if you are looking for the executable name,
this name can be changed. But if you are looking for TCP (or UDP) ports that
shouldn't be open, we are looking for the same solution, at network level
(network traffic) and at kernel level (bound ports). The former is more
active, because it detects the netcat server only when there are comms; the
latter is more proactive, because it can detect the server even without comms.
Bye
- gianpiero
Ing. Gianpiero Porchia
Security Engineer
ATS - Advanced Telecom Systems
Designing, Testing, Managing Network Quality
Via Salgari, 17 - 41100 Modena - ITALY
Tel +39 059 821332
Fax +39 059 821492
E-mail: gianpiero.porchia@atsweb.it
Web site: http://www.atsweb.it
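The bound-ports check the mail argues for, as an added example that is not part of the original post: it parses a constructed `netstat -an` sample and flags listeners whose (protocol, port) pair is missing from an allowlist, instead of matching on an executable name that can be renamed. The allowlist, the sample output and the odd ports in it are all made up for the example.

```python
"""Host-side check for unexpected listening ports, parsed from netstat output.

Added example (not from the original post): compares bound listeners
against an allowlist of expected (proto, port) pairs, so a renamed
binary does not evade the check.
"""
import re
from typing import List, Optional, Set, Tuple

# Constructed sample of `netstat -an` output (Linux-style columns).
# Ports 4444 and 31337 are made-up "should not be open" entries.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:31337           0.0.0.0:*
"""

# Assumed allowlist: the services this host is expected to serve.
EXPECTED_LISTENERS: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 25), ("udp", 123)}

# proto, recv-q, send-q, local addr:port, foreign addr, optional state
_LINE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text: str) -> List[Tuple[str, str, int]]:
    """Return (proto, local_addr, port) for every bound listener.

    TCP sockets count only in LISTEN state; UDP rows carry no state
    column, so every bound UDP socket is treated as a listener.
    """
    listeners: List[Tuple[str, str, int]] = []
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header lines and anything we do not understand
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        state: Optional[str] = m.group(4)
        if proto == "tcp" and state != "LISTEN":
            continue
        listeners.append((proto, addr, port))
    return listeners


def unexpected_listeners(netstat_text: str, expected=EXPECTED_LISTENERS):
    """Listeners whose (proto, port) pair is not on the allowlist."""
    return [l for l in parse_listeners(netstat_text) if (l[0], l[2]) not in expected]


if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected {proto} listener on {addr}:{port}")
```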