RE: Port/Host Scanning Techniques

From: Dante Mercurio (Dante_at_webcti.com)
Date: 03/04/04

  • Next message: Shaiful: "Re: Any Intrusion Detection Appliances handle wired and wireless networks?"
    Date: Thu, 4 Mar 2004 17:16:09 -0500
    To: "Tarek Amr Abdullah" <tabdullah@salec.com.eg>, <focus-ids@securityfocus.com>
    In addition to the methods mentioned, most IDSs also use some signature
    or protocol analysis to determine that a specific tool was used.
    Scanning tools can sometimes be identified by the fact that they have
    specific packet information in their payload. While not always
    indicative of a full scan, it's often more important to know that a
    specific application was used to probe your network, even if just once.

    For instance, Snort has this rule:

    alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Webtrends Scanner UDP Probe"; content:"|0A|help|0A|quite|0A|"; reference:arachnids,308; classtype:attempted-recon; sid:637; rev:2;)

    Thus a packet with the payload "|0A|help|0A|quite|0A|" would indicate a
    Webtrends Scanner UDP Probe regardless of how many attempts were made.
    Since these rules are triggered only on packet contents, there is always
    the possibility of a false positive from a valid packet that just happens
    to have the same content.

    M. Dante Mercurio
    dante@webcti.com
    Consulting Group Manager
    Continental Technologies, Inc
    www.webcti.com
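    The matching described above, as an added illustration that is not part of the original post or of Snort itself: a small Python matcher that parses Snort's content syntax (where |0A| is a hex byte escape) into raw bytes and applies it, as an unanchored substring search, to a few constructed UDP payloads. The packet samples are made up for the example; one of them is a legitimate-looking packet that happens to carry the same bytes, which is exactly the false-positive case the message warns about, and a single matching packet is enough to fire, since there is no count or rate component in the rule.

```python
"""Snort-style 'content' matching over UDP payloads (added illustration).

Demonstrates the rule quoted in the post (sid:637): the alert keys on packet
content, not on how many probes arrive. Snort's content string syntax puts
hex bytes between pipes, e.g. |0A| for a newline; everything outside the
pipes is literal text.
"""
import re

# A run of hex digits between pipes; Snort permits whitespace inside, e.g. |0A 0D|.
HEX_RUN = re.compile(r"\|([0-9A-Fa-f\s]*)\|")


def parse_snort_content(content: str) -> bytes:
    """Convert a Snort content string such as "|0A|help|0A|quite|0A|" to bytes."""
    out = bytearray()
    pos = 0
    for m in HEX_RUN.finditer(content):
        out += content[pos:m.start()].encode("latin-1")   # literal segment
        hexdigits = "".join(m.group(1).split())            # drop whitespace
        if len(hexdigits) % 2:
            raise ValueError(f"odd-length hex run in content: {m.group(0)!r}")
        out += bytes.fromhex(hexdigits)
        pos = m.end()
    out += content[pos:].encode("latin-1")                 # trailing literal
    return bytes(out)


# The content from the sid:637 rule quoted in the post.
WEBTRENDS_PROBE = parse_snort_content("|0A|help|0A|quite|0A|")


def content_matches(payload: bytes, pattern: bytes) -> bool:
    """Snort 'content' with no modifiers is an unanchored substring search."""
    return pattern in payload


def scan_packets(packets, pattern=WEBTRENDS_PROBE):
    """Return the indices of packets that would raise the alert.

    One matching packet is enough; there is no threshold, so a single probe
    and a single coincidental legitimate packet look identical to the rule.
    """
    return [i for i, p in enumerate(packets) if content_matches(p, pattern)]


# Constructed sample UDP payloads for the example (not captured traffic).
SAMPLE_PACKETS = [
    # 0: the scanner's probe, seen exactly once
    b"\nhelp\nquite\n",
    # 1: an ordinary DNS-style query for example.com, no match
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01",
    # 2: legitimate application data that happens to contain the same bytes
    #    (the false positive the post describes)
    b"user typed:\nhelp\nquite\nby mistake",
    # 3: near miss: 'quit' rather than 'quite', so the rule stays silent
    b"\nhelp\nquit\n",
]


if __name__ == "__main__":
    print("rule content as bytes:", WEBTRENDS_PROBE)
    for i in scan_packets(SAMPLE_PACKETS):
        print(f"alert: SCAN Webtrends Scanner UDP Probe on packet {i}: {SAMPLE_PACKETS[i]!r}")
```

    Running the block reports packets 0 and 2: the real probe and the innocent packet carrying the same bytes. In a production ruleset that ambiguity is usually narrowed with modifiers such as depth, offset or a port restriction, but the rule as quoted has none of them, so content alone decides.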

    -----Original Message-----
    From: Tarek Amr Abdullah [mailto:tabdullah@salec.com.eg]
    Sent: Wednesday, February 25, 2004 2:37 AM
    To: focus-ids@securityfocus.com
    Subject: Port/Host Scanning Techniques

    Hi there

    Does anyone know the current techniques used in IDSs in order to detect
    host scanning and port scanning? I think it is something related to
    traffic / protocol anomaly. But does anyone know more details about the
    implementation?

    Thanks in advance

