RE: Port/Host Scanning Techniques
From: Dante Mercurio (Dante_at_webcti.com)
Date: 03/04/04
- Previous message: Dean Smith: "Re: blocking p2p traffic"
Date: Thu, 4 Mar 2004 17:16:09 -0500
To: "Tarek Amr Abdullah" <tabdullah@salec.com.eg>, <focus-ids@securityfocus.com>
In addition to the methods mentioned, most IDS also use some signature
or protocol analysis to determine that a specific tool was used.
Scanning tools can sometimes be identified by the fact that they have
specific packet information in their payload. While not always
indicative of a full scan, it's often more important to know that a specific
application was used to probe your network, even if just once.
For instance, Snort has this rule:
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Webtrends Scanner UDP Probe"; content: "|0A|help|0A|quite|0A|"; reference:arachnids,308; classtype:attempted-recon; sid:637; rev:2;)
Thus a packet with the payload "|0A|help|0A|quite|0A|" would indicate a
Webtrends Scanner UDP Probe regardless of how many attempts were made.
Since these rules are triggered only on packet contents, there is always
the possibility of a false-positive with a valid packet just happening
to have the same content.
M. Dante Mercurio
dante@webcti.com
Consulting Group Manager
Continental Technologies, Inc
www.webcti.com
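As an added illustration (not part of the original post), the following Python decodes the Snort content string quoted above into raw bytes and matches it against constructed UDP payloads. One payload is legitimate traffic that happens to carry the same bytes, showing the single-packet false positive the reply describes; the rule text is the page's, the payloads are made up here.

```python
def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort 'content' string, e.g. "|0A|help|0A|quite|0A|", into bytes.

    Text between pipe characters is hex (spaces allowed); text outside the
    pipes is literal ASCII. Backslash escapes are not handled (assumption:
    the rule on the page uses none).
    """
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        if i % 2 == 1:            # odd-numbered chunks sit inside a |...| block
            out += bytes.fromhex(chunk)
        else:
            out += chunk.encode("ascii")
    return bytes(out)


# Content pattern from Snort sid:637 as quoted in the reply.
WEBTRENDS_PROBE = "|0A|help|0A|quite|0A|"


def content_matches(rule_content: str, payload: bytes) -> bool:
    """Pure content match: fires on a single packet, no counting of attempts."""
    return snort_content_to_bytes(rule_content) in payload


def scan_for_alerts(packets):
    """Return (source, payload) pairs that would trigger the content rule.

    `packets` is an iterable of (source_ip, udp_payload_bytes). Every matching
    packet alerts on its own, regardless of how many probes the source sent.
    """
    return [(src, p) for src, p in packets if content_matches(WEBTRENDS_PROBE, p)]


# Constructed sample UDP payloads (not captures from the list post).
SAMPLE_PACKETS = [
    ("203.0.113.7", b"\nhelp\nquite\n"),                       # one scanner probe
    ("198.51.100.9", b"hello"),                                 # unrelated traffic
    ("192.0.2.44", b"user typed:\nhelp\nquite\n please retry"), # valid packet, same bytes
]


if __name__ == "__main__":
    for src, payload in scan_for_alerts(SAMPLE_PACKETS):
        print(f"ALERT SCAN Webtrends Scanner UDP Probe from {src}: {payload!r}")
```

Two of the three constructed packets alert, including the benign one from 192.0.2.44, which is exactly the false-positive case the reply warns about.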
-----Original Message-----
From: Tarek Amr Abdullah [mailto:tabdullah@salec.com.eg]
Sent: Wednesday, February 25, 2004 2:37 AM
To: focus-ids@securityfocus.com
Subject: Port/Host Scanning Techniques
Hi there
Does anyone know the current techniques used in IDSs in order to detect
Host Scanning and Port Scanning? I think it is something related to
traffic / protocol anomaly. But does anyone know more details about the
implementation?
Thanks in advance
------------------------------------------------------------------------