Scanner Brand Detection Paper
From: Schupp, Hank (Hank.Schupp_at_mantech-ist.com)
Date: 08/28/05
- Previous message: Joshua Wright: "Re: looking for wireless IDS whitepaper"
Date: Sun, 28 Aug 2005 00:02:11 -0400
To: <focus-ids@securityfocus.com>
Thanks ahead of the game for any responses . . .
I have seen a paper somewhere that described string, flag, and protocol
IDs to try and identify which particular application was performing a
vulnerability scan. Though every scanner might create indications of an
ICMP or Port Sweep, the paper spoke of certain strings or indicators
that each product displays: NMAP, FoundScan, Harris STAT, eEye Retina,
SNORT, nCircle, SAINT, etc. If anyone can recall the article (about
6-9 months ago?) and can pass me a link or a clue to where to look I
would appreciate it much. I am attempting to create some analytics for
our IP metadata tool so that it can report the "likely" product that was
the source of a detected scan and this would be invaluable. I can, and
may do so in the end in any case, run tests to re-create the data - but
if I don't 'have' to repeat someone else's work ... I'd rather not!
Thanks again all.
Hank Schupp
Management Technologies International, IS&T
www.netwitness.com