Re: Port Scanning.
Date: Wed, 22 Dec 2004 12:17:01 -0800 To: DWreck <firstname.lastname@example.org>
DWreck(email@example.com)@Wed, Dec 22, 2004 at 08:29:08AM
> Most IPS admins do not block port scans. The data is fed to a SIM to
> keep a "low priority" eye on who may or may not be profiling you.
> Most people using IPS's have them tuned to block nachi type protocol
> anomalies etc.
Sure .. but TCP SYN port scanning was just one example. Any UDP/ICMP
(connectionless) or TCP non-established connection based triggers can be
spoofed with unicornscan as well. The only thing that isn't currently
easy to do is TCP full connection payload injection from spoofed IP's.
We're working on a way to do that though :).
-- Robert E. Lee CTO, Dyad Security, Inc. W - http://www.dyadsecurity.com E - firstname.lastname@example.org M - (949) 394-2033