Re: stateful attacks for hostbased NIDS

From: Colonel Flagg (colonel_flagg_at_NOSOUPFORJ00internetwarzone.org)
Date: 05/23/03


Date: Thu, 22 May 2003 23:07:59 -0400

In article <b5bza.11437$AS6.153739@news.chello.at>, franz.bacher@a1.net
says...
> Hi!
>
> I got to implement NIDS functionality into the lwIP [1] TCP/IP stack for a
> host-based system.
> Therefore I would need some well-known attacks that can be matched by a
> stateful inspection (e.g. SYN flooding). The name of the attack would be
> sufficient to get more information from Google.
>
> Thanks for help!
>
> [1] www.sics.se/~adam/lwip/
>
> --
> Franz Bacher
> Student of Telecommunication & Computer Science
> @ Graz University of Technology
> e-Mail: franz.bacher@a1.net

Nessus and SATAN are a couple of examples of scanners that test for
exploits that will simulate different attack scenarios.

I believe nmap should set off several alerts, depending on the switches
used. NT users may be a bit more inclined to use the GUI version (blech)
;p

-- 
Colonel Flagg
http://www.internetwarzone.org/
Privacy at a click:
http://www.cotse.net 
Wanna ask a question in Usenet?
http://www.tuxedo.org/~esr/faqs/smart-questions.html
Everything about Usenet answered:
http://www.internetwarzone.org/answers.html
America WILL NOT forget 9-11-01

