slow scans?

From: Anton Chuvakin <anton(at)chuvakin.org>
Date: Wed Feb 12 2003 - 13:46:41 EST


All,

This is a somewhat generic information query for methods to detect slow (aka "low and slow") port scans and network scans using IDS (or whatever other means).

By slow scans I mean port probes occurring over the period of hours to months (!) against the different destinations and even potentially from different sources (both in the form of coordinated and spoofed scans).

The only resource I identified was the Spice/Spade from the Silicon Defense site. References in http://www.silicondefense.com/pptntext/Spice-JCS.pdf seem to be pretty outdated and the detection methods are implied to be inferior to that of Spice.

Also, the classic "X packets in Y seconds to Z ports/hosts" seems to be pretty useless for truly slow scans, such as those spanning days and weeks. Plotting pictures of sequential port accesses seems to only reveal the sequential scans from a single source against a single destination, which are relatively easy to pick up. Anything more high tech?

And finally, does anybody really care? I know for sure that some folks do, but I suspect their percentage is reeeally small. Is that so?

Thanks a lot for any tips, references and information pointers.

Best,

--
  Anton A. Chuvakin, Ph.D., GCIA
  http://www.chuvakin.org
  http://www.info-secure.org
Received on Wed Feb 12 13:58:28 2003
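As an added example (not part of the original post or of Spice/Spade), the script below shows the failure mode the post describes and two ways around it on a constructed three-day connection log: the same "distinct ports per source" counter run over a multi-day window instead of seconds, and a per-event rarity score, -log2 of the observed frequency of each (destination, port) pair, which is rate-independent in the spirit of Spade's anomaly score but is a plain frequency table here, not Spade's implementation. The source addresses, port numbers and timing are invented; the `key` parameter (aggregate by destination rather than source) is this example's own device for the coordinated-scan case.

```python
"""Why 'X ports in Y seconds' misses low-and-slow scans, and two ways to
widen the net: the same distinct-port counter over a multi-day window,
and a per-event rarity score in the spirit of Spade (rate-independent).
All traffic below is constructed for this example."""
import math
from collections import defaultdict

DAY = 86400
TARGET = "192.0.2.10"  # constructed destination host


def make_events():
    """Constructed connection log as (t_seconds, src, dst, dport) tuples."""
    events = []
    # Legitimate clients: one web hit every 5 minutes for three days each.
    for t in range(0, 3 * DAY, 300):
        events.append((t, "10.0.0.5", TARGET, 80))
        events.append((t, "10.0.0.6", TARGET, 443))
    # Low-and-slow scanner: a new port every two hours across the same three days.
    for i, t in enumerate(range(0, 3 * DAY, 7200)):
        events.append((t, "198.51.100.7", TARGET, 1 + i))
    # Fast scanner: 30 ports in 30 seconds, which the classic rule does catch.
    for i in range(30):
        events.append((1000 + i, "203.0.113.9", TARGET, 1000 + i))
    events.sort()
    return events


EVENTS = make_events()


def flag_by_window(events, window_s, min_ports, key=lambda e: e[1]):
    """Classic rule: flag a key (source by default) that touches at least
    min_ports distinct destination ports inside any window_s-second window.
    key=lambda e: e[2] aggregates by destination instead, which is one way
    to see a scan spread across many sources."""
    groups = defaultdict(list)
    for e in events:
        groups[key(e)].append((e[0], e[3]))
    flagged = set()
    for k, hits in groups.items():
        hits.sort()
        live = defaultdict(int)  # port -> occurrences currently inside the window
        left = 0
        for t, port in hits:
            live[port] += 1
            while hits[left][0] < t - window_s:  # expire hits older than the window
                old = hits[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            if len(live) >= min_ports:
                flagged.add(k)
                break
    return flagged


def rarity_bits(events):
    """Spade-style anomaly score: -log2 P(dst, dport) from observed frequency.
    A probe to a port nobody uses scores high on its own, whether it arrives
    once a second or once a week."""
    freq = defaultdict(int)
    for _, _, dst, dport in events:
        freq[(dst, dport)] += 1
    total = len(events)
    return {pair: -math.log2(n / total) for pair, n in freq.items()}


def rare_hits_by_source(events, min_bits=8.0):
    """Count, per source, the events whose (dst, dport) rarity meets min_bits."""
    score = rarity_bits(events)
    hits = defaultdict(int)
    for _, src, dst, dport in events:
        if score[(dst, dport)] >= min_bits:
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    print("60s window, 10 ports   :", flag_by_window(EVENTS, 60, 10))
    print("7-day window, 20 ports :", flag_by_window(EVENTS, 7 * DAY, 20))
    print("7-day window, by dst   :", flag_by_window(EVENTS, 7 * DAY, 20, key=lambda e: e[2]))
    print("rare (dst, port) hits  :", rare_hits_by_source(EVENTS))
```

With a 60-second window only the fast scanner trips the rule; stretching the same rule to a seven-day window catches the two-hour-per-port scanner as well, at the price of keeping per-source state for a week, and keying by destination makes the count survive a scan spread across sources (though not one whose sources are spoofed past any usable key). The rarity score needs no window at all, which is why it suits the slow case, but a frequency table also scores every brand-new legitimate service as rare, so the per-event score is only useful once something correlates the rare events into a scan, which is the role the post attributes to Spice rather than Spade.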
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:10 EDT