Pantek Library

Re: slow scans?

From: Anton Chuvakin <anton(at)chuvakin.org>
Date: Wed Feb 12 2003 - 16:38:01 EST


Ron,

Thanks for the response.

>It really depends on what you want to know.
Just the fact that an unknown party is doing the reconnaissance.

>For example, if you want to detect someone trying to do slow
RST tracking is a good idea. There are a couple of drawbacks. Networks with many open ports or (the opposite) networks heavily firewalled to drop packets would not be able to use it.

>"I've seen a RST packet leave from a high port on 100+ machines
What about 5 machines, would you want to trigger on that? RST tracking also seems to suffer from false positives a bit.

>To my knowledge, Dragon and NFR do look for these sorts of
Well, PORTSCAN X Y Z is probably not the best for the slow scans, but I am sure you know better. To test it, I just set the Z on the Dragon I have here to 10000; let's see what will happen.

>Also, protocol-flow anomaly detection tools like
But do they have a good algorithm? That is the question.

>Personally, the advantage is on the attacker, as they can
Very true, especially for multiple sources.


>one of the things we did in Dragon was to look for 'hot ports'.
Like PSTRIGGER?

>tell with much greater accuracy what has occurred than a
I am about to test that. The concern is whether the random noise will drown the slow scan data in this case...

Best,

-- 
  Anton A. Chuvakin, Ph.D., GCIA
http://www.chuvakin.org
http://www.info-secure.org
Received on Wed Feb 12 16:50:49 2003
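The RST-tracking idea discussed in this message (an external address collecting RSTs from closed high ports on many internal hosts, with the threshold question of "100+ machines" versus 5 and a long window for slow scans), plus a simple "hot port" count, as an added example. This is not code from the thread, from Dragon or from NFR; the log format, the addresses and the thresholds are constructed for illustration.

```python
"""Slow-scan detection by outbound RST tracking (constructed example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of outbound TCP records from a sensor on the inside:
#   timestamp  internal_src  sport  external_dst  dport  tcp_flags
# A probe to a closed port makes the target answer with a RST sourced
# from that port, so the scanned port shows up here as sport.
# 203.0.113.9 probes port 31337 on five hosts spread over six hours;
# 198.51.100.7 touches one host only (a likely false positive source).
SAMPLE_LOG = """\
2003-02-12T10:00:00 10.0.0.1 31337 203.0.113.9 40001 R
2003-02-12T11:30:00 10.0.0.2 31337 203.0.113.9 40002 R
2003-02-12T13:05:00 10.0.0.3 31337 203.0.113.9 40003 R
2003-02-12T14:40:00 10.0.0.4 31337 203.0.113.9 40004 R
2003-02-12T16:10:00 10.0.0.5 31337 203.0.113.9 40005 R
2003-02-12T16:11:00 10.0.0.5 31338 203.0.113.9 40006 R
2003-02-12T10:05:00 10.0.0.1 51000 198.51.100.7 51000 R
2003-02-12T10:06:00 10.0.0.1 51001 198.51.100.7 51001 PA
"""


def parse(log):
    """Turn the whitespace-separated sample format into dicts."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, flags = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "sport": int(sport), "dst": dst,
                        "dport": int(dport), "flags": flags})
    return records


def outbound_rsts(records, high_port=1024):
    """Keep only RSTs our hosts send from a high (probed, closed) port."""
    return [r for r in records if "R" in r["flags"] and r["sport"] >= high_port]


def rst_tracking(records, window_hours=24, threshold=5):
    """Map external address -> internal hosts that answered it with a RST,
    for externals reaching >= threshold distinct hosts inside the window.
    A long window is what makes a slow scan visible; a high threshold
    trades sensitivity for fewer false positives."""
    window = timedelta(hours=window_hours)
    by_dst = defaultdict(list)
    for r in outbound_rsts(records):
        by_dst[r["dst"]].append(r)
    hits = {}
    for dst, events in by_dst.items():
        events.sort(key=lambda r: r["ts"])
        recent = deque()  # sliding window of events from this external
        for ev in events:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            hosts = {e["src"] for e in recent}
            if len(hosts) >= threshold:
                hits[dst] = hits.get(dst, set()) | hosts
    return hits


def hot_ports(records, threshold=3):
    """Ports on which >= threshold distinct internal hosts answered RST,
    regardless of who probed them (one scan, or many sources)."""
    hosts_per_port = defaultdict(set)
    for r in outbound_rsts(records):
        hosts_per_port[r["sport"]].add(r["src"])
    return {p for p, hosts in hosts_per_port.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("RST tracking, 24h, >=5 hosts:", rst_tracking(recs))
    print("RST tracking, 1h, >=5 hosts:", rst_tracking(recs, window_hours=1))
    print("hot ports, >=3 hosts:", hot_ports(recs))
```

With the 24-hour window the five-host scan from 203.0.113.9 is reported while the single-host contact from 198.51.100.7 is not; with a one-hour window the same scan disappears, which is the point the thread makes about slow scans. The method also shows the drawbacks mentioned above: a firewall that silently drops probes produces no RSTs for this code to count, and probes to open ports are answered with SYN/ACK rather than RST, so they are never seen here.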

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:10 EDT

