Nmap Announce mailing list archives

Re: Following the detection thread


From: Dave Dittrich <dittrich () cac washington edu>
Date: Fri, 29 Jan 1999 11:52:19 -0800 (PST)

On Fri, 29 Jan 1999, Lance Spitzner wrote:

> Of course, since I'm using TCP wrappers, it will not detect -sS or
> -sF scans.  Not the ultimate solution, but something I've been
> playing with and having good results.

Lance,

Because of the more "stealthy" nature of FIN and SYN scans (the latter
used in attacks here at the UW just two days ago), I'd say that using
tcpdump methods as done in nfr, shadow, or bro (three intrusion
detection systems) would be more effective than TCP connect() scan
monitoring.  There's also the method described in Phrack Vol 8, Issue
53, article 13 ("Designing and Attacking Port Scan Detection Tools") and
don't forget to read the SNI paper mentioned therein ("Insertion,
Evasion and Denial of Service: Eluding Network Intrusion Detection.")

--
Dave Dittrich                 Client Services
dittrich () cac washington edu   Computing & Communications
                              University of Washington

Dave Dittrich / dittrich () cac washington edu [PGP Key]
http://www.washington.edu/People/dad/
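The distinction Dave draws above (connect() monitoring via TCP wrappers versus packet-level monitoring à la tcpdump/nfr/shadow/bro) is easy to see in code. The following is an added example, not part of this thread and not code from nfr, shadow or bro: a small detector that reads classic tcpdump-style TCP lines and flags a source as SYN-scanning when it sends bare SYNs to many ports without ever completing a handshake, and as FIN-scanning when it sends bare FINs (a FIN on a real session always carries ACK). A second function shows what a connect()-level logger would have seen from the same traffic. The packet lines, addresses, threshold and function names are all constructed for illustration.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample in 1999-era tcpdump syntax: flags are S/F/R/P or "." when
# none of those are set; "ack N" appears only when the ACK bit is set.
# 10.0.0.5 runs a SYN (-sS style) scan, 10.0.0.6 a FIN (-sF style) scan, and
# 10.0.0.7 makes one ordinary connect() to port 22. Not a real capture.
SAMPLE = """\
11:52:01.000100 10.0.0.5.40001 > 192.168.1.10.21: S 1:1(0) win 1024
11:52:01.000200 10.0.0.5.40002 > 192.168.1.10.22: S 1:1(0) win 1024
11:52:01.000300 192.168.1.10.22 > 10.0.0.5.40002: S 9:9(0) ack 2 win 8760
11:52:01.000400 10.0.0.5.40002 > 192.168.1.10.22: R 2:2(0) win 0
11:52:01.000500 10.0.0.5.40003 > 192.168.1.10.23: S 1:1(0) win 1024
11:52:01.000600 10.0.0.5.40004 > 192.168.1.10.25: S 1:1(0) win 1024
11:52:01.000700 10.0.0.5.40005 > 192.168.1.10.80: S 1:1(0) win 1024
11:52:01.000800 192.168.1.10.80 > 10.0.0.5.40005: S 9:9(0) ack 2 win 8760
11:52:01.000900 10.0.0.5.40005 > 192.168.1.10.80: R 2:2(0) win 0
11:52:01.001000 10.0.0.5.40006 > 192.168.1.10.110: S 1:1(0) win 1024
11:52:02.000100 10.0.0.6.50001 > 192.168.1.10.21: F 1:1(0) win 1024
11:52:02.000200 10.0.0.6.50001 > 192.168.1.10.22: F 1:1(0) win 1024
11:52:02.000300 10.0.0.6.50001 > 192.168.1.10.23: F 1:1(0) win 1024
11:52:02.000400 10.0.0.6.50001 > 192.168.1.10.25: F 1:1(0) win 1024
11:52:02.000500 10.0.0.6.50001 > 192.168.1.10.80: F 1:1(0) win 1024
11:52:02.000600 192.168.1.10.21 > 10.0.0.6.50001: R 0:0(0) ack 2 win 0
11:52:03.000100 10.0.0.7.1234 > 192.168.1.10.22: S 100:100(0) win 8760
11:52:03.000200 192.168.1.10.22 > 10.0.0.7.1234: S 500:500(0) ack 101 win 8760
11:52:03.000300 10.0.0.7.1234 > 192.168.1.10.22: . 101:101(0) ack 501 win 8760
11:52:03.000400 10.0.0.7.1234 > 192.168.1.10.22: P 101:121(20) ack 501 win 8760
"""

Packet = namedtuple("Packet", "src sport dst dport syn fin rst ack")
Finding = namedtuple("Finding", "kind src dst ports")

LINE_RE = re.compile(
    r"^\S+ (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+) (?P<rest>.*)$"
)


def parse(lines):
    """Yield Packet records for every line that matches the tcpdump TCP format."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or non-TCP line
        flags = m.group("flags")
        yield Packet(
            m.group("src"), int(m.group("sport")), m.group("dst"), int(m.group("dport")),
            syn="S" in flags, fin="F" in flags, rst="R" in flags,
            ack=" ack " in m.group("rest"),
        )


def connect_log(lines):
    """What a connect()-level monitor (e.g. TCP wrappers) could see: (src, dst, dport)
    triples where the client sent the third-handshake ACK. Half-open SYN probes
    and bare FINs never reach this point, so they are absent from the result."""
    seen = set()
    for p in parse(lines):
        if p.ack and not p.syn and not p.rst:
            seen.add((p.src, p.dst, p.dport))
    return seen


def detect_scans(lines, port_threshold=5):
    """Packet-level detector: per (src, dst) pair, count distinct ports hit by
    bare SYNs that never completed, and distinct ports hit by bare FINs."""
    syn_probes = defaultdict(set)  # ports that received SYN without ACK
    fin_probes = defaultdict(set)  # ports that received FIN without ACK
    completed = defaultdict(set)   # ports where the client later sent an ACK
    for p in parse(lines):
        key = (p.src, p.dst)
        if p.syn and not p.ack:
            syn_probes[key].add(p.dport)
        elif p.fin and not p.ack:
            fin_probes[key].add(p.dport)
        elif p.ack and not p.syn and not p.rst:
            completed[key].add(p.dport)
    findings = []
    for key, ports in syn_probes.items():
        half_open = ports - completed[key]
        if len(half_open) >= port_threshold:
            findings.append(Finding("syn_scan", key[0], key[1], len(half_open)))
    for key, ports in fin_probes.items():
        if len(ports) >= port_threshold:
            findings.append(Finding("fin_scan", key[0], key[1], len(ports)))
    return findings


if __name__ == "__main__":
    for f in detect_scans(SAMPLE.splitlines()):
        print(f"{f.kind}: {f.src} -> {f.dst} ({f.ports} ports)")
    print("connect()-visible:", sorted(connect_log(SAMPLE.splitlines())))
```

Run against the sample, the packet-level detector reports both the SYN scan from 10.0.0.5 and the FIN scan from 10.0.0.6, while the connect()-level view contains only 10.0.0.7's single session to port 22. The threshold and the lack of any time window are deliberate simplifications; a production detector must also handle the evasion cases (fragmentation, slow scans, decoys) discussed in the Phrack and SNI papers cited above.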


