Nmap Announce mailing list archives
Re: Following the detection thread
From: Dave Dittrich <dittrich () cac washington edu>
Date: Fri, 29 Jan 1999 11:52:19 -0800 (PST)
On Fri, 29 Jan 1999, Lance Spitzner wrote:
> Of course, since I'm using TCP wrappers, it will not detect -sS or -sF scans. Not the ultimate solution, but something I've been playing with and having good results.
Lance,

Because of the more "stealthy" nature of FIN and SYN scans (the latter used in attacks here at the UW just two days ago), I'd say that using tcpdump methods as done in nfr, shadow, or bro (three intrusion detection systems) would be more effective than TCP connect() scan monitoring.

There's also the method described in Phrack Vol 8, Issue 53, article 13 ("Designing and Attacking Port Scan Detection Tools") and don't forget to read the SNI paper mentioned therein ("Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection.")

--
Dave Dittrich
Client Services                     dittrich () cac washington edu
Computing & Communications
University of Washington
http://www.washington.edu/People/dad/  (Dave Dittrich / dittrich () cac washington edu [PGP Key])
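As an added illustration of the distinction Dave draws above (this is not code from the original message, nor from nfr, shadow or bro): a small Python script that reads constructed tcpdump-style lines and separates completed connect() handshakes, which TCP wrappers would log, from half-open SYN probes and bare FIN probes, which only a packet-level monitor sees. The sample traffic, the exact-flag-string rule and the alert threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not real captures): host 10.0.0.5 half-open
# SYN scans ports 22, 25 and 80 and FIN scans 111 and 139; host 10.0.0.7 makes
# one ordinary connect() to port 22 (SYN, SYN-ACK, ACK).
SAMPLE = """\
IP 10.0.0.5.40000 > 192.0.2.10.22: Flags [S], seq 1, win 1024, length 0
IP 192.0.2.10.22 > 10.0.0.5.40000: Flags [S.], seq 9, ack 2, win 5840, length 0
IP 10.0.0.5.40000 > 192.0.2.10.22: Flags [R], seq 2, win 0, length 0
IP 10.0.0.5.40001 > 192.0.2.10.25: Flags [S], seq 1, win 1024, length 0
IP 192.0.2.10.25 > 10.0.0.5.40001: Flags [R.], seq 0, ack 2, win 0, length 0
IP 10.0.0.5.40002 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
IP 192.0.2.10.80 > 10.0.0.5.40002: Flags [S.], seq 9, ack 2, win 5840, length 0
IP 10.0.0.5.40002 > 192.0.2.10.80: Flags [R], seq 2, win 0, length 0
IP 10.0.0.5.40003 > 192.0.2.10.111: Flags [F], seq 1, win 1024, length 0
IP 10.0.0.5.40004 > 192.0.2.10.139: Flags [F], seq 1, win 1024, length 0
IP 192.0.2.10.139 > 10.0.0.5.40004: Flags [R.], seq 0, ack 2, win 0, length 0
IP 10.0.0.7.51000 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
IP 192.0.2.10.22 > 10.0.0.7.51000: Flags [S.], seq 9, ack 2, win 5840, length 0
IP 10.0.0.7.51000 > 192.0.2.10.22: Flags [.], ack 10, win 65535, length 0
"""

FLOW_RE = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]*)\]")

def scan_report(text):
    """Per source IP, count distinct (dst, port) pairs that were fully connected,
    left half-open (SYN without the client's ACK), or hit with a bare FIN on a
    flow that never saw a SYN. Flags match exactly, so a "F." close is not a probe."""
    sent = defaultdict(list)          # (src, sport, dst, dport) -> flags sent by src
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            sent[(src, sport, dst, dport)].append(flags)
    cats = defaultdict(lambda: defaultdict(set))
    for (src, _sport, dst, dport), flags in sent.items():
        if "S" in flags and "." in flags:    # handshake completed: wrappers see this
            cats[src]["connected"].add((dst, dport))
        elif "S" in flags:                   # SYN, then RST or silence: half-open
            cats[src]["halfopen"].add((dst, dport))
        elif "F" in flags:                   # FIN with no SYN on this flow: FIN probe
            cats[src]["badfin"].add((dst, dport))
    return {src: {k: len(v) for k, v in c.items()} for src, c in cats.items()}

def suspicious(report, threshold=3):
    """Sources whose half-open plus bare-FIN port count reaches the threshold."""
    return sorted(s for s, c in report.items()
                  if c.get("halfopen", 0) + c.get("badfin", 0) >= threshold)
```

Run it against real `tcpdump -n 'tcp'` output to see the same split; a legitimate client that hits a closed port once will register a single half-open entry, which is why the threshold counts distinct ports rather than single packets.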