Nmap Announce mailing list archives

Re: Intrusion Detection was Detected NMAP scan


From: Matthew Franz <mdfranz () txdirect net>
Date: Wed, 6 Jan 1999 21:10:48 -0600 (CST)

On Wed, 6 Jan 1999, David G. Andersen wrote:


I can definitely see the utility of this.  You may wish to talk to the 
folks at all.net - I know they have at least some of this
functionality (the doing a whois, sending the nastygram) done
when you annoy their telnet daemon, etc.

(http://www.all.net/)

I'm not sure if this is a part of their deception toolkit or not - I
haven't really kept up to date on their work.


Many of the IDS "experts" frown on automated responses and return fire.
Do you really want "them" to know that you're watching them? I thought
the main point of DTK is to provide fake services and keep attackers "on
the phone" long enough to gather info.

Nevertheless, we are working on these kinds of capabilities as part of
Trinux IDS.  We have a prototype of a pop-in floppy-based Honey Pot based
on DTK that Fred Cohen has helped us with.

If any of y'all are interested in doing scripting/coding/testing (or just
brainstorming) in IDS or mapping, check out the Trinux page.  The ranks of
our development team have swelled considerably in the last 6 weeks, but
there's *lots* to do as you can probably imagine. 

-mdf


________________________________________________________________________
 Matthew D. Franz                      I don't go for fancy cars 
 Trinux: A Linux Security Toolkit      for diamond rings or movie stars   
 http://www.trinux.org/                I go for penguins.  Oh Lord I 
 mdfranz () txdirect net                  go for penguins -- Lyle Lovett
------------------------------------------------------------------------


