Bugtraq mailing list archives
Re: BoS: IP Port Scan Detector.
From: mcn () EnGarde com (Mike Neuman)
Date: Sun, 3 Dec 1995 15:52:24 -0600
Three things:
Darren Reed <avalon () coombs anu edu au> wrote:
> It doesn't look for Stealth Scans by their signature (half-open connections and using ACKs, etc), but just registers all packets sent to a select number of ports. The higher the number of ports `hit' by a given host, the higher its score for probability of having done a port scan.
1) I haven't looked at the code, but it would seem a couple of things were significant in this approach:

 - What happens if a firewall is blocking some of the "sensitive" ports? (e.g. ports 1-100 but not 23 get scanned)

 - Time would seem to be significant. (e.g. What if I scan a new port every 5 minutes (or whatever)) And if the timing is too small, a busy server will most likely get flagged as being scanned.

2) You didn't mention if your half-open port scanner was available. I wrote one a long time ago which is freely available. If anyone would like to grab a copy of it, you can find it in the intrusion section of my home page. It only runs under SunOS 4.x, but it's basically just a proof of concept. :-)

http://www.engarde.com/~mcn

3) Are firewall logging packages vulnerable to this? (i.e. Does the firewall only log/alert on the existence of a fully established connection, or merely on the first SYN?)

-Mike
mcn () EnGarde com
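The scoring approach quoted above (count the distinct ports a host hits, alert when the count gets high) and the two caveats raised in point 1 (a firewall dropping some ports before the sensor sees them, and a scan spread out in time) are easy to make concrete. The following is an added example written for this archive page; it is not the detector Darren Reed describes nor Mike Neuman's scanner. It keeps a per-source sliding window of SYNs, scores by distinct destination ports, records which of those SYNs were never followed by the client's ACK (half-open), and lets a set of "blocked" ports model a firewall in front of the sensor. All addresses, ports, the 60 s window, the threshold of 5 and the packet records are constructed assumptions.

```python
"""Sliding-window port-scan scorer in the style of the detector under discussion.

Added example, not code from the original post or from the detector it describes.
The packet records, addresses, window and threshold below are constructed for illustration.
"""
from collections import defaultdict, deque


# Constructed sample traffic, not a real capture: (time_s, src_ip, dst_port, flags).
# flags is "S" for a client SYN and "A" for the client's ACK that completes the handshake.
SAMPLE_PACKETS = (
    # Fast half-open scanner: eight SYNs in two seconds, never completes a handshake.
    [(0.25 * i, "10.0.0.5", p, "S") for i, p in enumerate([21, 22, 23, 25, 80, 110, 111, 143])]
    # Slow scanner: same ports, one SYN every 300 s (the timing caveat in the post).
    + [(300.0 * i, "10.0.0.6", p, "S") for i, p in enumerate([21, 22, 23, 25, 80, 110, 111, 143])]
    # Busy legitimate client: forty full handshakes, but only ever to ports 25 and 80.
    + [(0.1 * i, "10.0.0.7", 25 if i % 2 == 0 else 80, f) for i in range(40) for f in ("S", "A")]
)


class PortScanDetector:
    """Scores each source by the number of distinct ports it sent SYNs to inside a time window."""

    def __init__(self, window_s=60.0, threshold=5, blocked_ports=()):
        self.window_s = window_s
        self.threshold = threshold
        # Ports a firewall in front of the sensor drops; the detector never sees those packets.
        self.blocked_ports = frozenset(blocked_ports)
        self._syns = defaultdict(deque)     # src -> deque of (t, dport) SYNs still inside the window
        self._completed = defaultdict(set)  # src -> ports where the client later sent its ACK
        self._alerted = set()
        self.alerts = []                    # (t, src, score), one entry per source

    def observe(self, t, src, dport, flags):
        """Feed one packet; returns the source's current score, or None if nothing was scored."""
        if dport in self.blocked_ports:
            return None                     # dropped upstream, so it cannot count toward a score
        if flags == "A":
            self._completed[src].add(dport)  # handshake completed: this port is no longer half-open
            return None
        if flags != "S":
            return None
        window = self._syns[src]
        window.append((t, dport))
        while window and t - window[0][0] > self.window_s:
            window.popleft()                # expire SYNs older than the window
        score = self.score(src)
        if score >= self.threshold and src not in self._alerted:
            self._alerted.add(src)
            self.alerts.append((t, src, score))
        return score

    def score(self, src):
        """Distinct ports hit within the window, so a chatty client on two ports stays low."""
        return len({p for _, p in self._syns[src]})

    def half_open_ports(self, src):
        """Ports the source SYNed to inside the window without ever completing the handshake."""
        return {p for _, p in self._syns[src]} - self._completed[src]

    def alerted_sources(self):
        return {src for _, src, _ in self.alerts}


def run(packets, **kwargs):
    """Replay packets in time order through a fresh detector and return it."""
    det = PortScanDetector(**kwargs)
    for t, src, dport, flags in sorted(packets, key=lambda p: p[0]):
        det.observe(t, src, dport, flags)
    return det


if __name__ == "__main__":
    det = run(SAMPLE_PACKETS)
    for t, src, score in det.alerts:
        print(f"t={t:7.2f}s {src} hit {score} distinct ports; half-open: {sorted(det.half_open_ports(src))}")
    # The same scan seen through a firewall that drops ports 1-100 except 23 never reaches the threshold.
    print("alerts behind firewall:", run(SAMPLE_PACKETS, blocked_ports=set(range(1, 101)) - {23}).alerts)
```

With the constructed traffic only the fast scanner is flagged: the slow scanner never has more than one SYN inside the 60 s window, and the busy client's forty handshakes collapse to two distinct ports. Blocking ports 1-100 except 23 in front of the sensor leaves the fast scanner at four visible ports, under the threshold, which is exactly the blind spot point 1 asks about; lowering the threshold to 2 catches the scanner but also flags the busy client, which is the other side of the same trade-off.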