IDS mailing list archives
Re: slow scans?
From: "Johannes Ullrich" <jullrich () euclidian com>
Date: Wed, 12 Feb 2003 14:15:21 -0500
> And finally, does anybody really care? I know for sure that some folks do, but I suspect their percentage is reeeally small. Is that so?
I cut your e-mail down to this 'summary statement'. You are right that only a few people care. Firstly, 'slow scans' are hard to detect, and even worse, frequently hard to define. Given the high background noise one can expect on any internet-facing IP address (CR, Nimda, SqlSlammer, IRC probes...), it is hard to detect anything 'different'.

On the other hand, do people actually use slow scans, or do they rather use quick and loud scans from a throw-away source?

Another question is: What would you do differently if you knew someone was scanning you slowly? If there is nothing you would change in your procedure, there is no reason to detect it. Would you provide some false information to the scanner (e.g. put up some form of honeypot to see if the attacker follows up)?

As for tools: The main issue is to use an IDS / log management system that can handle enough logs to recognize these probes. Shadow comes to mind as a solution.

-- 
--------------------------------------------------------------------
jullrich () euclidian com
Collaborative Intrusion Detection
join http://www.dshield.org
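As an added illustration of the log-correlation approach the reply points to (example code written for this archive page, not the author's or Shadow's), the following script buckets firewall denies per source over a long window, ignores the worm background ports the mail names, and flags sources that probe many distinct ports at a low rate. The log format, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall deny log lines (not real data), one per line:
# "<ISO timestamp> DENY <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2003-02-12T00:05:10 DENY 10.9.8.7 -> 192.0.2.10:21
2003-02-12T03:41:02 DENY 10.9.8.7 -> 192.0.2.10:22
2003-02-12T08:12:55 DENY 10.9.8.7 -> 192.0.2.10:23
2003-02-12T13:30:41 DENY 10.9.8.7 -> 192.0.2.10:25
2003-02-12T01:00:00 DENY 10.1.1.1 -> 192.0.2.10:80
2003-02-12T02:00:00 DENY 10.1.1.1 -> 192.0.2.10:1434
2003-02-12T09:00:00 DENY 10.2.2.2 -> 192.0.2.10:21
2003-02-12T09:00:01 DENY 10.2.2.2 -> 192.0.2.10:22
2003-02-12T09:00:02 DENY 10.2.2.2 -> 192.0.2.10:23
2003-02-12T09:00:03 DENY 10.2.2.2 -> 192.0.2.10:25
"""

# Ports hit constantly by worm background noise of the era (Code Red/Nimda on 80,
# SQL Slammer on 1434, NetBIOS probes); hits on these alone tell us very little.
BACKGROUND_PORTS = {80, 1434, 137, 139}

def parse(log_text):
    """Yield (timestamp, src_ip, dst_port) from the constructed log format."""
    for line in log_text.splitlines():
        ts, _, src, _, dst = line.split()
        yield datetime.fromisoformat(ts), src, int(dst.rsplit(":", 1)[1])

def find_slow_scans(log_text, min_ports=4, min_span=timedelta(hours=6), max_rate_per_hour=2.0):
    """Return {src_ip: sorted distinct ports} for sources that touched at least
    min_ports non-noise ports, spread over at least min_span, at a rate low
    enough that a short-window portscan preprocessor would never fire."""
    by_src = defaultdict(list)
    for ts, src, port in parse(log_text):
        if port not in BACKGROUND_PORTS:
            by_src[src].append((ts, port))
    findings = {}
    for src, events in by_src.items():
        ports = {p for _, p in events}
        if len(ports) < min_ports:
            continue
        times = sorted(t for t, _ in events)
        span = times[-1] - times[0]
        if span < min_span:
            continue  # fast and loud: the ordinary portscan detector's job
        rate = len(events) / (span.total_seconds() / 3600)
        if rate <= max_rate_per_hour:
            findings[src] = sorted(ports)
    return findings
```

The thresholds only work if the log store retains days of denies per source, which is the "handle enough logs" requirement the reply makes.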
Current thread:
- slow scans? Anton Chuvakin (Feb 12)
- Re: slow scans? Johannes Ullrich (Feb 12)
- Re: slow scans? Anton Chuvakin (Feb 12)
- Re: slow scans? James Hoagland (Feb 14)
- Re: slow scans? Tod Beardsley (Feb 18)
- RE: slow scans? Rob Shein (Feb 18)
- Re: slow scans? Johannes Ullrich (Feb 12)
- Re: slow scans? Ron Gula (Feb 12)
- Re: slow scans? Anton Chuvakin (Feb 12)
- Re: slow scans? James Hoagland (Feb 14)