IDS mailing list archives

Re: slow scans?


From: "Johannes Ullrich" <jullrich () euclidian com>
Date: Wed, 12 Feb 2003 14:15:21 -0500


> And finally, does anybody really care? I know for sure that some folks do,
> but I suspect their percentage is reeeally small. Is that so?

I cut your e-mail down to this 'summary statement'.

You are right that only few people care. Firstly, 'slow scans' are
hard to detect, and even worse, frequently hard to define. Given
the high background noise one can expect on any internet facing
IP address (CR, Nimda, SqlSlammer, IRC probes...), it is hard to 
detect anything 'different'.

On the other hand, do people actually use slow scans or do they rather
use quick and loud scans from a throw-away source? 

Another question is: What would you do differently if you knew someone
was scanning you slowly? If there is nothing you would change in your
procedure, there is no reason to detect it. Would you provide some
false information to the scanner (e.g. put up some form of honeypot
to see if the attacker follows up)?

As for tools: The main issue is to use an IDS / Log management system
that can handle enough logs to recognize these probes. Shadow comes to
mind as a solution.


-- 
--------------------------------------------------------------------
jullrich () euclidian com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
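The point about needing a log store that holds enough history, shown as an added example (not code from the original post or from Shadow): constructed log lines with worm background noise, one loud scan and one slow scan, and the same per-source distinct-port rule run over a one-minute window and a three-day window. Addresses, ports and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic), one "timestamp src dst:port" per line.
T0 = datetime(2003, 2, 10, 0, 0, 0)

def _line(t, src, port):
    return f"{t.isoformat()} {src} 192.0.2.10:{port}"

LOG_LINES = (
    # background noise: many distinct sources, each hitting only 80 or 1434
    [_line(T0 + timedelta(minutes=7 * i), f"10.{i}.{i}.{i}", 80 if i % 2 else 1434)
     for i in range(1, 40)]
    # loud scanner: eight ports within ten seconds
    + [_line(T0 + timedelta(hours=5, seconds=i), "198.51.100.7", 21 + i)
       for i in range(8)]
    # slow scanner: one port every six hours, spread over two days
    + [_line(T0 + timedelta(hours=6 * i), "203.0.113.9", p)
       for i, p in enumerate([21, 22, 23, 25, 53, 110, 143, 443])]
)

def parse(lines):
    events = []
    for ln in lines:
        ts, src, dst = ln.split()
        events.append((datetime.fromisoformat(ts), src, int(dst.rsplit(":", 1)[1])))
    return events

def scanners(events, window, min_ports):
    """Sources that touch >= min_ports distinct ports within any `window`."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    hits = set()
    for src, evs in by_src.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:  # slide the window start
                lo += 1
            if len({p for _, p in evs[lo:hi + 1]}) >= min_ports:
                hits.add(src)
                break
    return hits

EVENTS = parse(LOG_LINES)

def fast_scanners():  # what a one-minute IDS threshold sees
    return scanners(EVENTS, timedelta(minutes=1), 6)

def slow_scanners():  # only visible with days of retained logs
    return scanners(EVENTS, timedelta(days=3), 6) - fast_scanners()
```

The noise sources never cross the port threshold in either window; the loud scan is caught by the short window, and the slow one appears only when the rule runs over retained history.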

