IDS mailing list archives
Re: slow scans?
From: Anton Chuvakin <anton () chuvakin org>
Date: Wed, 12 Feb 2003 15:29:51 -0500 (EST)
> On the other hand, do people actually use slow scans or do they rather use quick and loud scans from a throw-away source?
Well, that IS exactly what I can't comprehend myself. The only reason is that folks-who-care-about-slow-scans will cut the fast-n-noisy before it finishes by implementing the countermeasures, thus denying the attacker the desired information.
> Another question is: What would you do different if you know someone is scanning you slowly? If there is nothing you would change in your
Nothing, what matters is that you'd know they (or, rather, somebody) scanned you.
> As for tools: The main issue is to use an IDS / Log management system that can handle enough logs to recognize these probes. Shadow comes to mind as a solution.
It's not only the storage req, the main issue is the algorithm to mine the collected storage. The latter is unclear. I am trying to look for what people did in the area.
Best,
--
Anton A. Chuvakin, Ph.D., GCIA
http://www.chuvakin.org
http://www.info-secure.org
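One simple way to mine retained logs for slow scans, added here as an example and not part of the original message or any tool named in the thread: count the distinct (host, port) targets each source touches over a long window instead of applying a rate threshold. The log format, the function names and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of denied-connection records: "time src dst dport" (assumed format).
SAMPLE_LOG = """\
2003-02-01T03:10:00 192.0.2.10 10.0.0.5 22
2003-02-01T09:00:00 198.51.100.7 10.0.0.5 80
2003-02-03T04:41:00 192.0.2.10 10.0.0.6 22
2003-02-03T09:00:05 198.51.100.7 10.0.0.5 80
2003-02-05T02:17:00 192.0.2.10 10.0.0.7 22
2003-02-06T11:30:00 203.0.113.9 10.0.0.5 25
2003-02-07T05:55:00 192.0.2.10 10.0.0.8 22
2003-02-09T01:02:00 192.0.2.10 10.0.0.9 22
2003-02-09T16:20:00 203.0.113.9 10.0.0.6 25
2003-02-11T03:33:00 192.0.2.10 10.0.0.10 22
"""

def first_seen_targets(lines):
    """Map each source to the earliest time it touched each distinct (dst, dport)."""
    seen = defaultdict(dict)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        key, t = (dst, int(dport)), datetime.fromisoformat(ts)
        seen[src][key] = min(t, seen[src].get(key, t))
    return seen

def find_slow_scanners(lines, window=timedelta(days=14), min_targets=5):
    """Return {src: (distinct_targets, hours_spanned)} for sources that reached
    min_targets distinct targets inside any `window`-long period, however slowly."""
    hits = {}
    for src, targets in first_seen_targets(lines).items():
        times = sorted(targets.values())
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink until the span fits the window
                start += 1
            count = end - start + 1
            if count >= min_targets and count > hits.get(src, (0, 0))[0]:
                hours = (t - times[start]).total_seconds() / 3600
                hits[src] = (count, round(hours, 1))
    return hits

if __name__ == "__main__":
    for src, (n, hours) in find_slow_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct targets over {hours} h")
```

With the window cut to three days the same source is no longer reported, which is the storage-versus-algorithm trade-off discussed above: state per source has to be kept for as long as the slowest scan you want to see.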