IDS mailing list archives
Re: slow scans?
From: James Hoagland <jim () SiliconDefense com>
Date: Fri, 14 Feb 2003 09:42:19 -0800
Anton and all, (comments inline) At 1:46 PM -0500 2/12/03, Anton Chuvakin wrote:
All, This is a somewhat generic information query for methods to detect slow (aka "low and slow") port scans and network scans using IDS (or whatever other means). By slow scans I mean port probes occurring over the period of hours to months (!) against the different destinations and even potentially from different sources (both in the form of coordinated and spoofed scans). The only resource I identified was the Spice/Spade from the Silicon Defense site. References in http://www.silicondefense.com/pptntext/Spice-JCS.pdf seem to be pretty outdated and the detection methods are implied to be inferior to that of Spice.
(This didn't entirely parse for me; Spice is what is discussed in that paper, which covers the Spade and Spice approach.)
That paper is indeed a little out of date, mostly in that Spade has been enhanced and Spice is now implemented, experimented with, and commercially available.
Starting with the releases from last October, Spade can look for non-SYN probes, can look for responses to anomalous traffic to reduce false positives, and makes available additional detection approaches. For more information, see the README.Spade and Usage.Spade files, which can be found in the distribution, and here:
http://www.silicondefense.com/software/spice/Spice is now commercially available. It is a featured component of the Silicon Defense CounterStealth CS1. See:
http://www.silicondefense.com/
Also, the classic X packets in Y second to Z port/hosts seem to be pretty useless for truly slow scans, such as those spanning days and weeks. Plotting pictures of sequential port accesses seem to only reveal the sequential scans from a single source against a single destination, which are relatively easy to pick up. Anything more high tech?
Agreed that this approach is pretty useless against slow scans and is difficult to apply effectively against scans where the source IPs vary (either due to the scan being coordinated with different scanning hosts or due to being in a position to see responses if the source IPs are forged).
And finally, does anybody really care? I know for sure that some folks do, but I suspect their percentage is reeeally small. Is that so?
Some do. I can't go into details but elements of the US government do and some companies do. Though perhaps more should care.
Best regards, Jim -- |* Jim Hoagland, Associate Researcher, Silicon Defense *| |* --- Silicon Defense: The Cyberwar Defense Company --- *| |* jim () SiliconDefense com, http://www.silicondefense.com/ *| |* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
Current thread:
- slow scans? Anton Chuvakin (Feb 12)
- Re: slow scans? Johannes Ullrich (Feb 12)
- Re: slow scans? Anton Chuvakin (Feb 12)
- Re: slow scans? James Hoagland (Feb 14)
- Re: slow scans? Tod Beardsley (Feb 18)
- RE: slow scans? Rob Shein (Feb 18)
- Re: slow scans? Johannes Ullrich (Feb 12)
- Re: slow scans? Ron Gula (Feb 12)
- Re: slow scans? Anton Chuvakin (Feb 12)
- Re: slow scans? James Hoagland (Feb 14)