IDS mailing list archives

Re: slow scans?


From: James Hoagland <jim () SiliconDefense com>
Date: Fri, 14 Feb 2003 09:42:19 -0800

Anton and all,

(comments inline)

At 1:46 PM -0500 2/12/03, Anton Chuvakin wrote:
> All,
>
> This is a somewhat generic information query for methods to detect slow
> (aka "low and slow") port scans and network scans using IDS (or whatever
> other means).
>
> By slow scans I mean port probes occurring over the period of hours to
> months (!) against the different destinations and even potentially from
> different sources (both in the form of coordinated and spoofed scans).
>
> The only resource I identified was the Spice/Spade from the Silicon
> Defense site. References in
> http://www.silicondefense.com/pptntext/Spice-JCS.pdf seem to be pretty
> outdated and the detection methods are implied to be inferior to that of
> Spice.

(This didn't entirely parse for me; Spice is what is discussed in that paper, which covers the Spade and Spice approach.)

That paper is indeed a little out of date, mostly in that Spade has been enhanced and Spice is now implemented, experimented with, and commercially available.

Starting with the releases from last October, Spade can look for non-SYN probes, can look for responses to anomalous traffic to reduce false positives, and makes available additional detection approaches. For more information, see the README.Spade and Usage.Spade files, which can be found in the distribution, and here:

    http://www.silicondefense.com/software/spice/

Spice is now commercially available. It is a featured component of the Silicon Defense CounterStealth CS1. See:

    http://www.silicondefense.com/

> Also, the classic X packets in Y seconds to Z ports/hosts seems to be pretty
> useless for truly slow scans, such as those spanning days and weeks.
> Plotting pictures of sequential port accesses seems to only reveal the
> sequential scans from a single source against a single destination, which
> are relatively easy to pick up. Anything more high tech?

Agreed that this approach is pretty useless against slow scans and is difficult to apply effectively against scans where the source IPs vary (either due to the scan being coordinated with different scanning hosts or due to being in a position to see responses if the source IPs are forged).

> And finally, does anybody really care? I know for sure that some folks do,
> but I suspect their percentage is reeeally small. Is that so?

Some do. I can't go into details but elements of the US government do and some companies do. Though perhaps more should care.

Best regards,

  Jim

--
|*     Jim Hoagland, Associate Researcher, Silicon Defense     *|
|*    --- Silicon Defense: The Cyberwar Defense Company ---    *|
|*   jim () SiliconDefense com, http://www.silicondefense.com/    *|
|*  Voice: (530) 756-7317                 Fax: (530) 756-7297  *|
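As an added illustration of the point made in this exchange (not code from the list, from Spade/Spice or from Silicon Defense), the following Python contrasts the classic "X ports in Y seconds" rule with a detector that keeps per-source state over a multi-day horizon. The traffic sample, addresses, thresholds and the horizon-based pruning are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample: (timestamp_seconds, src_ip, dst_ip, dst_port).
# One "low and slow" scanner probes a new port once an hour for two days;
# a second host fires 30 probes within 30 seconds. All values are made up.
HOUR = 3600
SLOW_SCAN = [(h * HOUR, "198.51.100.7", "192.0.2.10", 1000 + h) for h in range(48)]
BURST = [(10 * HOUR + i, "203.0.113.5", "192.0.2.10", 2000 + i) for i in range(30)]
EVENTS = sorted(SLOW_SCAN + BURST)


def classic_threshold(events, x=20, y=60):
    """Classic rule: alert when a source touches >= x distinct ports within y seconds."""
    alerts = set()
    window = defaultdict(deque)          # src -> deque of (ts, port) inside the window
    for ts, src, _dst, port in events:
        q = window[src]
        q.append((ts, port))
        while q and ts - q[0][0] > y:    # drop probes that fell out of the window
            q.popleft()
        if len({p for _, p in q}) >= x:
            alerts.add(src)
    return alerts


def long_horizon(events, x=20, horizon=7 * 24 * HOUR):
    """Keep per-source port state for days, not seconds (assumed design: entries
    older than `horizon` are pruned to bound memory); alert on >= x distinct ports."""
    alerts = set()
    seen = defaultdict(dict)             # src -> {port: last_seen_ts}
    for ts, src, _dst, port in events:
        ports = seen[src]
        ports[port] = ts
        for stale in [p for p, t in ports.items() if ts - t > horizon]:
            del ports[stale]
        if len(ports) >= x:
            alerts.add(src)
    return alerts


if __name__ == "__main__":
    print("classic threshold flags:", classic_threshold(EVENTS))   # burst host only
    print("long horizon flags:     ", long_horizon(EVENTS))        # both hosts
```

Keying state by source address still misses the coordinated or spoofed scans the reply above calls difficult, which is the case the Spade/Spice approach is aimed at.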

