IDS mailing list archives
RE: Port/Host Scanning Techniques
From: "Dante Mercurio" <Dante () webcti com>
Date: Thu, 4 Mar 2004 17:16:09 -0500
In addition to the methods mentioned, most IDSs also use some signature or protocol analysis to determine that a specific tool was used. Scanning tools can sometimes be identified by the fact that they have specific packet information in their payload. While not always indicative of a full scan, it's often more important to know that a specific application was used to probe your network, even if just once. For instance, Snort has this rule:

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Webtrends Scanner UDP Probe"; content: "|0A|help|0A|quite|0A|"; reference:arachnids,308; classtype:attempted-recon; sid:637; rev:2;)

Thus a packet with the payload "|0A|help|0A|quite|0A|" would indicate a Webtrends Scanner UDP Probe regardless of how many attempts were made. Since these rules are triggered only on packet contents, there is always the possibility of a false positive with a valid packet just happening to have the same content.

M. Dante Mercurio
dante () webcti com
Consulting Group Manager
Continental Technologies, Inc
www.webcti.com

-----Original Message-----
From: Tarek Amr Abdullah [mailto:tabdullah () salec com eg]
Sent: Wednesday, February 25, 2004 2:37 AM
To: focus-ids () securityfocus com
Subject: Port/Host Scanning Techniques

Hi there

Does anyone know the current techniques used in IDSs in order to detect Host Scanning and Port Scanning? I think it is something related to traffic / protocol anomaly. But does anyone know more details about the implementation?
Thanks in advance
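As an added illustration of the point Dante makes above (this is example code written for this archive page, not Snort's own matching engine and not code from either poster), the following Python parses the quoted sid 637 rule, converts its Snort `content:` string with `|..|` hex escapes into raw bytes, and runs it over a handful of constructed UDP/TCP payloads. It shows that the signature fires on a single packet with no scan-rate state at all, that the protocol field still gates the match, and that a benign payload which merely contains the same bytes produces the false positive the post warns about. The packet list, the function names and the `scan_packets` return format are assumptions of this example.

```python
"""Minimal Snort-style content matcher (added example, not Snort code).

Demonstrates how a single-packet signature such as sid 637 triggers on
payload bytes alone, and why an unrelated packet carrying the same bytes
is a false positive.  Rule text is the one quoted in the post above;
all packet payloads below are constructed for this example.
"""
import re

# Snort rule exactly as quoted in the post above.
WEBTRENDS_RULE = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"SCAN Webtrends Scanner UDP Probe"; content: "|0A|help|0A|quite|0A|"; '
    'reference:arachnids,308; classtype:attempted-recon; sid:637; rev:2;)'
)

# name:value; pairs, where value is either a quoted string or bare text up to ';'
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_content(spec: str) -> bytes:
    """Convert Snort content syntax to raw bytes.

    Text outside |...| is literal; inside |...| are hex byte values with
    optional whitespace, so "|0A|help|0A|" becomes b"\\nhelp\\n".
    """
    if spec.count('|') % 2:
        raise ValueError(f'unbalanced | in content spec: {spec!r}')
    out = bytearray()
    for i, chunk in enumerate(spec.split('|')):
        if i % 2 == 0:                      # literal text segment
            out += chunk.encode('latin-1')
        else:                               # hex segment between pipes
            out += bytes.fromhex(chunk.replace(' ', ''))
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Pull header fields and options out of a one-line Snort rule.

    Only what this example needs is kept: action, proto, the content
    patterns (as bytes), and the remaining options as plain strings.
    """
    header, _, body = rule.partition('(')
    action, proto, _src, _sport, _dir, _dst, _dport = header.split()
    parsed = {'action': action, 'proto': proto.lower(), 'contents': []}
    for name, value in OPTION_RE.findall(body.rstrip(')')):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if name == 'content':
            parsed['contents'].append(parse_content(value))
        else:
            parsed[name] = value
    return parsed


def match_packet(rule: dict, proto: str, payload: bytes) -> bool:
    """Fire when the protocol matches and every content pattern is present.

    No counters, no time window: one packet is enough, which is exactly
    the single-probe detection the post describes.
    """
    if rule['proto'] != proto.lower():
        return False
    return all(pat in payload for pat in rule['contents'])


def scan_packets(rule: dict, packets) -> list:
    """Return (packet index, rule msg) for every packet that triggers the rule."""
    return [(i, rule['msg']) for i, (proto, payload) in enumerate(packets)
            if match_packet(rule, proto, payload)]


# Constructed sample traffic (not captured from any real network).
SAMPLE_PACKETS = [
    ('udp', b'\nhelp\nquite\n'),                # the Webtrends probe payload itself
    ('udp', b'GET / HTTP/1.0\r\n'),             # unrelated UDP payload: no match
    ('tcp', b'\nhelp\nquite\n'),                # same bytes over TCP: rule is udp-only
    ('udp', b'log line\nhelp\nquite\nnext\n'),  # benign text carrying the bytes: false positive
]

if __name__ == '__main__':
    rule = parse_rule(WEBTRENDS_RULE)
    for idx, msg in scan_packets(rule, SAMPLE_PACKETS):
        print(f'packet {idx}: {msg} (sid {rule["sid"]})')
```

Packets 0 and 3 both raise the alert: the first is the probe, the last is ordinary text that happens to contain the three-line marker. Nothing in the rule distinguishes them, which is why a content-only signature needs either a tighter pattern (more bytes, a port or offset constraint) or correlation with other events before it is treated as proof of a scan.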
Current thread:
- RE: Port/Host Scanning Techniques Dante Mercurio (Mar 08)
- <Possible follow-ups>
- Re: Port/Host Scanning Techniques todb (Mar 12)