IDS mailing list archives

RE: Port/Host Scanning Techniques


From: "Dante Mercurio" <Dante () webcti com>
Date: Thu, 4 Mar 2004 17:16:09 -0500

In addition to the methods mentioned, most IDS also use some signature
or protocol analysis to determine that a specific tool was used.
Scanning tools can sometimes be identified by the fact that they have
specific packet information in their payload. While not always
indicative of a full scan, it's often more important to know a specific
application was used to probe your network if even just once.

For instance, Snort has this rule:
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Webtrends
Scanner UDP Probe"; content: "|0A|help|0A|quite|0A|";
reference:arachnids,308; classtype:attempted-recon; sid:637; rev:2;)

Thus a packet with the payload "|0A|help|0A|quite|0A|" would indicate a
Webtrends Scanner UDP Probe regardless of how many attempts were made.
Since these rules are triggered only on packet contents, there is always
the possibility of a false-positive with a valid packet just happening
to have the same content.

M. Dante Mercurio
dante () webcti com
Consulting Group Manager
Continental Technologies, Inc
www.webcti.com
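To make the point in the reply above concrete, here is an added example (not code from the post, and not Snort's own implementation) that re-implements the gist of the quoted rule in Python: it decodes the `|0A|` hex notation of a Snort `content` string into bytes, checks the UDP and `$EXTERNAL_NET -> $HOME_NET` header constraints, and runs the match over a few constructed packets. The home network, the addresses and the payloads are all made up for the example; the sample set deliberately includes a benign message that contains the same byte sequence, to show the false positive the reply describes.

```python
import ipaddress
import re

# Constructed, simplified re-implementation of Snort-style content matching.
# Added for illustration; this is not Snort's code.


def parse_snort_content(spec: str) -> bytes:
    """Turn a Snort content string such as "|0A|help|0A|quite|0A|" into bytes.

    Text between pipe characters is hex (Snort allows spaces between bytes);
    everything else is taken literally.
    """
    out = bytearray()
    for part in re.split(r"(\|[0-9A-Fa-f ]*\|)", spec):
        if len(part) >= 2 and part.startswith("|") and part.endswith("|"):
            out += bytes.fromhex(part[1:-1].replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


# The rule quoted in the post, reduced to the fields this example evaluates.
# Ports are "any -> any" in the rule and are not checked here.
WEBTRENDS_RULE = {
    "sid": 637,
    "msg": "SCAN Webtrends Scanner UDP Probe",
    "proto": "udp",
    "content": parse_snort_content("|0A|help|0A|quite|0A|"),
}

HOME_NET = ipaddress.ip_network("10.0.0.0/24")  # constructed $HOME_NET


def rule_matches(rule, proto, src, dst, payload):
    """Header check ($EXTERNAL_NET any -> $HOME_NET any) plus content check."""
    if proto != rule["proto"]:
        return False
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in HOME_NET or dst_ip not in HOME_NET:
        return False
    # A single packet is enough: no counting or thresholding is involved.
    return rule["content"] in payload


def scan_packets(packets, rule=WEBTRENDS_RULE):
    """Return one (sid, msg, src, dst) alert per matching packet."""
    return [
        (rule["sid"], rule["msg"], src, dst)
        for proto, src, dst, payload in packets
        if rule_matches(rule, proto, src, dst, payload)
    ]


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    # 1. one probe carrying the scanner's payload: alerts on first sight
    ("udp", "198.51.100.7", "10.0.0.5", b"\nhelp\nquite\n"),
    # 2. an unrelated application message that happens to contain the same
    #    byte sequence: the false positive the post warns about
    ("udp", "203.0.113.9", "10.0.0.8", b"chat log:\nhelp\nquite\n a few"),
    # 3. same bytes over TCP: protocol mismatch, no alert
    ("tcp", "198.51.100.7", "10.0.0.5", b"\nhelp\nquite\n"),
    # 4. same bytes from inside the home network: direction mismatch
    ("udp", "10.0.0.3", "10.0.0.5", b"\nhelp\nquite\n"),
    # 5. ordinary UDP payload that does not contain the sequence
    ("udp", "198.51.100.7", "10.0.0.5", b"\nhelp\nquit\n"),
]

if __name__ == "__main__":
    for sid, msg, src, dst in scan_packets(SAMPLE_PACKETS):
        print(f"[1:{sid}] {msg} {src} -> {dst}")
```

Running it produces two alerts, one for the genuine probe and one for the benign message, which is exactly why a content-only signature is best treated as evidence that a particular tool's traffic pattern was seen rather than proof of a scan; correlating it with the threshold-based detection discussed elsewhere in the thread reduces the false-positive rate.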

-----Original Message-----
From: Tarek Amr Abdullah [mailto:tabdullah () salec com eg] 
Sent: Wednesday, February 25, 2004 2:37 AM
To: focus-ids () securityfocus com
Subject: Port/Host Scanning Techniques




Hi there

Does anyone know the current techniques used in IDSs in order to detect
Host Scanning and Port Scanning? I think it is something related to
traffic / protocol anomaly. But does anyone know more details about the
implementation?

Thanks in advance




