IDS mailing list archives
Re: Port/Host Scanning Techniques
From: todb () planb-security net
Date: Tue, 9 Mar 2004 11:06:00 -0600 (CST)
Dante Mercurio wrote:
In addition to the methods mentioned, most IDS also use some signature or protocol analysis to determine that a specific tool was used.
This reminds me -- is IDing the tool ever tactically useful? I mean, I like to know exactly what the bad guy did and how, and I like to be able to say with confidence that such-and-such traffic was generated by this-or-that tool. It's an ego boost and it impresses some people. But, as far as reacting to a particular event: does it really matter if an attacker used WhatsUp vs Cyberping vs nmap?

I'm thinking it may have some bearing if you're a cop, or plan to press a legal response. It could also give you a hint about the attacker's platform, but knowing this seems meaningful only if you plan on attacking back (and /that/ is a different discussion altogether).

--
"It's okay to yell 'fire' in a crowded theater if the theater is actually on fire."
Tod Beardsley | www.planb-security.net