IDS mailing list archives
Scanner Brand Detection Paper
From: "Schupp, Hank" <Hank.Schupp () mantech-ist com>
Date: Sun, 28 Aug 2005 00:02:11 -0400
Thanks ahead of the game for any responses . . .

I have seen a paper somewhere that described string, flag, and protocol IDs to try and identify which particular application was performing a vulnerability scan. Though every scanner might create indications of an ICMP or Port Sweep, the paper spoke of certain strings or indicators that each product displays: NMAP, FoundScan, Harris STAT, eEye Retina, SNORT, nCircle, SAINT, etc.

If anyone can recall the article (about 6-9 months ago?) and can pass me a link or a clue to where to look I would appreciate it much. I am attempting to create some analytics for our IP metadata tool so that it can report the "likely" product that was the source of a detected scan and this would be invaluable.

I can, and may do so in the end in any case, run tests to re-create the data - but if I don't 'have' to repeat someone else's work ... I'd rather not!

Thanks again all.

Hank Schupp
Management Technologies International, IS&T
www.netwitness.com