Security Incidents mailing list archives
remote intrusion detection
From: dbrumley () RTFM STANFORD EDU (David Brumley)
Date: Thu, 10 Feb 2000 18:47:33 -0800
Hi,

I've been working a while on a remote intrusion detection tool (rid). It's basically ngrep paired w/ the ability to form custom packets. The idea is that you can easily configure it to search out for common hacks, such as a root shell on port 1524 (though TCP hasn't been implemented yet), stacheldraht/tfn/trinoo daemons, etc.

I've released it earlier than I originally planned due to the recent DDOS attacks. Its new home will be http://www.theorygroup.com/Public/DDOS/ The site itself is still under development, but the tool is available.

It's released opensource to anyone and everyone w/ the exception of those using it for illegal purposes, or for scanning others' nets without authorization. Though I myself cannot do anything about people using it when they are not supposed to, maybe it will add one more month to the jail sentence for whomever is responsible for yahoo, ebay, etc.

FYI, to detect stacheldraht v4 just add the following lines to config.txt:

    begin stach4
    send icmp type=0 id=6268 data=""
    recv icmp type=0 id=669 data="sicken" nmatch=2
    end stach4

Any contributions to the source/development (since it's really rough right now) are greatly appreciated!

Cheers,
david

--
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley () Stanford EDU
Phone: +1-650-723-2445 WWW: http://www.stanford.edu/~dbrumley
Fax: +1-650-725-9121 PGP: finger dbrumley-pgp () sunset Stanford EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
Securing NT. Insert Linux boot disk to continue......
"I have opinions, my employer does not."
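As an added example (not part of the post and not rid's own code), the config block above parsed by a small Python reader, with a matcher that checks a captured ICMP echo reply against the recv rule the way a defender sweeping their own network for stacheldraht v4 agents would; the field semantics and the sample packets are assumed/constructed, not taken from rid.

```python
import shlex
import struct

# The rid config snippet from the post (stacheldraht v4 agent check).
RID_CONFIG = '''
begin stach4
send icmp type=0 id=6268 data=""
recv icmp type=0 id=669 data="sicken" nmatch=2
end stach4
'''

def parse_rid_config(text):
    """Parse begin/end blocks into {name: {"send": {...}, "recv": {...}}}.
    Field meaning is assumed from the post; rid's real parser may differ."""
    rules, current = {}, None
    for line in text.splitlines():
        words = shlex.split(line)          # strips the quotes around data="..."
        if not words:
            continue
        if words[0] == "begin":
            current = words[1]
            rules[current] = {}
        elif words[0] == "end":
            current = None
        elif current and words[0] in ("send", "recv"):
            fields = {"proto": words[1]}
            for kv in words[2:]:
                key, _, value = kv.partition("=")
                fields[key] = value
            rules[current][words[0]] = fields
    return rules

def decode_icmp(pkt):
    """Decode an ICMP echo/echo-reply header (RFC 792) and return its payload."""
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": itype, "code": code, "id": ident, "seq": seq, "data": pkt[8:]}

def recv_matches(recv, pkt):
    """True if the packet's ICMP type, id and payload all equal the recv rule's."""
    d = decode_icmp(pkt)
    payload = d["data"].rstrip(b"\x00").decode("ascii", errors="replace")
    return (d["type"] == int(recv["type"]) and d["id"] == int(recv["id"])
            and payload == recv["data"])

# Constructed: the echo reply an agent answers with (id 669, payload "sicken").
SAMPLE_AGENT_REPLY = struct.pack("!BBHHH", 0, 0, 0, 669, 0) + b"sicken"
# Constructed: an ordinary ping reply that must not trigger the rule.
SAMPLE_PING_REPLY = struct.pack("!BBHHH", 0, 0, 0, 1234, 1) + b"abcdefgh"

def check(pkt, config=RID_CONFIG):
    """Evaluate every rule's recv clause against one captured packet."""
    return {name: recv_matches(r["recv"], pkt) for name, r in parse_rid_config(config).items()}
```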
Current thread:
- remote intrusion detection David Brumley (Feb 10)
- NIDS detection feasible? (Re: remote intrusion detection) Mixter (Feb 15)