Security Incidents mailing list archives
Re: Assistance and advice request
From: Michel Kaempf <maxx () SECURITE ORG>
Date: Fri, 28 Jul 2000 22:14:50 +0200
On Thu, Jul 27, 2000, Kirklin Spencer wrote:
Situation two. Slow Scan. to suspect that it is a probe. Again, what tools might I use and how should I be using them (and who should I be telling)?
I can tell you how I handle slow scans with snort, perhaps it will give you some ideas, perhaps we can find a better way to handle them. I use snort to monitor a huge network, both the subnet hosts and the internet hosts are monitored. As I use the excellent snort rules from http://www.snort.org/ I realized that a tool was needed to sort the snort alert files. And I don't use the portscan preprocessor, because I find setting arbitrary values of timing and repetition in order to detect portscans is not reliable, it cannot detect slow scans, and it triggers a lot of false positives.

I wrote a little program, 5n0r7, which sorts the snort alert files, and allows one to easily find out attacks by looking at 5n0r7's output. If you run 5n0r7 on an alert file that is being filled by snort for a long time, you will see the slow scans. You can download it from ftp://snort.via.ecp.fr/5n0r7/5n0r7.c

I will write a second version as soon as possible because I need a bunch of new features. I hope you can find it useful.

Best regards,

-- MaXX
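The approach described in the post, grouping a long-lived snort alert file by source so that probes spread over days become visible, as an added example in Python (not 5n0r7 itself, whose source is at the FTP link above). It assumes snort's one-line "fast" alert style and a constructed sample; the year is not in the timestamp, so 2000 is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in snort's one-line "fast" alert style (assumption:
# a real alert file may use snort's multi-line format; adapt ALERT_RE).
SAMPLE_ALERTS = """\
07/01-02:11:03.000000 [**] [1:1000:1] SCAN probe [**] {TCP} 10.1.2.3:4000 -> 192.0.2.10:21
07/01-09:40:17.000000 [**] [1:1000:1] SCAN probe [**] {TCP} 198.51.100.7:5555 -> 192.0.2.10:80
07/03-14:02:55.000000 [**] [1:1000:1] SCAN probe [**] {TCP} 10.1.2.3:4001 -> 192.0.2.10:22
07/05-23:58:01.000000 [**] [1:1000:1] SCAN probe [**] {TCP} 10.1.2.3:4002 -> 192.0.2.11:23
07/08-04:30:44.000000 [**] [1:1000:1] SCAN probe [**] {TCP} 10.1.2.3:4003 -> 192.0.2.12:25
07/09-11:15:09.000000 [**] [1:1000:1] SCAN probe [**] {TCP} 10.1.2.3:4004 -> 192.0.2.10:110
"""

ALERT_RE = re.compile(r'^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.\d+ .*?\{\w+\} '
                      r'(\S+?):\d+ -> (\S+?):(\d+)$')

def parse_alerts(text, year=2000):
    """Yield (timestamp, src_ip, dst_ip, dst_port) per alert line; skip junk."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        mon, day, hh, mm, ss, src, dst, port = m.groups()
        ts = datetime(year, int(mon), int(day), int(hh), int(mm), int(ss))
        yield ts, src, dst, int(port)

def sort_by_source(text, year=2000):
    """Group alerts per source address, keeping first/last time and targets."""
    per_src = defaultdict(lambda: {"first": None, "last": None, "targets": set()})
    for ts, src, dst, port in parse_alerts(text, year):
        rec = per_src[src]
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        rec["targets"].add((dst, port))
    return per_src

def slow_scanners(text, min_targets=4, min_days=1, year=2000):
    """Sources that touched >= min_targets distinct host:port pairs spread over
    >= min_days. No per-window rate threshold is applied, so a probe of one
    port every few days still surfaces, which a timing-based check would miss."""
    hits = {}
    for src, rec in sort_by_source(text, year).items():
        span_days = (rec["last"] - rec["first"]).total_seconds() / 86400
        if len(rec["targets"]) >= min_targets and span_days >= min_days:
            hits[src] = (len(rec["targets"]), round(span_days, 2))
    return hits
```

Run it over a real alert file with `slow_scanners(open(path).read())`; tune `min_targets` and `min_days` to the size of the monitored network.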
Current thread:
- Assistance and advice request Kirklin Spencer (Jul 28)
- Re: Assistance and advice request Greg A. Woods (Jul 29)
- Re: Assistance and advice request Michel Kaempf (Jul 29)
- Re: Assistance and advice request Bill Pennington (Jul 29)
- Re: Assistance and advice request Adam Boileau (Jul 31)