Snort mailing list archives
Re: ICMP Ping NMAP
From: "Vinay A. Mahadik" <VAMahadik () lbl gov>
Date: Tue, 30 Jul 2002 15:54:10 -0700
"larosa, vjay" wrote:
Hello Everyone, Unfortunately I am still working on this same problem. I do have some more information to share so maybe someone out there can help me solve this problem. Here are the characteristics,
I could be wrong but it looks like a custom traceroute-like tool to me.. perhaps your firewall blocks UDP high ports etc?..

This actually reminds me of a question I think I had posted before and was never answered.. what's the point in having signatures for *tools* of reconnaissance (nmap, queso etc). E.g. in this case, assuming it is a scan, and knowing that the TTL is changing, the attacker is probably root and thus can randomize most of the headers/fields that are irrelevant to scanning. Simply because some nice/standard scanners use specific tags/marks shouldn't mean an IDS should include rules for all such that are created ever? There are so many such rules in Snort.. and I fail to see how such sigs are useful given the overhead in searching through all (an increasing number) of them..

Any thoughts?

Thanks,
Vinay.

--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618