Firewall Wizards mailing list archives

Recording slow scans


From: Darren Reed <darrenr () reed wattle id au>
Date: Sun, 4 Oct 1998 00:53:58 +1000 (EST)


Something that this "slow scan" business brings to mind is that there is
now an appropriate tool to use for detecting this - NFR - although I'm
guessing more people are seeing it as a means to implement an IDS.  Is
anyone using NFR for the purpose of generating "long" histories and then
examining those as a whole rather than using it to look for current events?
IDSs are more into answering the question of "is someone breaking in now?"
and seem to provide little (if any) capability for doing real statistical
analysis of data.  Is anyone pumping IDS or NFR data into a real database
(Oracle, etc.) for later analysis?

There's one other important issue to this and that is to keep track of all
IP and port pairs which communicate, regardless of TCP flags, etc.  Whether
or not your paranoia requires that level of effort is another thing...

Btw, in the past people have often commented about attempts to cut the
transmit ethernet cable.  This is usually so that a host is "invisible"
to others at the ethernet level.  A recent acquisition of mine has been
a UTP Y-adapter (2 sockets, 1 plug) which has an interesting side-effect
of not allowing the two machines connected into the sockets to communicate
_directly_ but they can both use it to communicate to/through whatever is
being plugged into.  Not perfect but an interesting toy to play with for
these purposes.

darren
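The long-history approach the post asks about, as an added example that is not part of the original message or of NFR: keep every (source, destination, port) pair that communicated, regardless of TCP flags, across a long window, then judge each source on how many distinct targets it touched over how much time rather than on its current packet rate. The record format (epoch seconds, source, destination, destination port, flags) and the sample records are constructed for this example; the thresholds (ten distinct pairs, a one-hour span) are assumptions, not values from the post.

```python
"""Long-window slow-scan detection over per-source connection histories.

Added example (not from the original post). Input is a hypothetical
space-separated record: epoch_seconds src_ip dst_ip dst_port tcp_flags.
"""
from dataclasses import dataclass, field

# Constructed sample: 10.0.0.5 probes 12 (host, port) pairs at one per
# hour over 11 hours (a slow scan); 10.0.0.9 probes the same 12 pairs in
# 11 seconds (a fast scan); 10.0.0.20 is an ordinary client that hits the
# same two services repeatedly. Flags vary (S, F, A, R) and are recorded
# but deliberately not filtered on, as the post suggests.
SAMPLE_RECORDS = """\
1000000000 10.0.0.5 192.168.1.1 22 S
1000003600 10.0.0.5 192.168.1.1 25 S
1000007200 10.0.0.5 192.168.1.1 80 S
1000010800 10.0.0.5 192.168.1.1 443 S
1000014400 10.0.0.5 192.168.1.2 22 S
1000018000 10.0.0.5 192.168.1.2 25 F
1000021600 10.0.0.5 192.168.1.2 80 S
1000025200 10.0.0.5 192.168.1.2 443 A
1000028800 10.0.0.5 192.168.1.3 22 S
1000032400 10.0.0.5 192.168.1.3 25 S
1000036000 10.0.0.5 192.168.1.3 80 R
1000039600 10.0.0.5 192.168.1.3 443 S
1000000100 10.0.0.9 192.168.1.1 22 S
1000000101 10.0.0.9 192.168.1.1 25 S
1000000102 10.0.0.9 192.168.1.1 80 S
1000000103 10.0.0.9 192.168.1.1 443 S
1000000104 10.0.0.9 192.168.1.2 22 S
1000000105 10.0.0.9 192.168.1.2 25 S
1000000106 10.0.0.9 192.168.1.2 80 S
1000000107 10.0.0.9 192.168.1.2 443 S
1000000108 10.0.0.9 192.168.1.3 22 S
1000000109 10.0.0.9 192.168.1.3 25 S
1000000110 10.0.0.9 192.168.1.3 80 S
1000000111 10.0.0.9 192.168.1.3 443 S
1000000500 10.0.0.20 192.168.1.1 80 S
1000005000 10.0.0.20 192.168.1.2 443 S
1000012000 10.0.0.20 192.168.1.1 80 S
1000020000 10.0.0.20 192.168.1.2 443 S
1000031000 10.0.0.20 192.168.1.1 80 S
1000039000 10.0.0.20 192.168.1.2 443 S
"""


@dataclass
class SourceHistory:
    """Everything retained per source address over the whole window."""
    first_seen: int
    last_seen: int
    pairs: set = field(default_factory=set)   # distinct (dst_ip, dst_port)
    connections: int = 0                       # total records, any flags


def parse_record(line):
    ts, src, dst, dport, flags = line.split()
    return int(ts), src, dst, int(dport), flags


def build_histories(lines):
    """Fold connection records into one SourceHistory per source IP."""
    hist = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, _flags = parse_record(line)   # flags ignored on purpose
        h = hist.get(src)
        if h is None:
            h = hist[src] = SourceHistory(first_seen=ts, last_seen=ts)
        h.first_seen = min(h.first_seen, ts)
        h.last_seen = max(h.last_seen, ts)
        h.pairs.add((dst, dport))
        h.connections += 1
    return hist


def summarize(h, min_pairs=10, slow_window=3600):
    """Score one source: distinct targets and the time they were spread over.

    A rate-based detector keys on pairs_per_hour; the slow scanner here
    sits near one probe per hour, so only the whole-window pair count
    separates it from the ordinary client. Thresholds are assumptions.
    """
    span = h.last_seen - h.first_seen
    distinct = len(h.pairs)
    rate = distinct / max(span, 1) * 3600
    if distinct < min_pairs:
        verdict = "normal"
    elif span >= slow_window:
        verdict = "slow-scan"
    else:
        verdict = "fast-scan"
    return {"pairs": distinct, "span_s": span,
            "pairs_per_hour": round(rate, 2), "verdict": verdict}


def find_scanners(lines, **thresholds):
    """Map each source IP to its summary over the entire retained history."""
    return {src: summarize(h, **thresholds)
            for src, h in build_histories(lines).items()}


if __name__ == "__main__":
    for src, s in sorted(find_scanners(SAMPLE_RECORDS.splitlines()).items()):
        print(src, s)
```

The point of the design is that the history is the detector: nothing is decided per packet, and a source that touches one new port an hour is only visible once its full set of pairs is compared against what a legitimate client would ever need. Dumping the same per-source pair sets into a database, as the post proposes, makes that comparison a query rather than a bespoke script.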


