Re: IDS: Re: SANS & Ranum on DoS Trojans for Solaris

[Clarissa Cook <clarissa () UU NET>]

On Wed, 5 Jan 2000, Marcus J. Ranum wrote:

> Dave's tool works by emulating the master's pinging, to get any
> live agents to answerm - essentially giving themselves away. You
> give it a class B network (with various masking options so you can
> select down to class C or individual machines if you want) and it
> just searches each host for an agent, by emulating a master controller.

Actually, it has been modified to take any CIDR block rather than just
a class B and the min/max host flag:

usage: gag [options] <target>
target is CIDR block to scan in form:
        A.B.C.D/mask
Options:
        [-v] turns on verbosity
        [-D] turns on debugging
        [-s] sleep in ms

Clarissa