IDS mailing list archives
RE: Port/Host Scanning Techniques
From: "MARTIN M. Bénoni" <benoni_martin () hotmail com>
Date: Thu, 26 Feb 2004 10:19:45 +0000
Hi!Well, it depends a little bit on what kind of IDS you have set up, but usually the ways to detect port scanning are: - How much ports are scanned in a given time (for ex. more than 5 ports attempts in less than 2 minutes mean a port scan),
- the types of requests (XFin, Xmas, Null, ...), - the behaviour (sending a RST after a SYN - SYN/ACK instead of a ACK), - ...
From: "Tarek Amr Abdullah" <tabdullah () salec com eg> To: <focus-ids () securityfocus com> Subject: Port/Host Scanning Techniques Date: Wed, 25 Feb 2004 09:37:19 +0200 Hi there Does anyone know the current techniques used in IDSs in order to detect Host Scanning and Port Scanning? I think it is something related to traffic / protocol anomaly. But does anyone know more details about the implementation. Thanks in advance --------------------------------------------------------------------------- ---------------------------------------------------------------------------
_________________________________________________________________Add photos to your messages with MSN 8. Get 2 months FREE*. http://join.msn.com/?page=features/featuredemail
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
Current thread:
- Port/Host Scanning Techniques Tarek Amr Abdullah (Feb 25)
- Re: Port/Host Scanning Techniques James Fields (Feb 27)
- <Possible follow-ups>
- RE: Port/Host Scanning Techniques MARTIN M. Bénoni (Feb 26)