IDS mailing list archives
Re: Port/Host Scanning Techniques
From: "James Fields" <jvfields () tds net>
Date: Thu, 26 Feb 2004 18:05:18 -0500
Well, let's define those first. I understand "port scanning" to mean querying multiple ports on a single target host, and "host scanning" to mean querying multiple hosts on the same port (or pinging them, or whatever).

Most IDS products catch these by watching every single connection attempt that goes by, and starting up a sort of state table. There will be a time limit within which the IDS will look for multiple attempts from the same source IP address targeting a server on a bunch of port numbers, or a group of servers on a single port. The length of time over which an IDS sensor has to watch and wait for a pattern to emerge is usually tunable, and can greatly affect the performance due to the large amounts of memory and processing power required to monitor so many connections.

----- Original Message -----
From: "Tarek Amr Abdullah" <tabdullah () salec com eg>
To: <focus-ids () securityfocus com>
Sent: Wednesday, February 25, 2004 2:37 AM
Subject: Port/Host Scanning Techniques
Hi there,

Does anyone know the current techniques used in IDSs in order to detect Host Scanning and Port Scanning? I think it is something related to traffic / protocol anomaly. But does anyone know more details about the implementation?

Thanks in advance
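A sketch of the state-table approach James describes, added here as an illustration and not part of the thread or of any IDS product: per-source attempts are kept for a tunable window, a port scan is a source touching many ports on one host, a host scan is a source touching many hosts on one port, and expired entries are dropped to bound memory. The window, thresholds and sample traffic are constructed values.

```python
from collections import defaultdict, deque

class ScanDetector:
    """Per-source state table of recent connection attempts; flags a port
    scan (many ports, one host) or host scan (many hosts, one port)."""
    def __init__(self, window=60.0, port_threshold=10, host_threshold=10):
        self.window = window              # seconds of history kept per source
        self.port_threshold = port_threshold
        self.host_threshold = host_threshold
        # src IP -> deque of (timestamp, dst IP, dst port), oldest first
        self.table = defaultdict(deque)

    def _expire(self, src, now):
        # Drop attempts older than the window; this bounds memory use.
        q = self.table[src]
        while q and now - q[0][0] > self.window:
            q.popleft()
        if not q:
            del self.table[src]

    def purge(self, now):
        # Sensor housekeeping: expire every source, not just the active one.
        for src in list(self.table):
            self._expire(src, now)

    def observe(self, ts, src, dst, dport):
        """Record one connection attempt; return alerts raised by it."""
        self._expire(src, ts)
        q = self.table[src]
        q.append((ts, dst, dport))
        alerts = []
        ports_on_host = {p for _, d, p in q if d == dst}
        hosts_on_port = {d for _, d, p in q if p == dport}
        # '==' fires once, when the count first reaches the threshold
        if len(ports_on_host) == self.port_threshold:
            alerts.append(("PORTSCAN", src, dst, len(ports_on_host)))
        if len(hosts_on_port) == self.host_threshold:
            alerts.append(("HOSTSCAN", src, dport, len(hosts_on_port)))
        return alerts

def run_sample():
    # Constructed traffic: a port sweep, a host sweep, and a slow scanner
    # whose attempts are 40 s apart, i.e. outside the 30 s window.
    det = ScanDetector(window=30.0, port_threshold=5, host_threshold=5)
    events = [(float(i), "10.0.0.5", "192.0.2.10", 20 + i) for i in range(6)]
    events += [(100.0 + i, "10.0.0.6", "192.0.2.%d" % i, 445) for i in range(6)]
    events += [(200.0 + 40 * i, "10.0.0.7", "192.0.2.20", 1000 + i) for i in range(6)]
    alerts = []
    for ts, src, dst, dport in events:
        alerts += det.observe(ts, src, dst, dport)
    det.purge(events[-1][0])
    return alerts, sum(len(q) for q in det.table.values())
```

The slow scanner never trips either threshold, which is the trade-off James points at: a longer window catches it, at the cost of holding more state per source.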
Current thread:
- Port/Host Scanning Techniques Tarek Amr Abdullah (Feb 25)
- Re: Port/Host Scanning Techniques James Fields (Feb 27)
- <Possible follow-ups>
- RE: Port/Host Scanning Techniques MARTIN M. Bénoni (Feb 26)