IDS mailing list archives

Re: Port/Host Scanning Techniques


From: todb () planb-security net
Date: Tue, 9 Mar 2004 11:06:00 -0600 (CST)

Dante Mercurio wrote:
> In addition to the methods mentioned, most IDS also use some
> signature or protocol analysis to determine that a specific tool was used.

This reminds me -- is IDing the tool ever tactically useful? I mean, I 
like to know exactly what the bad guy did and how, and I like to be able
to say with confidence that such-and-such traffic was generated by 
this-or-that tool. It's an ego boost and it impresses some people. But, 
as far as reacting to a particular event: does it really matter if an 
attacker used WhatsUp vs Cyberping vs nmap?

I'm thinking it may have some bearing if you're a cop, or plan to press a
legal response. It could also give you a hint about the attacker's 
platform, but knowing this seems meaningful only if you plan on
attacking back (and /that/ is a different discussion altogether).

-- 
"It's okay to yell 'fire' in a crowded theater
if the theater is actually on fire."
Tod Beardsley | www.planb-security.net



