IDS mailing list archives

Scanner Brand Detection Paper


From: "Schupp, Hank" <Hank.Schupp () mantech-ist com>
Date: Sun, 28 Aug 2005 00:02:11 -0400

Thanks ahead of the game for any responses . . .
 
I have seen a paper somewhere that described string, flag, and protocol
IDs to try and identify which particular application was performing a
vulnerability scan. Though every scanner might create indications of an
ICMP or Port Sweep, the paper spoke of certain strings or indicators
that each product displays: NMAP, FoundScan, Harris STAT, eEye Retina,
SNORT, nCircle, SAINT, etc. If anyone can recall the article (about
6-9 months ago?) and can pass me a link or a clue to where to look I
would appreciate it much. I am attempting to create some analytics for
our IP metadata tool so that it can report the "likely" product that was
the source of a detected scan and this would be invaluable. I can, and
may do so in the end in any case, run tests to re-create the data - but
if I don't 'have' to repeat someone else's work ... I'd rather not!
Thanks again all.
 
Hank Schupp
Management Technologies International, IS&T
www.netwitness.com  
