Security Incidents mailing list archives

Re: Cracked; rootkit - entrapment question?


From: cdp () PEAKPEAK COM (Chuck Phillips)
Date: Fri, 3 Mar 2000 08:33:31 -0700


1Lt Rob Lee writes:
1.  Consensual Monitor:  This is a monitor that is limited to only being
able to monitor on ports that are bannered.  If your SUBJECT has not seen a
banner you cannot monitor from that port or IP.  You can only monitor on
ports that do have banners for ANY IP incoming into that machine.  You can
only monitor the SUBJECT's IP on ANY port ONLY if you can show that the
SUBJECT has seen the banner at least once.

For stuff like telnet, FTP and even SMTP, "appropriate use" banners are
just good practice for any machine, even on an internal protected network.
However, there are other protocols with no provisions for banners, e.g.,
NFS.  What can be done for these services?

ALSO, if a script kiddie uses, of all things, a *script* and never sees the
banner, would this make monitoring illegal?

ALSO, if you're a privately hired security professional (as opposed to a
criminal law enforcement professional), does this restriction still apply?

        Chuck

