Re: Can anyone guess at this "scan"??

[Sarah Cleveland <monster () farm9 com>]

I would agree that snort is probably the best tool. You can download snort
from the homepage: http://www.snort.org/
~Sarah

Sarah Cleveland
Zope Kitten
farm9.com, Inc.
WWW: http://www.farm9.com
Email: monster () farm9 com
Phone: 415-863-8035

> -----Original Message-----
> From: Los, Ralph [mailto:rlos () ENVESTNET COM]
> Sent: Thursday, January 11, 2001 10:38 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: Can anyone guess at this "scan"??
>
>
>       I wish I could get packet dumps for you, but I don't have that
> facility, and as I'm relatively new to this type of task, I
> don't even have
> a facility set up to do such a task...learning quickly.

snort is an excellent tool for this task.

>       Maybe this'll help someone track this down...the other
> end has been
> relatively slow in responding, but they swore they would
> investigate.  I
> will post again should I hear any more news from their
> security team.  In
> the meantime, ...is there a tool out there that is known to
> run from a *NIX
> box that would be doing NetBIOS scans like the one seen below
> in my post?

I can think of lots of tools that run on Linux that could generate
this type of traffic.  Any tool that can specify the source and
destination port could generate traffic that matches the pattern you
show(hping, nmap etc...).

john

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOl4fJdwfv0dRtjgLEQKgeQCgitowNzz9SB1ycz9U975lGaMDiAkAn0r0
PfHaJhOb+65XDisWwkj23bdx
=owkX
-----END PGP SIGNATURE-----