Nmap Announce mailing list archives

RE: Detected NMAP scan


From: Jordan Ritter <jpr5 () darkridge com>
Date: Wed, 6 Jan 1999 18:40:11 -0500 (EST)

On Wed, 6 Jan 1999, Lamont Granquist wrote:

> Also, I've been noticing that while the script kiddies tend to use
> something like mscan and really pound on your machine that there are
> some more sophisticated people out there who are portscanning for
> specific services and are not scanning over a range.  Therefore any of
> these detection methods that rely on X number of hits to closed ports
> in Y time units is going to fail to stop them.

Hence the real quandary that all IDS and Firewall engineers eventually
face:  What constitutes anomalous behaviour for a system?  For a network?  
How and in what ways do the many situational characteristics affect the
threat level a stray packet can constitute?

A kernel patch that denies packets on sight hardly constitutes a valid
detection mechanism; it's just plain paranoia with little real logic
involved.  The idea was good, but the blatant DoS ruins the purpose
entirely.  Abacus Sentry makes a good step forward in that thresholds and
listening ports are configurable, and logging is verbose, but it hardly
touches upon the sort of Baselining Technology that this kind of business
really requires.

How do we know to block out a host completely, or at least to ignore it?
Ideally, a baseline mechanism would know what sort of activity to expect,
and that which is outside the bounds of normality would be subject to a
list of threat assessment questions (based on what we do know).  

Was the packet from an outside subnet?  How often do we see packets that
originate from outside subnets?  Do we even have (in one example) mountd
running?  If we do, is it ever used?  If so, where does traffic come from
usually, local subnets or remote?  If remote, how often and from where?  
And so on.

A perceived threat level is to a large degree a function of paranoia, one
very important aspect of security.  Automatically and competently
assessing these, statistically, in what can quickly become a large and
complicated decision tree, is where IDS and Firewall vendors make serious
money.

To date I have not heard of any freeware efforts to model such a system
(in a usable package).  However, I do recall there being a few groups out
there researching common language(s) to describe the heuristics involved,
which is definitely a step in the right direction.  It certainly would be
interesting to see what the Free Software Movement could put out there,
though.


Cheers,

Jordan Ritter                            
Network Security Engineer                        Systems Administrator
Ring-Zero, Netect, Inc.  Boston, MA       Darkridge Security Solutions
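The two approaches the message contrasts, as an added example that is not part of the thread and not code from any of the tools it names: a threshold detector of the "X hits to closed ports in Y time units" kind, and a baseline scorer that asks the questions the post lists (is the source remote, is the port ever used, is it ever used from remote subnets). The log lines, the local subnet, the port assumed for mountd (635) and the score weights are all constructed for the illustration. Run over the sample log, the threshold detector flags the noisy range scan but not the single targeted mountd connection from a remote subnet, while the baseline scorer flags both.

```python
"""Threshold-based vs. baseline-based probe detection (constructed example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed local address space for this example.
LOCAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed "known-good" history of completed connections: (ts, src, dst_port).
# mountd is assumed to listen on 635 and is only ever used from local hosts;
# ssh (22) is used from both local and remote subnets.
HISTORY = [
    (10.0, "10.0.0.5", 635),
    (20.0, "10.0.0.9", 635),
    (30.0, "198.51.100.4", 22),
    (40.0, "10.0.0.5", 22),
]

# Constructed live log: (ts, src, dst_port, state); "closed" means the port
# answered with RST, "open" means the handshake completed.
LIVE_LOG = [
    (100.0, "203.0.113.7", 21, "closed"),   # noisy range scan ...
    (100.1, "203.0.113.7", 22, "open"),
    (100.2, "203.0.113.7", 23, "closed"),
    (100.3, "203.0.113.7", 25, "closed"),
    (100.4, "203.0.113.7", 79, "closed"),
    (100.5, "203.0.113.7", 110, "closed"),
    (200.0, "198.51.100.23", 635, "open"),  # single targeted probe of mountd
    (300.0, "10.0.0.9", 635, "open"),       # normal local use of mountd
]


def threshold_detector(log, max_closed_hits=5, window_seconds=2.0):
    """Flag a source once it reaches max_closed_hits closed-port hits inside the window."""
    flagged = set()
    recent = defaultdict(list)  # src -> timestamps of recent closed-port hits
    for ts, src, _port, state in log:
        if state != "closed":
            continue
        recent[src] = [t for t in recent[src] if ts - t <= window_seconds] + [ts]
        if len(recent[src]) >= max_closed_hits:
            flagged.add(src)
    return flagged


def is_local(src):
    return any(ip_address(src) in net for net in LOCAL_NETS)


def build_baseline(history):
    """Per destination port, count completed connections from local and remote sources."""
    baseline = defaultdict(lambda: {"local": 0, "remote": 0})
    for _ts, src, port in history:
        baseline[port]["local" if is_local(src) else "remote"] += 1
    return baseline


def baseline_score(baseline, src, port, state):
    """Score one packet by answering the post's questions; weights are constructed."""
    score, reasons = 0, []
    if not is_local(src):
        score += 1
        reasons.append("source is outside local subnets")
    if state == "closed":
        score += 1
        reasons.append("port is closed, nothing legitimate to reach")
    seen = baseline.get(port)
    if seen is None:
        score += 2
        reasons.append("port never seen in baseline")
    elif not is_local(src) and seen["remote"] == 0:
        score += 2
        reasons.append("port only ever used from local subnets")
    return score, reasons


def baseline_alerts(log, baseline, alert_at=3):
    """Return {src: (worst_score, reasons)} for sources reaching alert_at on any packet."""
    worst = {}
    for _ts, src, port, state in log:
        score, reasons = baseline_score(baseline, src, port, state)
        if score >= alert_at and score > worst.get(src, (0, []))[0]:
            worst[src] = (score, reasons)
    return worst


if __name__ == "__main__":
    print("threshold flags:", threshold_detector(LIVE_LOG))
    for src, (score, why) in baseline_alerts(LIVE_LOG, build_baseline(HISTORY)).items():
        print(f"baseline flags {src} (score {score}): {'; '.join(why)}")
```

The scorer only encodes a handful of the questions the post raises and uses flat weights; in practice the baseline would be learned over a longer window and the weights tuned per site, but the structure (a list of yes/no questions evaluated against observed normal activity) is the point.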


