Nmap Announce mailing list archives
RE: Detected NMAP scan
From: Jordan Ritter <jpr5 () darkridge com>
Date: Wed, 6 Jan 1999 18:40:11 -0500 (EST)
On Wed, 6 Jan 1999, Lamont Granquist wrote:
Also, I've been noticing that while the script kiddies tend to use something like mscan and really pound on your machine, there are some more sophisticated people out there who are portscanning for specific services and are not scanning over a range. Therefore any of these detection methods that rely on X number of hits to closed ports in Y time units is going to fail to stop them.
Hence the real quandary that all IDS and Firewall engineers eventually face: What constitutes anomalous behaviour for a system? For a network? How and in what ways do the many situational characteristics affect the threat level a stray packet can constitute? A kernel patch that denies packets on sight hardly constitutes a valid detection mechanism; it's just plain paranoia with little real logic involved. The idea was good, but the blatant DoS ruins the purpose entirely.

Abacus Sentry makes a good step forward in that thresholds and listening ports are configurable, and logging is verbose, but it hardly touches upon the sort of Baselining Technology that this kind of business really requires. How do we know to block out a host completely, or at least to ignore it?

Ideally, a baseline mechanism would know what sort of activity to expect, and that which is outside the bounds of normality would be subject to a list of threat assessment questions (based on what we do know). Was the packet from an outside subnet? How often do we see packets that originate from outside subnets? Do we even have (in one example) mountd running? If we do, is it ever used? If so, where does traffic come from usually, local subnets or remote? If remote, how often and from where? And so on. A perceived threat level is to a large degree a function of paranoia, one very important aspect of security.

Automatically and competently assessing these, statistically, in what can quickly become a large and complicated decision tree, is where IDS and Firewall vendors make serious money. To date I have not heard of any freeware efforts to model such a system (in a usable package). However, I do recall there being a few groups out there researching common language(s) to describe the heuristics involved, which is definitely a step in the right direction. It certainly would be interesting to see what the Free Software Movement could put out there, though...
Cheers,

Jordan Ritter
Network Security Engineer
Systems Administrator
Ring-Zero, Netect, Inc.
Boston, MA
Darkridge Security Solutions
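The two detection styles contrasted in the thread, as an added example that is not part of the original messages and not code from Abacus Sentry or any other tool named above. It runs a classic "X hits to closed ports in Y seconds" threshold detector and a simple per-port baseline check over a constructed set of connection records. The sweep host, the single-probe host, the port numbers (635 is used only as a stand-in for a mountd-style internal service; real mountd is RPC-assigned) and the expected-network baseline are all assumptions made up for the illustration.

```python
"""Threshold detection vs. a per-port baseline, on constructed connection records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records: (timestamp_seconds, source_ip, dest_port, hit_closed_port).
# 203.0.113.5 sweeps several closed ports within two seconds (what mscan-style
# tools do); 198.51.100.7 sends exactly one probe to an open, internal-only service;
# 10.0.0.12 is a legitimate local client of that same service.
EVENTS = [
    (0.0, "203.0.113.5", 21, True),
    (0.5, "203.0.113.5", 23, True),
    (1.0, "203.0.113.5", 79, True),
    (1.5, "203.0.113.5", 110, True),
    (2.0, "203.0.113.5", 143, True),
    (40.0, "198.51.100.7", 635, False),  # single targeted probe from outside
    (41.0, "10.0.0.12", 635, False),     # normal local use of the service
    (42.0, "10.0.0.12", 22, False),
]

# Constructed baseline (assumption): which source networks normally reach which
# local ports. In a real deployment this would be learned from weeks of traffic.
BASELINE = {
    635: [ip_network("10.0.0.0/8")],                                # local subnets only
    22: [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")],     # admin networks
    80: [ip_network("0.0.0.0/0")],                                  # public web server
}


def threshold_detect(events, max_closed_hits=4, window_s=10.0):
    """'X hits to closed ports in Y seconds' detector.

    Returns the set of source IPs that reach max_closed_hits closed-port hits
    inside any sliding window of window_s seconds. A host that sends one
    packet to one open port never trips this, which is the gap Lamont
    Granquist points out in the thread.
    """
    per_src = defaultdict(list)
    for ts, src, _port, closed in events:
        if closed:
            per_src[src].append(ts)

    flagged = set()
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans <= window_s.
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= max_closed_hits:
                flagged.add(src)
                break
    return flagged


def baseline_detect(events, baseline=BASELINE):
    """Baseline check: flag any single packet whose (port, source) pair is
    outside what we expect, either a port we do not serve at all or a source
    network that never talks to that port. No count or time window involved.

    Returns a list of (source_ip, port, reason) findings.
    """
    findings = []
    for _ts, src, port, _closed in events:
        addr = ip_address(src)
        expected = baseline.get(port)
        if expected is None:
            findings.append((src, port, "port not in baseline"))
        elif not any(addr in net for net in expected):
            findings.append((src, port, "source outside expected networks"))
    return findings


def compare(events):
    """Summarise which sources each method catches, for side-by-side reading."""
    by_threshold = threshold_detect(events)
    by_baseline = {src for src, _port, _reason in baseline_detect(events)}
    return {"threshold": by_threshold, "baseline": by_baseline}


if __name__ == "__main__":
    result = compare(EVENTS)
    print("threshold detector flags:", sorted(result["threshold"]))
    print("baseline detector flags:  ", sorted(result["baseline"]))
    for finding in baseline_detect(EVENTS):
        print("  baseline finding:", finding)
```

Running it shows the threshold detector catching only the sweeping host, while the baseline check also flags the lone probe to the internal-only service from an outside network and stays quiet about the local client. The baseline's false-positive rate depends entirely on how well the expected-network table reflects real traffic, which is the "Baselining Technology" problem the message describes rather than something this snippet solves.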