Penetration Testing mailing list archives

Re: [PEN-TEST] Undetectable NMAP scans


From: Aj Effin ReznoR <aj () REZNOR COM>
Date: Sun, 27 Aug 2000 11:58:04 -0700

Jose Nazario wrote:

> On Thu, 24 Aug 2000, Devdas Bhagat wrote:
>
> > It's moved to http://www.openwall.com/scanlogd .
>
> while scanlogd can detect them, along with some other tools (scanlogd is
> my personal favorite), you can't stop stealth scans, either, without a
> packet filter that lets you block on the basis of arbitrary flags. ipchains
> doesn't have that capability, as i recall. (i use OpenBSD/ipfilter
> firewalls, FWIW.)


Even tho people recommend Snort over it, I still prefer Abacus PortSentry
(http://www.psionic.com/abacus/portsentry/).

Its config allows for active response to portscans.  It contains a list of
defaults for ipfwadm as well as ipchains for a variety of OS flavors.  Given the
manner it works in, I reckon it'd be no problem at all to deploy it functioning
with iptables/ipfilters.  Also, if you don't care to drop routes, it will dump
offending IPs into hosts.deny.

BSD Today has an article at http://www.bsdtoday.com/2000/July/Features233.html
as well.

Psionic offers a log analyzer, LogCheck, on their site also.  Works very well in
conjunction with Portsentry or Snort.

-aj.
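The detect-then-react loop the post attributes to PortSentry (spot a source hitting many ports, then drop it into hosts.deny or a packet-filter deny rule), as an added illustration that is not PortSentry's or the poster's code. The log format, thresholds and window are assumptions; the ipchains rule mirrors the `-j DENY -l` form the tool's defaults used.

```python
"""Toy port-scan detector with PortSentry-style active response (added example)."""
import re
from collections import defaultdict

# Constructed sample log, one connection attempt per line: "<epoch> <src_ip> -> <dst_port>"
SAMPLE_LOG = """\
1000 10.0.0.5 -> 21
1001 10.0.0.5 -> 22
1001 10.0.0.5 -> 23
1002 10.0.0.5 -> 25
1002 10.0.0.5 -> 80
1003 10.0.0.5 -> 110
1010 192.168.1.9 -> 80
1040 192.168.1.9 -> 80
1050 192.168.1.9 -> 443
"""

LINE_RE = re.compile(r"^(\d+) (\S+) -> (\d+)$")

def parse(log):
    """Yield (timestamp, source, port) tuples; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), int(m.group(3))

def detect_scanners(log, threshold=5, window=60):
    """Flag sources that touch >= threshold distinct ports within `window` seconds.
    A repeat visitor to one service (192.168.1.9 above) is not a scan."""
    hits = defaultdict(list)  # src -> [(ts, port), ...]
    for ts, src, port in parse(log):
        hits[src].append((ts, port))
    flagged = []
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                flagged.append(src)
                break
    return flagged

def responses(src):
    """The two reactions the post mentions: a hosts.deny entry (no route dropped)
    and a logging deny rule in ipchains syntax (assumed form, as in old defaults)."""
    hosts_deny = f"ALL: {src}"
    filter_rule = f"ipchains -I input -s {src} -j DENY -l"
    return hosts_deny, filter_rule
```

Automatic blocking on the basis of a few packets is easy to turn against you with spoofed sources, so a production deployment whitelists gateways and DNS servers before wiring `responses()` to a real firewall.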
