In the latest CERT report http://www.cert.org/incident_notes/IN-98.04.html (for some reason it's not provieded as a text file in the ftp directories) it mentiones host identification using TCP connection characteristics as the means to achieve this. Another possible method is to look at ICMP replies to various packets (AUUG '98, "Remote Operating System Identification" - Anthony Osborne) - can't they all just "get it right" ?! Defending against the ICMP variation isn't too hard, but I'm not sure it could be successfully done for TCP if you aren't using a proxy firewall with real proxy agents (all you give away is information about it) for all TCP connections. Another point of interest in the latest "IN", is "slow scans". Some 5 or so years ago I made a somewhat lame (by current standards) effort at writing a program to log all tcp connection activity on a LAN, log that information and then analyze it. The key is keeping a long history. If, for example, you have over 2 months have had a packet targetted at every TCP port from 1 to 1024, then I'd wager the likelihood of that being a complete scan as very high. It's the sort of thing you'd _expect_ an IDS to be already capable of doing. The key to this really is you have to ignore the source IP addresses (well, maybe excluding those which you know 100% to be non-compromised) and just aggregate results based on destination ip/port numbers. Darren
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:18:33 PDT