> I could not recall if there is any discussion on the
> matter regarding detecting a tool that is used for
> _doing_evil_stuff.

It all depends on what you call "evil stuff".

> What I am trying to do is: to be able to detect
> what kind of tool is used in
> probing/scanning/evil_stuff.

I don't see the correlation between probing and scanning, and "evil_stuff".

> Most IDS will detect if there is hping2, nmap,
> cybercop. But what about others, such as nemesis and
> most web scanners such as stealth, screaming
> cobra, nikto?
>
> I really hope to be able to sort out what kind of
> command is used when an intruder uses nmap (be
> it nmap -sX, -sS, -sT, etc.)

If you're using snort, I'm sure you can find the signatures for these scans. However, it's still not clear to me what you're looking for. So what if someone scans you? Is it consuming an inordinate amount of bandwidth, and preventing your customers from communicating w/ you?

I watch an IIS server that gets scanned all the time...with no luck. Basically, the scans give me something to look at in the log files, and nothing else...

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
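The original poster asks how to tell nmap -sX, -sS and -sT apart from the traffic. The following is an added example, not part of the original post or of any IDS signature set: it classifies scan types from the TCP flag pattern the scanning side sends, which is exactly what snort-style scan signatures key on. Xmas (-sX) probes carry FIN+PSH+URG, Null (-sN) probes carry no flags, FIN (-sF) probes carry FIN only; a SYN half-open scan (-sS) sends SYN and then RST without ever acknowledging the SYN/ACK, while a connect scan (-sT) lets the kernel complete the handshake with a bare ACK before teardown. The packet records below are constructed for the example (not a real capture), and the tcpdump-style single-letter flag notation is an assumption of this example, not something the post specifies.

```python
"""Classify nmap scan types from the TCP flags a scanner sends (added example)."""
from collections import defaultdict

# Constructed packet records, NOT a real capture: (src, sport, dst, dport, flags).
# Flags use tcpdump-style letters (assumption of this example):
# S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST, "" = no flags set.
SAMPLE_PACKETS = [
    # 10.0.0.5: Xmas scan (-sX), FIN+PSH+URG against two ports
    ("10.0.0.5", 40001, "192.0.2.10", 22, "FPU"),
    ("10.0.0.5", 40002, "192.0.2.10", 80, "FPU"),
    # 10.0.0.6: SYN half-open scan (-sS): SYN, target SYN/ACK, scanner RST (no ACK)
    ("10.0.0.6", 41001, "192.0.2.10", 80, "S"),
    ("192.0.2.10", 80, "10.0.0.6", 41001, "SA"),
    ("10.0.0.6", 41001, "192.0.2.10", 80, "R"),
    ("10.0.0.6", 41002, "192.0.2.10", 443, "S"),
    ("192.0.2.10", 443, "10.0.0.6", 41002, "SA"),
    ("10.0.0.6", 41002, "192.0.2.10", 443, "R"),
    # 10.0.0.7: connect scan (-sT): full handshake (SYN, SYN/ACK, ACK), then RST
    ("10.0.0.7", 42001, "192.0.2.10", 80, "S"),
    ("192.0.2.10", 80, "10.0.0.7", 42001, "SA"),
    ("10.0.0.7", 42001, "192.0.2.10", 80, "A"),
    ("10.0.0.7", 42001, "192.0.2.10", 80, "R"),
    # 10.0.0.8: Null scan (-sN), no flags; target answers RST/ACK (closed port)
    ("10.0.0.8", 43001, "192.0.2.10", 25, ""),
    ("192.0.2.10", 25, "10.0.0.8", 43001, "RA"),
]


def label_probe(seq):
    """Label one probed port from the ordered flag sets the initiator sent."""
    first = seq[0]
    if first == {"F", "P", "U"}:
        return "xmas (-sX)"
    if not first:
        return "null (-sN)"
    if first == {"F"}:
        return "fin (-sF)"
    if first == {"S"}:
        later = seq[1:]
        # A bare ACK after the SYN means the handshake was completed: connect-level.
        if any(s == {"A"} for s in later):
            return "connect (-sT)"
        # RST straight after the SYN, with no ACK in between: half-open scan.
        if any("R" in s for s in later):
            return "syn half-open (-sS)"
        # SYN with nothing else from the scanner: closed or filtered port, or a
        # normal client that got no answer. -sS and -sT are indistinguishable here.
        return "syn, no follow-up"
    return None


def classify_scans(packets):
    """Return {scanner_ip: {label: number_of_probed_ports}}.

    The first packet seen on an endpoint pair defines the initiator; only the
    initiator's segments are classified, so the target's SYN/ACK and RST/ACK
    replies never produce a label of their own.
    """
    flows = {}                     # frozenset of endpoints -> (initiator ip, port)
    probes = defaultdict(list)     # (scanner, target, target port) -> [flag sets]
    for src, sport, dst, dport, flags in packets:
        pair = frozenset([(src, sport), (dst, dport)])
        flows.setdefault(pair, (src, sport))
        if flows[pair] == (src, sport):
            probes[(src, dst, dport)].append(set(flags))

    result = defaultdict(lambda: defaultdict(int))
    for (scanner, _target, _port), seq in probes.items():
        label = label_probe(seq)
        if label:
            result[scanner][label] += 1
    return {scanner: dict(counts) for scanner, counts in result.items()}


if __name__ == "__main__":
    for scanner, counts in classify_scans(SAMPLE_PACKETS).items():
        print(scanner, counts)
```

A single "connect (-sT)" flow is indistinguishable from an ordinary client opening one connection; what makes it a scan is the number of distinct ports (the per-label counts returned here) within a short window, which is also how snort's portscan preprocessor reasons. The flag-based labels for -sX, -sN and -sF, by contrast, are reliable on a single packet because no legitimate stack sends those combinations.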
This archive was generated by hypermail 2b30 : Fri Oct 11 2002 - 10:14:18 PDT