Re: [logs] Fight Back

From: Ganu Skop (skopganuat_private)
Date: Sun Oct 13 2002 - 21:01:06 PDT


    Hi,
    To make it simple: I'm pretty much looking at how to
    detect what kind of tool the intruder used, say,
    in scanning my network or crawling my homepage. The
    question is: does he use nmap or queso? Does he use
    nikto, cybercop or nessus?
    Snort will detect, say, the Nmap TCP scan and -sS scan,
    but it's still limited. I really would love to know
    what tool the intruder used.
    Any idea?
    
    
    
    --- H C <keydet89at_private> wrote:
    > 
    > > I could not recall if there is any discussion on the
    > > matter regarding detecting a tool that is used for
    > > _doing_evil_stuff.
    > 
    > It all depends on what you call "evil stuff".
    > 
    > > What I am trying to do is to be able to detect
    > > what kind of tool is used in
    > > probing/scanning/evil_stuff.
    > 
    > I don't see the correlation between probing and
    > scanning, and "evil_stuff".
    > 
    > > Most IDS will detect if there is hping2, nmap,
    > > cybercop. But what about others, such as nemesis and
    > > most web scanners such as stealth, screaming
    > > cobra, nikto?
    > > I really hope to be able to sort out what kind of
    > > command is used when an intruder uses nmap (be
    > > it nmap -sX, -sS, -sT, etc.)
    > 
    > If you're using snort, I'm sure you can find the
    > signatures for these scans.
    > 
    > However, it's still not clear to me what you're
    > looking for.  So what if someone scans you?  Is it
    > consuming an inordinate amount of bandwidth, and
    > preventing your customers from communicating w/ you?
    > 
    > I watch an IIS server that gets scanned all the
    > time...with no luck.  Basically, the scans give me
    > something to look at in the log files, and nothing
    > else...
    > 
    > 
    > 
    
    
    =====
    //skopganu
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    


