On Sun, 13 Oct 2002, Ganu Skop wrote:

> Hi,
> To make it simple; I'm pretty much looking at how to
> detect what kind of tool the intruder used, say that
> in scanning my network or crawling my homepage, the
> question is - does he use nmap or queso? does he use
> nikto, cybercop or nessus?
> Snort will detect say that Nmap TCP scan and -sS scan
> - but it's still limited. I really would love to know
> what tool the intruder used.
> any idea?

Not so easy to do. Tools can be done to act like any other tools.

Basic "intruder" will use standard configuration for Nessus for example. And there is some behaviour specific to Nessus. and so on...

In general a real intruder will not work like that. So you'll have to dig into the capture, logs, ... to find the correct working of the intruder.

Sometimes, you have some intruder using basic worms attack to hide their activities.

Life is not easy. This is the beauty of Life and log analysis.

adulau

--
Alexandre Dulaunoy -- http://www.foo.be/
3B12 DCC2 82FA 2931 2F5B 709A 09E2 CD49 44E6 CBCD --- AD993-6BONE
"People who fight may lose. People who do not fight have already lost."
Bertolt Brecht

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis