Hi,

Yes, I agree with that. But what I really love to do is to capture the log and study the packets to find out specific behaviour. I'm pretty sure there is a different set of behaviours for each of the scanners, such as nikto or nessus. What I'm really looking forward to is learning about all this packet behaviour (besides the RFCs). My current plan is capturing tcpdump packets and dumping them into Snort, and at the same time I'm looking forward to digging deeper into it. More or less it is creating-a-Snort-signature type of work. Any advice on looking at packet patterns and signatures?

--- Alexandre Dulaunoy <alexat_private> wrote:

> On Sun, 13 Oct 2002, Ganu Skop wrote:
>
> > Hi,
> > To make it simple; I'm pretty much looking at how to
> > detect what kind of tool the intruder used, say that
> > in scanning my network or crawling my homepage, the
> > question is - does he use nmap or queso? does he use
> > nikto, cybercop or nessus?
> > Snort will detect, say, that Nmap TCP scan and -sS scan
> > - but it's still limited. I really would love to know
> > what tool the intruder used.
> > any idea?
>
> Not so easy to do. Tools can be made to act like
> any other tool.
>
> A basic "intruder" will use the standard configuration for Nessus, for
> example. And there is some behaviour specific to Nessus. And so
> on...
>
> In general a real intruder will not work like that. So you'll have
> to dig into the capture, logs, ... to find the correct working of
> the intruder. Sometimes, you have some intruder using basic worm
> attacks to hide their activities.
>
> Life is not easy. This is the beauty of Life and log analysis.
>
> adulau
>
> --
> Alexandre Dulaunoy -- http://www.foo.be/
> 3B12 DCC2 82FA 2931 2F5B 709A 09E2 CD49 44E6 CBCD
> --- AD993-6BONE
> "People who fight may lose. People who do not fight have already lost."
> Bertolt Brecht

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 11:12:43 PDT
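As an added example (not part of the original posts, and not Snort's own code): the "Snort signature type of work" the poster describes, done by hand in Python over a small constructed capture. It applies content-plus-pcre rules of the kind a local.rules file would hold to the HTTP payloads, renders each rule in Snort syntax, and adds a SYN-only port-threshold check for the nmap -sS case that no content rule can see. The User-Agent fingerprints for Nikto and Nessus, the sample packets, the hosts and the SIDs are all assumptions made for the illustration, not verified signatures for either tool.

```python
"""Scanner fingerprinting over a constructed capture, Snort-rule style.

Added example. Rule patterns, sample packets and addresses are assumptions
for illustration, not verified signatures of Nikto, Nessus or nmap.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal view of a captured TCP segment (what tcpdump -X would show)."""
    src: str
    dst: str
    dport: int
    flags: str            # TCP flags, e.g. "S" (SYN only), "SA", "PA"
    payload: bytes = b""


# Constructed sample capture (assumption: hand-written, not a real dump).
SAMPLE_PACKETS = [
    # Ordinary browser request: should raise no alert.
    Packet("10.0.0.5", "10.0.0.80", 80, "PA",
           b"GET /index.html HTTP/1.1\r\nHost: www\r\n"
           b"User-Agent: Mozilla/5.0 (X11; Linux)\r\n\r\n"),
    # Request carrying a Nikto-style User-Agent (assumed fingerprint).
    Packet("10.0.0.9", "10.0.0.80", 80, "PA",
           b"GET /cgi-bin/test-cgi HTTP/1.1\r\nHost: www\r\n"
           b"User-Agent: Mozilla/5.00 (Nikto/2.1.5) (Evasions:None)\r\n\r\n"),
    # Request carrying a Nessus-style User-Agent (assumed fingerprint).
    Packet("10.0.0.7", "10.0.0.80", 80, "PA",
           b"GET / HTTP/1.0\r\nHost: www\r\n"
           b"User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)\r\n\r\n"),
] + [
    # SYN-only probes to many ports from one host: the shape of nmap -sS.
    Packet("10.0.0.9", "10.0.0.80", port, "S")
    for port in (21, 22, 23, 25, 80, 110, 143, 443)
]

# Rule set in the spirit of Snort options: a cheap nocase content match
# gates the pcre that confirms. SIDs >= 1000000 are the local-rule range.
RULES = [
    {"sid": 1000001, "msg": "WEB-SCAN Nikto User-Agent", "dport": 80,
     "content": b"User-Agent:", "pcre": rb"User-Agent:[^\r\n]*Nikto"},
    {"sid": 1000002, "msg": "WEB-SCAN Nessus User-Agent", "dport": 80,
     "content": b"User-Agent:", "pcre": rb"User-Agent:[^\r\n]*Nessus"},
]


def rule_matches(pkt, rule):
    """Apply one content+pcre rule to a single segment's payload."""
    if pkt.dport != rule["dport"] or not pkt.payload:
        return False
    if rule["content"].lower() not in pkt.payload.lower():   # nocase content
        return False
    return re.search(rule["pcre"], pkt.payload, re.IGNORECASE) is not None


def to_snort_rule(rule):
    """Render the dict as a Snort rule line for local.rules."""
    return ('alert tcp any any -> $HOME_NET %d (msg:"%s"; '
            'flow:to_server,established; content:"%s"; nocase; '
            'pcre:"/%s/i"; classtype:web-application-activity; sid:%d; rev:1;)'
            % (rule["dport"], rule["msg"], rule["content"].decode(),
               rule["pcre"].decode(), rule["sid"]))


def syn_scan_sources(packets, threshold=5):
    """Sources that sent SYN-only segments to >= threshold distinct ports.

    Content rules cannot see a SYN scan (there is no payload); this is the
    kind of threshold check a portscan preprocessor does instead.
    """
    ports = defaultdict(set)
    for p in packets:
        if p.flags == "S":
            ports[p.src].add(p.dport)
    return {src: sorted(pl) for src, pl in ports.items() if len(pl) >= threshold}


def analyse(packets, rules=RULES):
    """Return (sid, source, msg) alerts for the whole capture."""
    alerts = []
    for p in packets:
        for r in rules:
            if rule_matches(p, r):
                alerts.append((r["sid"], p.src, r["msg"]))
    for src, pl in syn_scan_sources(packets).items():
        alerts.append((1000003, src, "SCAN SYN-only probes to %d ports" % len(pl)))
    return alerts


if __name__ == "__main__":
    for rule in RULES:
        print(to_snort_rule(rule))
    for alert in analyse(SAMPLE_PACKETS):
        print("[%d] %s: %s" % alert)
```

The point of keeping the rule as a dict and rendering it with to_snort_rule is that the same pattern you validated against the tcpdump capture is what ends up in local.rules; the SYN threshold is separate because a scan leaves nothing for content or pcre to match, which is why Snort handles it in a preprocessor rather than a signature.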