Ganu,

So basically, if I understand what you're saying, you're not really so much looking for "evil stuff" as you are trying to identify the tool being used...correct? Given that there may be several tools that can do what nmap does, in a similar manner, and given that any combination of switches can be used in nmap - there is even a switch to randomize IP addresses in a scan - one would think that it would be difficult to determine.

However...have you tried looking at the snort signatures? Snort is a freeware IDS, and has preprocessors (configurable) for portscans, etc, as well as signatures for a wide range of vulnerabilities and issues. One would think that this would be a great place to start.

I'm still not clear on why you're so interested in the tool being used. For example, I review various logs on a daily basis. On web servers, my only interest is any traffic that (a) isn't ordinary (since the server is locked down and only used for a specific purpose, this is easy to do), and (b) returns a 200-series response code. If some kiddie wants to run an automated scanning tool against a system, and just wait while 4xx and 5xx responses are returned...who cares? I don't. I couldn't care less if some kiddie has figured out how to install and run Nessus...these days, such a thing isn't an indicator of technical proficiency at all.

--- Ganu Skop <skopganuat_private> wrote:
> Hi,
> To make it simple; I'm pretty much looking at how to detect what kind of tool the intruder used, say that in scanning my network or crawling my homepage, the question is - does he use nmap or queso? does he use nikto, cybercop or nessus?
> Snort will detect say that Nmap TCP scan and -sS scan - but it's still limited. I really would love to know what tool the intruder used.
> any idea?
>
> --- H C <keydet89at_private> wrote:
> > > I could not recall if there is any discussion on the matter regarding detecting a tool that is used for _doing_evil_stuff.
> >
> > It all depends on what you call "evil stuff".
> >
> > > What I am trying to do is; to be able to detect what kind of tool that is used in probing/scanning/evil_stuff.
> >
> > I don't see the correlation between probing and scanning, and "evil_stuff".
> >
> > > Most IDS will detect if there is hping2, nmap, cybercop. But what abt other? such as nemesis and most of web scanner such as stealth, screaming cobra, nikto?
> > > I really hope to be able to sort out what kind of command that is used when an intruder uses nmap (be it nmap -sX, -sS, -sT and etc)
> >
> > If you're using snort, I'm sure you can find the signatures for these scans.
> >
> > However, it's still not clear to me what you're looking for. So what if someone scans you? Is it consuming an inordinate amount of bandwidth, and preventing your customers from communicating w/ you?
> >
> > I watch an IIS server that gets scanned all the time...with no luck. Basically, the scans give me something to look at in the log files, and nothing else...
>
> =====
> //skopganu

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
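As an added example (not code from the post or its author), the triage rule H C describes applied to constructed Common Log Format lines: requests outside a hypothetical allowlist of "ordinary" paths that nevertheless received a 2xx answer are surfaced for review, while refused (4xx/5xx) probes are only counted per source. The log format, the allowlist and the sample lines are all assumptions.

```python
import re
from collections import Counter

# Apache/NCSA Common Log Format is assumed; IIS W3C logs would need another pattern.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothetical definition of "ordinary" for a locked-down, single-purpose server.
EXPECTED_PREFIXES = ("/index.html", "/images/", "/css/", "/docs/")
EXPECTED_METHODS = {"GET", "HEAD"}

def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def is_ordinary(rec):
    """True when the request matches the server's expected use."""
    return rec["method"] in EXPECTED_METHODS and rec["path"].startswith(EXPECTED_PREFIXES)

def triage(lines):
    """Return (hits, noise): hits are non-ordinary requests that got a 2xx answer
    and deserve a look; noise counts per-IP requests the server refused (4xx/5xx)."""
    hits, noise = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or is_ordinary(rec):
            continue
        status = int(rec["status"])
        if 200 <= status < 300:
            hits.append((rec["ip"], rec["method"], rec["path"], status))
        elif status >= 400:
            noise[rec["ip"]] += 1
    return hits, noise

# Constructed sample log lines (not taken from the list post).
SAMPLE_LOG = """\
10.0.0.5 - - [16/Oct/2002:10:01:02 -0700] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [16/Oct/2002:10:01:03 -0700] "GET /cgi-bin/test-cgi HTTP/1.0" 404 294
10.0.0.9 - - [16/Oct/2002:10:01:04 -0700] "GET /backup/ HTTP/1.0" 404 294
10.0.0.9 - - [16/Oct/2002:10:01:05 -0700] "GET /admin/ HTTP/1.0" 403 281
10.0.0.9 - - [16/Oct/2002:10:01:06 -0700] "GET /cgi-bin/printenv HTTP/1.0" 200 611
10.0.0.5 - - [16/Oct/2002:10:01:07 -0700] "HEAD /images/logo.gif HTTP/1.0" 200 0
"""

if __name__ == "__main__":
    found, refused = triage(SAMPLE_LOG.splitlines())
    print("look at:", found)          # the one non-ordinary request that succeeded
    print("refused per source:", dict(refused))
```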
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 11:19:29 PDT