Ganu,

As much fun as it's not, the only way to tell what tool someone is running against you is to download the tools, run them in a lab, record the results, and compare. The very common tools are already built into signatures, but you will quickly find that 'NMAP Scan' isn't always (or even very often) nmap.

If you're using an open tool like snort, look at the rules that are firing and see what they look at to identify the attack. Then you can look for other things that cause that same signature to fire.

Good Luck,
Keith

-----Original Message-----
From: Ganu Skop [mailto:skopganuat_private]
Sent: Thursday, October 10, 2002 12:04 AM
To: loganalysisat_private
Subject: [logs] Fight Back

Hi all,

I could not recall if there is any discussion on the matter regarding detecting a tool that is used for _doing_evil_stuff. What I am trying to do is to be able to detect what kind of tool is used in probing/scanning/evil_stuff. Most IDS will detect if there is hping2, nmap, cybercop. But what about others, such as nemesis and most web scanners such as stealth, screaming cobra, nikto? I really hope to be able to sort out what kind of command is used when an intruder uses nmap (be it nmap -sX, -sS, -sT, etc.).

Thanks
-skop

=====
//skopganu

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
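An added example, not code from either poster: a small classifier that does the "look at what the signature looks at" step Keith describes for the nmap scan modes Skop asks about. It reads TCP flag sequences per (target, port) flow and labels the probe technique from the flag combination of the first packet and what the scanner does after a SYN/ACK (bare RST for a half-open -sS style probe, ACK completing the handshake for a connect() -sT style probe; FIN+PSH+URG for an Xmas probe; no flags for a NULL probe). The packet records, the scanner and target addresses, and the flag encoding are all assumptions constructed for the example; a real run would pull the same tuples out of a pcap. Note what it can and cannot tell you: the flags identify the scan technique, not the tool, since hping2, nemesis or a hand-rolled sender can emit identical packets, which is exactly Keith's point about 'NMAP Scan' not always being nmap.

```python
from collections import defaultdict

# TCP flag bits (assumed encoding: low byte of the TCP flags field)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed sample capture, NOT a real trace: (src, sport, dst, dport, flags)
# in arrival order. 192.0.2.10 plays the scanner, 10.0.0.5 the target.
SAMPLE = [
    # Xmas probe (-sX style): FIN+PSH+URG, closed port answers RST/ACK
    ("192.0.2.10", 40001, "10.0.0.5", 80, FIN | PSH | URG),
    ("10.0.0.5", 80, "192.0.2.10", 40001, RST | ACK),
    # half-open SYN probe (-sS style): SYN, SYN/ACK, scanner tears down with a bare RST
    ("192.0.2.10", 40002, "10.0.0.5", 22, SYN),
    ("10.0.0.5", 22, "192.0.2.10", 40002, SYN | ACK),
    ("192.0.2.10", 40002, "10.0.0.5", 22, RST),
    # connect() probe (-sT style): handshake completed by the OS stack, then closed
    ("192.0.2.10", 40003, "10.0.0.5", 443, SYN),
    ("10.0.0.5", 443, "192.0.2.10", 40003, SYN | ACK),
    ("192.0.2.10", 40003, "10.0.0.5", 443, ACK),
    ("192.0.2.10", 40003, "10.0.0.5", 443, RST | ACK),
    # NULL probe (-sN style): no flags set, open port stays silent
    ("192.0.2.10", 40004, "10.0.0.5", 25, 0),
]


def group_flows(packets, scanner):
    """Bucket packets by (target host, target port), tagging direction
    relative to the suspected scanner address."""
    flows = defaultdict(list)
    for src, sport, dst, dport, flags in packets:
        if src == scanner:
            flows[(dst, dport)].append(("out", flags))
        elif dst == scanner:
            flows[(src, sport)].append(("in", flags))
    return flows


def classify_flow(events):
    """Label one flow from the scanner's first flags and its reaction to SYN/ACK."""
    sent = [f for direction, f in events if direction == "out"]
    recv = [f for direction, f in events if direction == "in"]
    if not sent:
        return "no probe"
    first = sent[0]
    if first == 0:
        return "null-scan probe"
    if first == FIN:
        return "fin-scan probe"
    if first == FIN | PSH | URG:
        return "xmas-scan probe"
    if first == SYN:
        if any(f & (SYN | ACK) == (SYN | ACK) for f in recv):
            follow = sent[1:]
            if follow and follow[0] == RST:
                return "half-open syn-scan (open port)"
            if follow and follow[0] & ACK and not follow[0] & RST:
                return "connect-scan, full handshake (open port)"
            return "syn probe, open port, no follow-up seen"
        if any(f & RST for f in recv):
            return "syn probe, closed port"
        return "syn probe, no answer"
    return "unclassified flags 0x%02x" % first


def summarize(packets, scanner):
    """Map each (target, port) the scanner touched to a probe-technique label."""
    return {key: classify_flow(ev) for key, ev in group_flows(packets, scanner).items()}


if __name__ == "__main__":
    for (host, port), label in sorted(summarize(SAMPLE, "192.0.2.10").items()):
        print("%s:%-5d %s" % (host, port, label))
```

To use it the way Keith suggests, run each scan mode in a lab against a test host, capture the traffic, feed the tuples through `summarize`, and confirm the labels match the mode you ran; then run the other tools (hping2, nemesis and so on) with equivalent options and note which of them produce the same flag sequences, because those are the cases where the signature fires but the tool is not nmap.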
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 11:31:12 PDT