Hi all,

Regarding my previous post (Subject: Fight Back), it is actually about identifying the tool that is being used in probing, scanning and whacking the network, etc. I will run a test on a couple of machines where [1] a machine is loaded with the tool, [2] a machine will be used to sniff the packets with tcpdump and Snort, and [3] a target machine. I am sure that Snort will detect the works. Here I am looking for advice on getting the structure of the work, etc. for identifying the tool. Where can I have a look at this?

-s

--- "Seymour, Keith" <KESeymourat_private> wrote:
> Ganu,
>
> As much fun as it's not, the only way to tell what tool someone is running
> against you is to download the tools, run them in a lab, record the results,
> and compare. The very common tools are already built into signatures, but
> you will quickly find that 'NMAP Scan' isn't always (or even very often)
> nmap.
>
> If you're using an open tool like snort, look at the rules that are firing and
> see what they look at to identify the attack. Then you can look for other
> things that cause that same signature to fire.
>
> Good Luck,
>
> Keith
>
> -----Original Message-----
> From: Ganu Skop [mailto:skopganuat_private]
> Sent: Thursday, October 10, 2002 12:04 AM
> To: loganalysisat_private
> Subject: [logs] Fight Back
>
>
> Hi all,
> I could not recall if there is any discussion on the matter regarding
> detecting a tool that is used for _doing_evil_stuff.
> What I am trying to do is to be able to detect what kind of tool is used in
> probing/scanning/evil_stuff.
> Most IDS will detect if there is hping2, nmap, cybercop. But what about
> others? such as nemesis and most web scanners such as stealth, screaming
> cobra, nikto?
> I really hope to be able to sort out what kind of command is used when an
> intruder uses nmap (be it nmap -sX, -sS, -sT, etc.)
>
> Thanks
> -skop
>
> =====
> //skopganu

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
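An added example, not written by anyone in this thread: the lab setup described above (a tool host, a tcpdump/Snort sniffer, a target) produces packet captures, and the question is what in those captures distinguishes one nmap invocation from another. The script below applies the kind of flag-pattern reasoning Keith suggests to `tcpdump -n` summary lines: it groups packets into flows, looks at the TCP flags the initiator sends, and labels each flow by scan technique. The sample capture is constructed for the example, and the labels name the technique the flags match ("nmap -sS style"), not proof that the tool was nmap, since any packet crafter can send the same flags.

```python
import re
from collections import Counter, OrderedDict, defaultdict

# Constructed sample in the summary format `tcpdump -n` prints for TCP segments.
# 10.0.0.5 is the scanning host in the lab, 10.0.0.9 the target.
SAMPLE_CAPTURE = """\
12:04:00.000100 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [S], seq 1, win 1024, length 0
12:04:00.000200 IP 10.0.0.9.22 > 10.0.0.5.40001: Flags [S.], seq 2, ack 2, win 64240, length 0
12:04:00.000300 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [R], seq 2, win 0, length 0
12:04:01.000100 IP 10.0.0.5.40002 > 10.0.0.9.80: Flags [S], seq 3, win 64240, length 0
12:04:01.000200 IP 10.0.0.9.80 > 10.0.0.5.40002: Flags [S.], seq 4, ack 4, win 64240, length 0
12:04:01.000300 IP 10.0.0.5.40002 > 10.0.0.9.80: Flags [.], ack 5, win 64240, length 0
12:04:02.000100 IP 10.0.0.5.40003 > 10.0.0.9.443: Flags [FPU], seq 5, win 1024, length 0
12:04:03.000100 IP 10.0.0.5.40004 > 10.0.0.9.25: Flags [none], seq 6, win 1024, length 0
12:04:04.000100 IP 10.0.0.5.40005 > 10.0.0.9.21: Flags [F], seq 7, win 1024, length 0
"""

# One tcpdump TCP summary line: timestamp, IP src.sport > dst.dport: Flags [..]
TCPDUMP_RE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]'
)


def parse_line(line):
    """Return (src, sport, dst, dport, flags) for a tcpdump line, or None."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    return (m['src'], int(m['sport']), m['dst'], int(m['dport']), m['flags'])


def label_flow(outbound_flags):
    """Map the flag sequence the initiator sent to a scan technique label."""
    if not outbound_flags:
        return 'no packets from initiator'
    first = outbound_flags[0]
    if first == 'FPU':          # FIN+PSH+URG with no SYN: Xmas probe
        return 'xmas (nmap -sX style)'
    if first == 'none':         # no flags at all: NULL probe
        return 'null (nmap -sN style)'
    if first == 'F':            # bare FIN to a port with no connection
        return 'fin (nmap -sF style)'
    if first == 'S':
        later = outbound_flags[1:]
        if '.' in later:        # initiator completed the handshake with an ACK
            return 'full connect (nmap -sT style)'
        if 'R' in later:        # initiator tore down with RST after SYN/ACK
            return 'half-open SYN (nmap -sS style)'
        return 'SYN with no follow-up (unanswered or truncated capture)'
    return f'unclassified (first flags {first})'


def classify_flows(capture_text):
    """Group packets into flows keyed on both endpoints and label each one.

    Returns {"src:sport->dst:dport": label} with the initiator on the left.
    """
    flows = OrderedDict()
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a < b else (b, a)       # same key for both directions
        if key not in flows:
            flows[key] = {'initiator': a, 'packets': []}   # first sender starts it
        direction = 'out' if a == flows[key]['initiator'] else 'in'
        flows[key]['packets'].append((direction, flags))

    labels = {}
    for key, flow in flows.items():
        src, sport = flow['initiator']
        dst, dport = key[1] if key[0] == flow['initiator'] else key[0]
        outbound = [f for d, f in flow['packets'] if d == 'out']
        labels[f'{src}:{sport}->{dst}:{dport}'] = label_flow(outbound)
    return labels


def summarize_by_source(labels):
    """Count technique labels per initiating IP: {src_ip: Counter(label)}."""
    per_src = defaultdict(Counter)
    for flow_id, label in labels.items():
        per_src[flow_id.split(':', 1)[0]][label] += 1
    return per_src


if __name__ == '__main__':
    result = classify_flows(SAMPLE_CAPTURE)
    for flow_id, label in result.items():
        print(f'{flow_id:32} {label}')
    for src_ip, counts in summarize_by_source(result).items():
        print(src_ip, dict(counts))
```

To use it on a real lab run, feed it the text from `tcpdump -n 'tcp' > capture.txt` on the sniffer host; the per-source summary is the part worth comparing against what Snort reported, because a source that shows several distinct techniques in a short window looks like a scanner stepping through options rather than a misbehaving client.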
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 11:36:57 PDT