Hi Key and Ganu,

Do you guys have any idea about the log files one should see for intrusion activity with respect to Unix... specifically BSD Unix if possible?

Thanks
ABBY

>From: loganalysis-requestat_private
>Reply-To: loganalysisat_private
>To: loganalysisat_private
>Subject: LogAnalysis digest, Vol 1 #43 - 2 msgs
>Date: Mon, 14 Oct 2002 12:00:05 +0000
>
>Send LogAnalysis mailing list submissions to
>	loganalysisat_private
>
>To subscribe or unsubscribe via the World Wide Web, visit
>	http://lists.shmoo.com/mailman/listinfo/loganalysis
>or, via email, send a message with subject or body 'help' to
>	loganalysis-requestat_private
>
>You can reach the person managing the list at
>	loganalysis-adminat_private
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of LogAnalysis digest..."
>
>
>Today's Topics:
>
>   1. Re: Fight Back (Ganu Skop)
>   2. Re: Fight Back (Alexandre Dulaunoy)
>
>--__--__--
>
>Message: 1
>Date: Sun, 13 Oct 2002 21:01:06 -0700 (PDT)
>From: Ganu Skop <skopganuat_private>
>Subject: Re: [logs] Fight Back
>To: loganalysisat_private
>
>Hi,
>To make it simple; I'm pretty much looking at how to
>detect what kind of tool the intruder used, say that
>in scanning my network or crawling my homepage, the
>question is - does he use nmap or queso? does he use
>nikto, cybercop or nessus?
>Snort will detect say that Nmap TCP scan and -sS scan
>- but it's still limited. I really would love to know
>what tool the intruder used.
>any idea?
>
>
>--- H C <keydet89at_private> wrote:
>
> > > I could not recall if there is any discussion on the
> > > matter regarding detecting a tool that is used for
> > > _doing_evil_stuff.
> >
> > It all depends on what you call "evil stuff".
> >
> > > What I am trying to do is; to be able to detect
> > > what kind of tool that is used in
> > > probing/scanning/evil_stuff.
> >
> > I don't see the correlation between probing and
> > scanning, and "evil_stuff".
> >
> > > Most IDS will detect if there is hping2, nmap,
> > > cybercop. But what about others? such as nemesis and
> > > most web scanners such as stealth, screaming
> > > cobra, nikto?
> > > I really hope to be able to sort out what kind of
> > > command that is used when an intruder uses nmap (be
> > > it nmap -sX, -sS, -sT and etc)
> >
> > If you're using snort, I'm sure you can find the
> > signatures for these scans.
> >
> > However, it's still not clear to me what you're
> > looking for. So what if someone scans you? Is it
> > consuming an inordinate amount of bandwidth, and
> > preventing your customers from communicating w/ you?
> >
> > I watch an IIS server that gets scanned all the
> > time...with no luck. Basically, the scans give me
> > something to look at in the log files, and nothing
> > else...
>
>=====
>//skopganu
>
>--__--__--
>
>Message: 2
>Date: Mon, 14 Oct 2002 09:43:54 +0200 (CEST)
>From: Alexandre Dulaunoy <alexat_private>
>To: Ganu Skop <skopganuat_private>
>Cc: loganalysisat_private
>Subject: Re: [logs] Fight Back
>
>On Sun, 13 Oct 2002, Ganu Skop wrote:
>
> > Hi,
> > To make it simple; I'm pretty much looking at how to
> > detect what kind of tool the intruder used, say that
> > in scanning my network or crawling my homepage, the
> > question is - does he use nmap or queso? does he use
> > nikto, cybercop or nessus?
> > Snort will detect say that Nmap TCP scan and -sS scan
> > - but it's still limited. I really would love to know
> > what tool the intruder used.
> > any idea?
>
> Not so easy to do. Tools can be made to act like any other tool.
>
> A basic "intruder" will use the standard configuration for Nessus, for
> example. And there is some behaviour specific to Nessus, and so
> on...
>
> In general a real intruder will not work like that. So you'll have
> to dig into the capture, logs, ... to find the actual workings of
> the intruder. Sometimes you have intruders using basic worm
> attacks to hide their activities.
>
> Life is not easy. This is the beauty of Life and log analysis.
>
> adulau
>
>--
> Alexandre Dulaunoy -- http://www.foo.be/
> 3B12 DCC2 82FA 2931 2F5B 709A 09E2 CD49 44E6 CBCD --- AD993-6BONE
>"People who fight may lose. People who do not fight have already lost."
> Bertolt Brecht
>
>
>--__--__--
>
>_______________________________________________
>LogAnalysis mailing list
>LogAnalysisat_private
>http://lists.shmoo.com/mailman/listinfo/loganalysis
>
>
>End of LogAnalysis Digest
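On the nmap question in the quoted digest (telling -sX, -sS and -sT apart from what shows up in a capture), here is an added example that is not part of the thread: it groups a constructed packet log into TCP flows and names the nmap scan mode from each flow's flag sequence. The log format, the SAMPLE_LOG records and the function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of packets sent by scanning hosts toward one target, in an
# assumed format "time src.sport > dst.dport FLAGS" (S/A/F/P/U/R, "-" = none).
SAMPLE_LOG = """\
21:01:06.000 10.0.0.5.40001 > 192.168.1.10.22 S
21:01:06.010 10.0.0.5.40001 > 192.168.1.10.22 R
21:01:06.020 10.0.0.5.40002 > 192.168.1.10.23 S
21:01:07.000 10.0.0.6.51000 > 192.168.1.10.80 S
21:01:07.010 10.0.0.6.51000 > 192.168.1.10.80 A
21:01:07.020 10.0.0.6.51000 > 192.168.1.10.80 FA
21:01:08.000 10.0.0.9.33000 > 192.168.1.10.80 FPU
21:01:08.001 10.0.0.9.33001 > 192.168.1.10.443 FPU
21:01:09.000 10.0.0.7.34000 > 192.168.1.10.80 F
21:01:10.000 10.0.0.8.35000 > 192.168.1.10.25 -
"""
LINE_RE = re.compile(r"^\S+ (\S+)\.(\d+) > (\S+)\.(\d+) (\S+)$")

# Probe flag patterns that identify a scan mode from a single packet.
PROBE_MODES = {"FPU": "xmas (-sX)", "-": "null (-sN)", "F": "fin (-sF)"}

def classify_flow(flags):
    """Name the nmap scan mode from the ordered flags of one TCP flow."""
    first = flags[0]
    if first in PROBE_MODES:
        return PROBE_MODES[first]
    if first != "S":
        return "unknown"
    # A lone SYN cannot separate -sS from -sT; the scanner's next packet can:
    # a bare ACK completes the handshake (connect), a RST first means half-open.
    for f in flags[1:]:
        if "A" in f:
            return "connect (-sT)"
        if "R" in f:
            return "half-open (-sS)"
    return "syn, undetermined (-sS or -sT; closed port or no reply seen)"

def scan_report(log_text):
    """Group packets into flows, classify each, and count modes per source."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            flows[(src, sport, dst, dport)].append(flags)
    report = defaultdict(Counter)
    for (src, _, _, _), flags in flows.items():
        report[src][classify_flow(flags)] += 1
    return {src: dict(c) for src, c in report.items()}
```

Only flows to open ports reveal whether a SYN came from -sS or -sT, and, as Alexandre notes, flag shapes identify the probe, not the program that sent it.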
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 11:42:29 PDT