Re: Netcat probing, logs and detection

Gene Spafford (spaf@cs.purdue.edu)
Sat, 23 Nov 1996 14:54:36 -0500

> Detection can be done just like you'd do any other kind of detection.  Looking
> for sequential port scans is probably the wrong approach, and can get very
> noisy.  Rather, try deliberately setting up some known passive endpoints as
> traps and monitor for any traffic to those.  [Definition of an "endpoint"
> left to the reader.]

This is precisely what "scan-detector" does.  See
ftp://coast.cs.purdue.edu/pub/COAST/tools/scan-detector.tar.Z
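
The trap-endpoint idea from the quoted message, as an added example (not part of the original post, and not scan-detector's code). The log format, the addresses and the TRAPS set are constructed assumptions; the sequential-port heuristic is included only to show why it is noisy on the same data.

```python
from collections import defaultdict

# Constructed sample connection log: "epoch src dst dport"
SAMPLE_LOG = """\
848778800 10.0.0.5 192.0.2.10 50000
848778801 10.0.0.5 192.0.2.10 50001
848778802 10.0.0.5 192.0.2.10 50002
848778810 10.0.0.9 192.0.2.10 443
848778811 10.0.0.9 192.0.2.10 23
848778812 10.0.0.9 192.0.2.66 79
848778813 10.0.0.9 192.0.2.10 8080
"""

# Assumed trap endpoints: address/port pairs that offer no real service,
# so no legitimate client has a reason to contact them.
TRAPS = {("192.0.2.66", 79), ("192.0.2.66", 23)}

def parse(log):
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[0].isdigit() or not fields[3].isdigit():
            continue  # skip malformed lines
        yield int(fields[0]), fields[1], fields[2], int(fields[3])

def sequential_sources(log, run=3):
    """Sources that hit `run` consecutive ports on one host, in order."""
    last = {}   # (src, dst) -> (last port, current run length)
    flagged = set()
    for _, src, dst, port in parse(log):
        prev_port, length = last.get((src, dst), (None, 0))
        length = length + 1 if prev_port is not None and port == prev_port + 1 else 1
        last[(src, dst)] = (port, length)
        if length >= run:
            flagged.add(src)
    return flagged

def trap_hits(log, traps=TRAPS):
    """Map each source to the trap endpoints it touched, with first-seen time."""
    hits = defaultdict(dict)
    for ts, src, dst, port in parse(log):
        if (dst, port) in traps:
            hits[src].setdefault((dst, port), ts)
    return dict(hits)

if __name__ == "__main__":
    print("sequential heuristic:", sequential_sources(SAMPLE_LOG))
    print("trap endpoints:", trap_hits(SAMPLE_LOG))
```

On this sample the sequential heuristic flags only 10.0.0.5, a client stepping through consecutive data ports, while the trap check flags only 10.0.0.9, the one source that touched an endpoint with no legitimate use.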