Re: Netcat probing, logs and detection

*Hobbit* (hobbit@avian.org)
Wed, 20 Nov 1996 12:35:11 -0500

Netcat by itself does not probe for vulnerabilities, despite what various
clueless media people have said about it.  Read the README.  Everything
depends entirely on the script you wrap around it.  The included "probe"
script is just an example.  If it's any help, the same idea is behind some of
the SATAN backend tools -- a generic connection handler you can push whatever
application-level data through and collect output.  The construction of said
data is handled externally.

Detection can be done just like you'd do any other kind of detection.  Looking
for sequential port scans is probably the wrong approach, and can get very
noisy.  Rather, try deliberately setting up some known passive endpoints as
traps and monitor for any traffic to those.  [Definition of an "endpoint"
left to the reader.]

Of course if you want to tailor some of said traps to what the example script
does, go for it.  Never know what kind of ankle-biters might show up...

_H*
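
The trap approach suggested in the message above, sketched as an added example that is not part of the original post or of the netcat distribution: passive TCP listeners that offer no service and record every connection they receive. The name `start_traps`, the loopback bind address and the event fields are assumptions chosen for illustration.

```python
import selectors
import socket
import threading
import time

def start_traps(ports, host="127.0.0.1", peek_bytes=64):
    """Open passive listeners on `ports` (0 = OS-chosen port) and record every
    connection. Nothing legitimate should talk to a trap, so any hit is worth
    an alert. Returns (bound_ports, events, stop)."""
    sel, bound = selectors.DefaultSelector(), []
    for port in ports:
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        sel.register(srv, selectors.EVENT_READ)
        bound.append(srv.getsockname()[1])
    events, stop = [], threading.Event()

    def loop():
        while not stop.is_set():
            for key, _ in sel.select(timeout=0.2):
                conn, peer = key.fileobj.accept()
                conn.settimeout(0.5)   # a silent client must not stall the trap
                try:
                    data = conn.recv(peek_bytes)   # keep first bytes, send nothing back
                except OSError:                    # timeout or reset: log the hit anyway
                    data = b""
                finally:
                    conn.close()
                events.append({"time": time.strftime("%Y-%m-%dT%H:%M:%S%z"),
                               "trap_port": key.fileobj.getsockname()[1],
                               "src": peer[0], "src_port": peer[1], "first_bytes": data})
        for key in list(sel.get_map().values()):   # shut the listeners down on stop
            key.fileobj.close()

    threading.Thread(target=loop, daemon=True).start()
    return bound, events, stop

if __name__ == "__main__":
    ports, events, stop = start_traps([0, 0])      # constructed demo on loopback
    with socket.create_connection(("127.0.0.1", ports[1])) as c:
        c.sendall(b"HELP\r\n")                     # constructed sample traffic
    time.sleep(1)
    stop.set()
    print(events)
```

Because the listeners are purely passive, the event list stays empty until something connects, which avoids the noise of inferring scans from sequential port activity.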