> 1) Does anyone have any experience using Hobbit's Netcat program > to probe system vulnerabilities? Yes, and it works great. I'm doing a lot of penetration studies and I use netcat for most part of it. You can have full control on whatever TCP stream or UDP datagrams you send to whatever port, with whatever input.. > > 2) Does anyone have a log of such probing that they would care to post > or share? What do you want to see??? There is no such thing as clear recognition of the use of netcat in logs or dumps. The way you use netcat is fully up to your own creativity.... > > 3) Is there an intrusion detection system that will explicitly > identify Netcat probes, the same way as Courtney idenfifies Satan? No... Satan, ISS and such other tools have standard preprogrammed way of scanning networks and systems, which you can use in you detection system. In case of netcat you should be aware of "strange" logs concerning connections to ports. May that can be automated, but I think it's just not possible to have netcat probes explicitly identified. (also, instead of using netcat, one can use many other techniques and tools...) > > Hog Farmer, > Tropical Hog Improvement Programme Arjan Vos KPMG EDP Auditors >