Re: IDS: scan detect

CyberPsychotic (mlists@gizmo.kyrnet.kg)
Wed, 24 Mar 1999 17:04:22 +0500 (KGT)


~     If anyone needs the info, I have portscan detect set up to detect
~ incoming scans on ports 54 (low scan), 31337 (BO), and 12345 (NetBus). If a
~ scan comes through for any of these, the system catches them and emails an
~ alert. This is also displayed real-time on a v-console for active
~ viewing/testing. Not difficult to do, but it is handy.
~ 

Well, I've been playing with similar things a while ago, when 31337
UDP scans were quite active. I also implemented a `ping-pong' feature which
caused some sort of amusing results for our bo-kiddies. I would like to
have a look at your code, if you don't mind. (while mine are at
http://www.kalug.lug.net/coding, look at the udplstn piece, and
http://www.kalug.lug.net/tcplogd/ for a general TCP-scans logger, if
you're interested).


regards
 ~Fyodor

--
fygrave@tigerteam.net		http://www.kalug.lug.net
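
Added example, not part of the original message and not code from either poster: the port watch described in the quoted text (ports 54, 31337 and 12345, with an e-mail alert), run over connection-log lines. The log format, the addresses, the `quiet_secs` repeat suppression and the mail addresses are assumptions constructed for illustration; the alert message is built but not sent.

```python
import re
from email.message import EmailMessage

# Ports and labels as named in the quoted message.
WATCHED = {54: "low scan", 31337: "BO", 12345: "NetBus"}

# Constructed log format (an assumption, not udplstn or tcplogd output):
#   <epoch> <proto> <src-ip>:<src-port> -> <dst-ip>:<dst-port>
LINE = re.compile(r"^(\d+) (tcp|udp) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

# Constructed sample input using documentation address ranges.
SAMPLE_LOG = """\
922277000 tcp 192.0.2.10:40112 -> 198.51.100.5:80
922277003 udp 192.0.2.77:1055 -> 198.51.100.5:31337
922277004 udp 192.0.2.77:1055 -> 198.51.100.6:31337
922277009 tcp 203.0.113.9:2201 -> 198.51.100.5:12345
922277400 udp 192.0.2.77:1060 -> 198.51.100.5:31337
garbage line that must be skipped
922277401 tcp 203.0.113.9:2207 -> 198.51.100.5:54
"""

def detect(log_text, quiet_secs=300):
    """Alert on hits to watched ports; repeats from the same source on the
    same port within quiet_secs of its last alert are suppressed."""
    last_alert, alerts = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # unparseable line: ignore rather than crash the watcher
        ts, proto, src, _sport, dst, dport = m.groups()
        ts, dport = int(ts), int(dport)
        key = (src, dport)
        if dport not in WATCHED:
            continue
        if key in last_alert and ts - last_alert[key] < quiet_secs:
            continue  # keeps a sweep across many hosts from flooding the mailbox
        last_alert[key] = ts
        alerts.append({"ts": ts, "proto": proto, "src": src, "dst": dst,
                       "port": dport, "label": WATCHED[dport]})
    return alerts

def to_mail(alert, rcpt="admin@example.org"):
    """Build (not send) the alert mail; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "ids@example.org", rcpt
    msg["Subject"] = f"probe on port {alert['port']} ({alert['label']}) from {alert['src']}"
    msg.set_content(f"{alert['proto']} {alert['src']} -> {alert['dst']}:{alert['port']} at {alert['ts']}")
    return msg

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(to_mail(a)["Subject"])
```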