[8722] in bugtraq
Detecting the "undetectable".
daemon@ATHENA.MIT.EDU (Patrick Gilbert)
Fri Dec 18 11:43:30 1998
Date: Wed, 16 Dec 1998 18:21:58 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Patrick Gilbert <gilbert@PGCI.CA>
To: BUGTRAQ@NETSPACE.ORG
For many system administrators, paranoia comes as a sixth sense. They don't like their networks prodded or probed by outsiders; this would be like someone bursting into their office while they are taking their coffee and groping them.
So, after having my fun with nmap-2.00, I decided to conjure something that will monitor for this type of network reconnaissance.
The monitor works with tcpdump, and perl provides flexibility. Feel free to improve on it, and mail me a copy. You must provide the network to monitor and the ports to exclude, and you can also add filters for larger networks.
Here are a few suspicious packets it looks out for; you can read about the added features and grab the source at http://www.pgci.ca/syn.html
ICMP packets (you can add filters), UDP packets (same), TCP packets with no ACK, fragmented IP packets, IP packets with options, packets with X.X.X.255 destination, packets with X.X.X.0 destination.
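As an added illustration (not Patrick's perl script from the URL above), here is the same rule set in Python, run over tcpdump -nv style output: the monitored network, the excluded ports and the sample capture lines are all assumed or constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed configuration (not from the original post): the network to watch and
# service ports where unsolicited SYNs are normal and therefore not reported.
MONITORED = ip_network("192.168.1.0/24")
EXCLUDED_PORTS = {22, 80}

# One "tcpdump -nv" line: IP header fields in parentheses, then
# src[.port] > dst[.port]: protocol-specific text.
LINE = re.compile(
    r"^IP \((?P<hdr>.*?)\) (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))?"
    r" > (?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$")

def classify(line):
    """Return the suspicious traits found in one tcpdump line (empty if none)."""
    m = LINE.match(line)
    if not m or ip_address(m["dst"]) not in MONITORED:
        return []                       # unparsable, or not our network
    hdr, rest, hits = m["hdr"], m["rest"], []
    if ip_address(m["dst"]).packed[-1] in (0, 255):
        hits.append("network/broadcast destination")
    if "flags [+]" in hdr or "offset 0," not in hdr:  # MF bit set or non-zero offset
        hits.append("fragmented")
    if "options (" in hdr:
        hits.append("ip options")
    if "proto ICMP" in hdr:
        hits.append("icmp")
    elif "proto UDP" in hdr:
        hits.append("udp")
    elif "proto TCP" in hdr:
        flags = re.search(r"Flags \[([^\]]*)\]", rest)
        dport = int(m["dport"]) if m["dport"] else None
        # tcpdump prints "." for ACK; a segment without it is not part of an
        # established connection (SYN, NULL, FIN and Xmas probes all qualify)
        if flags and "." not in flags.group(1) and dport not in EXCLUDED_PORTS:
            hits.append("tcp without ACK")
    return hits

def scan(lines):
    """Map each suspicious line to its traits, like the monitor's alert log."""
    found = ((ln, classify(ln)) for ln in lines)
    return {ln: hits for ln, hits in found if hits}

# Constructed sample capture in tcpdump -nv format (not real traffic).
SAMPLE = [
    "IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.5.40001 > 192.168.1.10.80: Flags [S], seq 1, win 1024, length 0",
    "IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto TCP (6), length 40) 10.0.0.5.40002 > 192.168.1.10.139: Flags [none], seq 0, win 1024, length 0",
    "IP (tos 0x0, ttl 64, id 3, offset 0, flags [none], proto ICMP (1), length 28) 10.0.0.5 > 192.168.1.255: ICMP echo request, id 1, seq 1, length 8",
    "IP (tos 0x0, ttl 64, id 4, offset 0, flags [+], proto TCP (6), length 44, options (nop,EOL)) 10.0.0.5.40003 > 192.168.1.10.25: Flags [S], seq 0, win 1024, length 0",
    "IP (tos 0x0, ttl 64, id 5, offset 0, flags [none], proto UDP (17), length 28) 10.0.0.5.40004 > 172.16.0.9.53: UDP, length 0",
]
```

The first sample line (a SYN to an excluded service port) and the last (a destination outside the monitored network) produce no alert; the NULL probe, the broadcast ping and the fragmented SYN with IP options are reported with every matching trait.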
Cheers,
--
Patrick Gilbert
PGCI Inc.
http://www.pgci.ca
Montreal (QC), Canada
CE AB B2 18 E0 FE C4 33 0D 9A AC 18 30 1F D9 1A