[7] in Intrusion Detection Systems
Re: port scanners/ICMP port unreachable
daemon@ATHENA.MIT.EDU (John Studarus)
Thu Mar 30 14:22:34 1995
From: studarus@zippy.psc.edu (John Studarus)
To: ids@uow.edu.au
Date: Thu, 30 Mar 1995 11:04:48 -0500 (EST)
In-Reply-To: <Pine.SUN.3.91.950328210720.10007A@access.mbnet.mb.ca> from "Oliver Friedrichs" at Mar 28, 95 09:08:51 pm
Reply-To: ids@uow.edu.au
>
> On Tue, 28 Mar 1995, Dan Pollack wrote:
>
> > You might want to give icmpinfo a try. It is a neat little program
> > that gives very good info on icmp traffic. You should be able to get
> > the latest version at hplyot.obspm.fr:/net/icmpinfo-*.tar.gz. You
> > might also look at http://www.obspm.fr/~dl/ which is the authors home
> > page and has a hypertext version of the man page.
>
> Hi Dan,
> icmpinfo only catches incoming icmp messages - in this case we're
> looking for outgoing port unreachable messages - to detect someone trying
> to connect to an invalid port.
>
> - Oliver
>
It turns out that I also want to listen for TCP resets. If I
see a bunch of TCP resets between two hosts and the sockets are sequential,
then I set off alarms. This works great for strobe.
Does SATAN/SANTA do the same type of port scanning as strobe -
i.e. blast through all TCP ports on a remote host? Is someone willing
to test this with me? (i.e. someone with SATAN)
I can't go around putting wrappers and kernel mods on all computers
here since: 1. I don't have access to the computers - only the networks,
2. we have a lot of computers, and 3. by aggregating all the data collection
on the network on one sniffing machine I can fine-tune the type of alarm
I set off (one host being scanned, one subnet, the entire net, all of PA, etc. etc.). =)
I took a look at icmpinfo but, as Oliver says, it doesn't quite
do what I need. If my program can detect SANTA, I'll put it out on the
net for people.
-John
P.S. Is it just me or is everyone getting 4 copies of all messages to this list?
--
John Studarus
studarus@{CMU,PSC}.EDU
Carnegie Mellon University - M.S. Student, Information Networking Institute
Pittsburgh Supercomputing Center - Network Engineer
PGP key available at: http://pgp.ai.mit.edu/~bal/pks-toplev.html
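The detection heuristic John describes above (a burst of TCP resets or ICMP port unreachables flowing from one host to another on sequential ports means the receiving host is walking the sender's closed ports, with the alarm tunable per host, per subnet or for the whole net) as an added example in Python. This is not John Studarus's program or any code from the list; the record layout, the thresholds and the sample traffic are all constructed assumptions.

```python
"""Passive port-scan detector built from the heuristic in the post above:
many TCP RSTs (or ICMP port unreachables) flowing from one host to
another on sequential ports mean the receiving host is probing the
sender's closed ports.  Added example, not John Studarus's program;
the record layout, thresholds and sample traffic are constructed."""

from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Reply:
    """One 'closed port' reply seen on the wire by a sniffer.
    src is the probed host (it sends the reply); dst is the suspected scanner."""
    src: str
    dst: str
    port: int   # TCP/UDP port that was probed
    kind: str   # "rst" (TCP RST) or "icmp_unreach" (ICMP type 3, code 3)


CLOSED_PORT_KINDS = {"rst", "icmp_unreach"}


def longest_sequential_run(ports):
    """Length of the longest run of consecutive port numbers in `ports`."""
    best = cur = 0
    prev = None
    for port in sorted(set(ports)):
        cur = cur + 1 if prev is not None and port == prev + 1 else 1
        best = max(best, cur)
        prev = port
    return best


def detect_scans(replies, min_run=10, min_hosts=16, min_subnets=4, prefix=24):
    """Return alarms at three scopes, mirroring the post's 'one host, one
    subnet, the entire net' tuning (all thresholds are assumed values):
      ("host",   scanner, target,      run_length)
      ("subnet", scanner, subnet_cidr, distinct_hosts)
      ("net",    scanner, "*",         distinct_subnets)
    """
    pair_ports = defaultdict(set)          # (scanner, target) -> probed ports
    for r in replies:
        if r.kind in CLOSED_PORT_KINDS:
            pair_ports[(r.dst, r.src)].add(r.port)

    alarms = []
    subnet_hosts = defaultdict(set)        # (scanner, subnet) -> targets replied
    for (scanner, target), ports in pair_ports.items():
        run = longest_sequential_run(ports)
        if run >= min_run:                 # strobe-style: walking the ports of one host
            alarms.append(("host", scanner, target, run))
        net = ipaddress.ip_network(f"{target}/{prefix}", strict=False)
        subnet_hosts[(scanner, str(net))].add(target)

    scanner_subnets = defaultdict(set)     # scanner -> subnets it touched
    for (scanner, net), hosts in subnet_hosts.items():
        if len(hosts) >= min_hosts:        # sweep: closed-port replies from many hosts of one /24
            alarms.append(("subnet", scanner, net, len(hosts)))
        scanner_subnets[scanner].add(net)

    for scanner, nets in scanner_subnets.items():
        if len(nets) >= min_subnets:       # same scanner touching many subnets
            alarms.append(("net", scanner, "*", len(nets)))
    return alarms


def sample_replies():
    """Constructed traffic: a strobe of 10.1.2.3 on ports 1-25 (22 and 25 are
    open, so no RST), a telnet sweep of 10.1.2.10-30, and two innocent refusals."""
    replies = [Reply("10.1.2.3", "10.9.9.9", p, "rst")
               for p in range(1, 26) if p not in (22, 25)]
    replies += [Reply(f"10.1.2.{h}", "10.9.9.9", 23, "rst") for h in range(10, 31)]
    replies.append(Reply("10.1.2.4", "10.7.7.7", 80, "rst"))           # one refused connect
    replies.append(Reply("10.1.2.5", "10.9.9.9", 53, "icmp_unreach"))  # one UDP probe
    return replies


if __name__ == "__main__":
    for alarm in detect_scans(sample_replies()):
        print(*alarm)
```

On the constructed traffic the single refused connection from 10.7.7.7 never trips anything, while 10.9.9.9 trips the host-level alarm (a 21-port run against 10.1.2.3) and the subnet-level alarm (closed-port replies from 23 hosts in 10.1.2.0/24). Open ports leave gaps in the sequence, so the per-host threshold is a run length rather than a simple count.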