[755] in Intrusion Detection Systems
Re: Netcat probing, logs and detection
daemon@ATHENA.MIT.EDU (Paul Danckaert)
Sat Nov 23 15:01:29 1996
Date: Wed, 20 Nov 1996 12:36:15 -0500 (EST)
From: Paul Danckaert <pauld@umbc.edu>
To: ids@uow.edu.au
In-Reply-To: <9610188483.AA848336980@mail-out.un.org>
Reply-To: ids@uow.edu.au
On Mon, 18 Nov 1996 adamsb@un.org wrote:
> 1) Does anyone have any experience using Hobbit's Netcat program
> to probe system vulnerabilities?
Netcat is simply a program that allows you to make net connections easily.
It will listen for connections, or open them for you. There are scripts
provided that will do scans or things like that, but they are not a
unified set of hacking utilities.
> 2) Does anyone have a log of such probing that they would care to post
> or share?
Anything that would turn up a basic tcp/udp scan would turn up netcat.
Tcp wrappers, ip filters, or anything else like that.
> 3) Is there an intrusion detection system that will explicitly
> identify Netcat probes, the same way as Courtney identifies Satan?
Since there isn't really a "netcat probe", it would be hard to identify.
There are scripts made to attack certain services around which you could
look for, but that's about all. There are things like "probe", which scans
services and should really be picked up by normal monitors.. nothing
special there.
paul
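
The point made in the reply, that a Netcat scan shows up in connection logs like any other TCP scan, as an added example that is not part of the original post: a Python sketch that reads TCP-wrapper-style syslog lines and flags any source touching several distinct services within a short window. The log lines are constructed, and the function names, the 60-second window and the four-service threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style tcpd writes to syslog (not from the post).
SAMPLE_LOG = """\
Nov 20 12:30:01 gw in.telnetd[411]: refused connect from 192.0.2.10
Nov 20 12:30:02 gw in.ftpd[412]: refused connect from 192.0.2.10
Nov 20 12:30:02 gw in.fingerd[413]: connect from 192.0.2.10
Nov 20 12:30:03 gw in.rshd[414]: refused connect from 192.0.2.10
Nov 20 12:30:04 gw in.rlogind[415]: refused connect from 192.0.2.10
Nov 20 12:31:10 gw in.telnetd[420]: connect from 198.51.100.7
Nov 20 12:45:00 gw in.ftpd[431]: connect from 198.51.100.7
Nov 20 13:50:00 gw in.fingerd[440]: connect from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s(?P<svc>[\w.\-]+)\[\d+\]:\s"
    r"(?:refused\s)?connect from (?P<src>\S+)$")

def parse(text, year=1996):
    """Yield (timestamp, source, service) for each wrapper connect line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated syslog lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["svc"]

def find_scanners(text, min_services=4, window=timedelta(seconds=60)):
    """Return {source: services} for sources that reached min_services
    distinct services inside one sliding window (thresholds are assumptions)."""
    by_src = defaultdict(list)
    for ts, src, svc in parse(text):
        by_src[src].append((ts, svc))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window start forward
            services = {svc for _, svc in events[start:end + 1]}
            if len(services) >= min_services:
                flagged[src] = sorted(services)
                break
    return flagged
```

Nothing in the check depends on which tool opened the connections; it keys only on one source reaching many services quickly, and refused and accepted connects count the same.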