[764] in Intrusion Detection Systems
Re: Netcat probing, logs and detection
daemon@ATHENA.MIT.EDU (Mark_W_Loveless@smtp.bnr.com)
Sat Nov 23 15:06:27 1996
From: Mark_W_Loveless@smtp.bnr.com
Date: Thu, 21 Nov 96 11:48:33 CST
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au
1 - Netcat has as one of its features the ability to do port scanning.
But it is a command line utility with dozens of features.
2 - The logs would not provide much. There ARE several scripts that
come with the lastest version to automate probing and are mainly
intended as an example, and I suppose some lame idiot might run those,
but a serious undetected probe using Netcat would require some
adjustments.
3 - Any ids that looks for odd repeated port connections might detect
it, although Netcat does allow you to randomly scan a range of ports
which would defeat some of those. Since it is completely adjustable,
you can get around any ids that 1) looks for sequential port scans 2)
does not look for UDP scanning which Netcat does and 3) any detection
based off of times between connections since you can adjust the time
between each connection probe.
BTW I mainly use Internet Security Scanner for testing. Netcat is nice
for some quick stuff but I mainly use Netcat for some of its other
features. I find the UDP stuff very useful.
Mark.Loveless@bnsf.com
[Quoted Message Deleted]
