[765] in Intrusion Detection Systems
Re: Netcat probing, logs and detection
daemon@ATHENA.MIT.EDU (Peter C. Norton)
Sat Nov 23 15:09:06 1996
Date: Wed, 20 Nov 1996 12:30:11 -0500 (EST)
From: "Peter C. Norton" <spacey@nosleep.net>
To: ids@uow.edu.au
In-Reply-To: <9610188483.AA848336980@mail-out.un.org>
Reply-To: ids@uow.edu.au
On Mon, 18 Nov 1996 adamsb@un.org wrote:
> Date: Mon, 18 Nov 96 08:32:12 EST
> From: adamsb@un.org
> To: ids@uow.edu.au
> Subject: Netcat probing, logs and detection
> 1) Does anyone have any experience using Hobbit's Netcat program
> to probe system vulnerabilities?
Experience, no. But I've read the documentation, and he (Hobbit) provides
some shell scripts and some offhand notes in his README file that should get
anyone really interested in this sort of thing going in no time flat.
> 2) Does anyone have a log of such probing that they would care to post
> or share?
Netcat isn't primarily a probing utility. It is a *very* convenient backend
for someone who wants to try to make such a probe for themselves. If you
have tcp_wrappers properly set up, and try a couple of probes with a service
that you know is being protected by the wrapper, then you should be able to
see what an attack looks like. However, using netcat and any combination of
perl, sh, awk, sed, c, and/or any other programming language, someone could
create a custom attack. On the plus side, if you suspect that someone is
trying to attack you, you can easily use netcat to record exactly what's
going on by having inetd start "nc < filename > /var/log/nc.log.portnum"
where filename is a file containing the standard initial connection for that
service.
> 3) Is there an intrusion detection system that will explicitly
> identify Netcat probes, the same way as Courtney identifies Satan?
When I walk down the street, I know that everyone might look at me (or at
least in my direction). I'm sure some small portion of the people I see in
a day see me, too. I can't tell you how many are thinking of mugging me by
the fact that they're looking at me (BTW, I live in New York City. Other
analogies might work better in other parts of the world). Netcat is
similar. It allows connections to be created, it allows for data to go over
the connection. Until some action is taken over the network, there's no way
to distinguish a connection with netcat from a connection being made by a
news reader, a pop client, an nfs client, or anything else.
For most people, mounting an attack or a probe against you will consist of
duplicating a known attack, so you can try to look for details in your logs
that match material published by the various CERTS, on BugTraq, etc.
However: One little giveaway that someone might be connecting to your system
with netcat by hand (as opposed to using a script) would be typos.
--
Faster isn't better. Better is better.
spacey@sensenet.com
System Administrator at large.
No one else has anything to do with what I say.
I disclaim thee! I disclaim thee! I disclaim thee!
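The inetd-plus-netcat logging trick from the reply above, worked out as an added shell example (it is not code from the original post or from netcat itself): an inetd-style handler that plays back the stored greeting of the real service and appends whatever the peer sends to a per-port log. The inetd.conf line, the script path, the banner file and the REMOTE_HOST variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from netcat itself.
# An inetd-style connection recorder in the spirit of
#   nc < filename > /var/log/nc.log.portnum
# inetd hands the accepted socket to the child as stdin/stdout, so the
# handler sends the stored greeting of the real service (so the peer
# proceeds as usual) and appends everything the peer sends to a per-port log.
#
# Assumed inetd.conf line (hypothetical path and name):
#   smtp stream tcp nowait nobody /usr/local/sbin/record_probe record_probe 25 /etc/banners/smtp
#
# record_probe PORT BANNERFILE [LOGDIR]   (LOGDIR defaults to /var/log)
record_probe() {
    port=$1
    banner=$2
    logdir=${3:-/var/log}
    log="$logdir/nc.log.$port"
    # Plain inetd does not tell the child who connected; if the spawning
    # wrapper exports REMOTE_HOST (an assumption; xinetd does) record it.
    peer=${REMOTE_HOST:-unknown}
    # Greeting first, exactly as the real daemon would send it.
    cat "$banner"
    {
        printf '=== %s port %s from %s ===\n' \
            "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$port" "$peer"
        # cat -v keeps CR, escape and binary probe bytes visible as ^M, ^[, M-x.
        cat -v
        printf '\n=== end ===\n'
    } >> "$log"
}

# count_sessions LOGFILE: number of recorded connections in a log.
count_sessions() {
    grep -c '^=== end ===$' "$1"
}

# Stand-alone demonstration with a constructed SMTP greeting and a
# constructed client session fed through stdin instead of a socket.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf '220 mail.example.test ESMTP ready\r\n' > "$d/smtp.banner"
    printf 'HELO probe.example\r\nQUIT\r\n' | record_probe 25 "$d/smtp.banner" "$d"
    cat "$d/nc.log.25"
fi
```

Run with `--demo` to see one constructed session land in the log; under inetd the same function is reached with the socket on stdin/stdout and no arguments beyond the port and banner path.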