[770] in Intrusion Detection Systems
Re: Netcat probing, logs and detection
daemon@ATHENA.MIT.EDU (Gene Spafford)
Mon Nov 25 18:00:33 1996
To: ids@uow.edu.au
In-Reply-To: Message from *Hobbit* <hobbit@avian.org> of "Wed, 20 Nov 1996 12:35:11 -0500" <199611201735.MAA09249@narq.avian.org>
Date: Sat, 23 Nov 1996 14:54:36 -0500
From: spaf@cs.purdue.edu (Gene Spafford)
Reply-To: ids@uow.edu.au

> Detection can be done just like you'd do any other kind of detection. Looking
> for sequential port scans is probably the wrong approach, and can get very
> noisy. Rather, try deliberately setting up some known passive endpoints as
> traps and monitor for any traffic to those. [Definition of an "endpoint"
> left to the reader.]

This is precisely what "scan-detector" does. See
ftp://coast.cs.purdue.edu/pub/COAST/tools/scan-detector.tar.Z
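The trap-endpoint idea from the quoted message, as an added example that is not code from this thread or from scan-detector: connections to a set of deliberately unused ports (hypothetical values 31337 and 5555) are alerted on after a single hit, beside the sequential-scan heuristic the message argues against, both run over a few constructed log lines.

```python
# Added example, not code from the thread or from scan-detector.
import re
from collections import defaultdict

# Constructed sample log lines: "timestamp src dst port" (nothing real).
SAMPLE_LOG = """\
1 10.0.0.5 192.168.1.10 25
2 10.0.0.5 192.168.1.10 80
3 10.0.0.9 192.168.1.10 31337
4 10.0.0.7 192.168.1.10 21
5 10.0.0.7 192.168.1.10 22
6 10.0.0.7 192.168.1.10 23
7 10.0.0.5 192.168.1.10 31337
"""

# Hypothetical trap ports: nothing legitimate listens there, so any
# connection attempt to one is suspicious by construction.
TRAP_PORTS = {31337, 5555}
LINE_RE = re.compile(r"(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse_log(text):
    """Yield (ts, src, dst, port); skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            yield int(ts), src, dst, int(port)

def trap_alerts(records, trap_ports=TRAP_PORTS):
    """Trap-endpoint detection: a single hit is an alert, no threshold."""
    return [(ts, src, port) for ts, src, _d, port in records if port in trap_ports]

def sequential_scan_alerts(records, run_length=3):
    """Sequential-scan heuristic for comparison: flag a source that hits
    run_length consecutive ports in order. Needs tuning and misses
    non-sequential probes, which is the noise problem the thread raises."""
    by_src = defaultdict(list)
    for _ts, src, _d, port in records:
        by_src[src].append(port)
    alerts = []
    for src, ports in by_src.items():
        for i in range(len(ports) - run_length + 1):
            window = ports[i:i + run_length]
            if all(b == a + 1 for a, b in zip(window, window[1:])):
                alerts.append(src)
                break
    return alerts
```

On the sample, the trap detector flags both sources that touched port 31337 while the sequential heuristic only sees 10.0.0.7 and is silent on the lone probe from 10.0.0.9.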