Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Snort-sigs] TCP sweeps

from [Frank Knobbe] Network Security [Permanent Link]
Subject: RE: [Snort-sigs] TCP sweeps
Date: Mon, 13 Dec 2004 09:46:18 -0600 
On Mon, 2004-12-13 at 09:04, Hazel, Scott A. wrote:

We have dealt with similar issues here using Dragon.  I know the platform is
different but we applied the same approach. I called them spike alerts and
started closer to 500 in 60 seconds. 


An alternative approach would be to use a dark-net, or a dark-segment as
I like to call it. Take an unused IP range and monitor that with an IDS.
If the IDS isn't sitting on a gateway link to that net, use LaBrea to
attract packets for those IP's to the IDS. Then use the rules Michael
Boman re-posted recently to detect access to unused IP address space:

var UNUSED [x.x.x.x,y.y.y.y]  # List your unused IP's here
alert tcp any any -> $UNUSED any (msg:"TCP Port Scan";)
alert udp any any -> $UNUSED any (msg:"UDP Port Scan";)
alert icmp any any -> $UNUSED any (msg:"ICMP Scan";)

The advantage of this approach is that you can trigger on the first
packet (make sure you exclude broadcast/multicast packets as well as
DHCP/bootp discovery/response packets and stuff like that). Especially
if you react with systems like Snortsam, being able to do that on the
first packet is important.

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [Snort-sigs] TCP sweeps, Hazel, Scott A.
Next by Date:  Re: [Snort-sigs] we need support, James Riden
Previous by Thread:  Re: [Snort-sigs] TCP sweeps, Matt Jonkman
Next by Thread:  RE: [Snort-sigs] TCP sweeps, Hazel, Scott A.
Indexes:  [Date] [Thread] [Top] [All Lists]