Subject: Re: Cracked; rootkit - entrapment question?
From: Chuck Phillips (cdp PEAKPEAK.COM)
Date: Fri Mar 03 2000 - 09:33:31 CST

1Lt Rob Lee writes:
> 1. Consensual Monitor: This is a monitor that is limited to only being
> able to monitor on ports that are bannered. If your SUBJECT has not seen a
> banner you cannot monitor from that port or IP. You can only monitor on
> ports that do have banners for ANY IP incoming into that machine. You can
> only monitor the SUBJECT's IP on ANY port ONLY if you can show that the
> SUBJECT has seen the banner at least once.

For stuff like telnet, FTP and even SMTP, "appropriate use" banners are
just good practice for any machine, even on an internal protected network.
However, there are other protocols with no provisions for banners, e.g.,
NFS. What can be done for these services?

ALSO, if a script kiddie uses, of all things, a *script* and never sees the
banner, would this make monitoring illegal?

ALSO, if you're a privately hired security professional (as opposed to a
criminal law enforcement professional), does this restriction still apply?

Chuck