maxxSECURITE.ORG

• Next message: Randy Mclean: "Re: SMB / NetBIOS Connections"
• Previous message: Jonathan Stade: "Re: SMB scans"
• In reply to: Kirklin Spencer: "Assistance and advice request"
• Next in thread: Bill Pennington: "Re: Assistance and advice request"
• Reply: Michel Kaempf: "Re: Assistance and advice request"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jul 27, 2000, Kirklin Spencer wrote:
> Situation two. Slow Scan.
> to suspect that it is a probe. Again, what tools might I use and how should
> I be using them (and who should I be telling)?

I can tell you how I handle slow scans with snort, perhaps it will give
you some ideas, perhaps we can find a better way to handle them.

I use snort to monitor a huge network, both the subnet hosts and the
internet hosts are monitored. As I use the excellent snort rules from

        http://www.snort.org/

I realized that a tool was needed to sort the snort alert files. And I
don't use the portscan preprocessor, because I find setting arbitrary
values of timing and repetition in order to detect portscans is not
reliable, it cannot detect slow scans, and it triggers a lot of false
positives.

I wrote a little program, 5n0r7, which sorts the snort alert files, and
allows one to easily find out attacks by looking at 5n0r7's output. If
you run 5n0r7 on an alert file that is beeing filled by snort for a long
time, you will see the slow scans. You can downloadf it from

        ftp://snort.via.ecp.fr/5n0r7/5n0r7.c

I will write a second version as soon as possible because I need a bunch
of new features. I hope you can find it useful.

Best regards,

--
MaXX

• Next message: Randy Mclean: "Re: SMB / NetBIOS Connections"
• Previous message: Jonathan Stade: "Re: SMB scans"
• In reply to: Kirklin Spencer: "Assistance and advice request"
• Next in thread: Bill Pennington: "Re: Assistance and advice request"
• Reply: Michel Kaempf: "Re: Assistance and advice request"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]