Subject: Re: Identifying scanning tools from ids logs
From: William Miller (miller at SJ.COUNTERPANE.COM)
Date: Fri Jun 02 2000 - 07:00:48 CDT
- Next message: Michael Ungar: "(no subject)"
- Previous message: Paul Rice: "Identifying scanning tools from ids logs"
- Maybe in reply to: Paul Rice: "Identifying scanning tools from ids logs"
- Maybe reply: William Miller: "Re: Identifying scanning tools from ids logs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
All,
I have been looking at queso recently and here are some of the results I
have found.
When scanning ports queso sends out the following:
6 SYNs
2 SYN|FIN
4 FINs
2 PSH
Hopefully this is somewhat helpful.
Toby
-----Original Message-----
From: Paul Rice [mailto:paulrice at XSITE.NET]
Sent: Tuesday, May 30, 2000 5:00 PM
To: FOCUS-IDS at SECURITYFOCUS.COM
Subject: Identifying scanning tools from ids logs
Hello,
I hope that this is an appropriate forum for my question.
Is there a good resource (web page, book, faq, etc.?) that describes how to
deduce the scanning tool from common ids log files?
I have searched google, Security Focus, and PacketStorm for information
regarding this and not found anything useful.
My question was prompted by the challenge posted on Lance Spitzner's web
page (http://www.enteract.com/~lspitz/papers.html) in which he presents a
snort logfile and asks which tool created that signature. Being a relative
newcomer, I am familiar with the signatures created by nmap (v2.52), Sscan,
and hping, but not others.
Anyone have a resource for common signatures based on scanning tool? I am
looking for a resource that identifies source port, common TCP flags, or
any other unique identifying characteristics which would narrow down which
tool was used to scan my network.
Thank you,
Paul
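As an added example (not code from either poster), the following Python script does the kind of matching Paul asks about: it tallies TCP flag combinations per source host from tcpdump-style log lines and compares each host's histogram with the queso pattern quoted in the reply above (6 SYN, 2 SYN|FIN, 4 FIN, 2 PSH). The line format, the sample lines, the similarity threshold and the "syn-only" fallback label are assumptions of this example; only the queso counts come from the post.

```python
"""Fingerprint port-scanning tools from per-host TCP flag histograms.

Added example, not from the mailing-list post. The queso counts in
SIGNATURES are the ones quoted in the reply; everything else (log format,
sample lines, threshold) is constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed tcpdump-style line format (an assumption of this example):
#   HH:MM:SS.ffffff SRC.SPORT > DST.DPORT: FLAGS
# FLAGS uses tcpdump letters: S=SYN F=FIN P=PSH R=RST U=URG, '.'=ACK.
LINE_RE = re.compile(
    r"^\S+\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>[SFPRU.]+)"
)

FLAG_ORDER = "SFRPAU"  # canonical order so "FS" and "SF" compare equal


def canon_flags(raw):
    """Map a tcpdump flag string to a canonical letter string ('.' -> 'A')."""
    present = {("A" if c == "." else c) for c in raw}
    return "".join(f for f in FLAG_ORDER if f in present)


# Per-tool histogram of flag combinations. Only the queso entry is taken
# from the post; other tools' observed patterns would be added here.
SIGNATURES = {
    "queso": Counter({"S": 6, "SF": 2, "F": 4, "P": 2}),
}


def flag_histograms(lines):
    """Return {src_ip: Counter(flag_combo -> count)} over parseable lines."""
    per_src = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            per_src[m["src"]][canon_flags(m["flags"])] += 1
    return per_src


def similarity(hist, sig):
    """Share of the signature's packets seen in hist. A dropped probe lowers
    the score a little; a flood of unrelated packets lowers it a lot."""
    overlap = sum(min(hist[k], sig[k]) for k in sig)
    total = max(sum(sig.values()), sum(hist.values()))
    return overlap / total


def classify(hist, threshold=0.85):
    """Best-scoring signature at or above threshold, else a generic label."""
    best_name, best_score = None, 0.0
    for name, sig in SIGNATURES.items():
        score = similarity(hist, sig)
        if score > best_score:
            best_name, best_score = name, score
    if best_name and best_score >= threshold:
        return best_name, round(best_score, 2)
    if set(hist) == {"S"}:
        return "syn-only probes (tool not fingerprinted)", 0.0
    return "no scanner signature", 0.0


def _probe(src, sport, flags, ts="12:00:00.000000"):
    """Build one constructed log line aimed at a fixed target port."""
    return f"{ts} {src}.{sport} > 192.168.1.10.80: {flags}"


# Constructed sample: a queso run from 10.0.0.5, SYN-only probes from
# 10.0.0.9, and an ordinary three-way handshake from 10.0.0.7.
SAMPLE_LOG = (
    [_probe("10.0.0.5", 40000 + i, "S") for i in range(6)]
    + [_probe("10.0.0.5", 40006, "SF"), _probe("10.0.0.5", 40007, "FS")]
    + [_probe("10.0.0.5", 40008 + i, "F") for i in range(4)]
    + [_probe("10.0.0.5", 40012, "P"), _probe("10.0.0.5", 40013, "P")]
    + [f"12:00:05.000000 10.0.0.9.51000 > 192.168.1.10.{p}: S"
       for p in (21, 22, 23, 25, 80)]
    + [
        "12:00:09.000000 10.0.0.7.52000 > 192.168.1.10.80: S",
        "12:00:09.000100 192.168.1.10.80 > 10.0.0.7.52000: S.",
        "12:00:09.000200 10.0.0.7.52000 > 192.168.1.10.80: .",
        "12:00:09.000300 10.0.0.7.52000 > 192.168.1.10.80: P.",
    ]
)


def report(lines):
    """Classify every source host seen in the log."""
    return {src: classify(hist) for src, hist in flag_histograms(lines).items()}


if __name__ == "__main__":
    for src, (label, score) in sorted(report(SAMPLE_LOG).items()):
        print(f"{src:15} {label} ({score})")
```

The histogram approach keys on the flag mix rather than source port, so it still matches when one probe of the queso burst is lost (13 of 14 packets scores 0.93 against a 0.85 threshold), while a plain SYN sweep or a normal handshake falls through to the generic labels. Signatures for other tools go into SIGNATURES once their flag patterns have been observed in your own logs.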