From: Robert Kinsey - VIS Contractor (robert.kinseysorta.kelly.af.mil)
Date: Wed May 30 2001 - 08:00:19 CDT
I have a question on part of Chad's response.
How would you validate a half scan? What I mean is a potential attacker
conducting the first part of an attack which shows up in the NIDS/HIDS but
is never completed. The attacker has gained some information about the
targeted network based on the responses (or lack) and may be using that
information for a later full attack.
Shouldn't this be considered a false positive? Or would (should) it be
added to the db for later correlation?
-- ROBERT KINSEY - Analyst, Virus Analysis Team, AFCERT
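One way to implement the "add it to the db for later correlation" option raised above, as an added example that is not part of the original thread: a small correlator over constructed NIDS alert records that keeps every half-open probe per source instead of discarding it, and only raises a finding when probes accumulate or a later completed connection hits a port that source probed earlier. The record layout, the one-hour window and the probe threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (hypothetical NIDS export), not real traffic.
# Fields: timestamp, source, destination, port, kind.
# "half" = SYN seen but handshake never completed; "full" = completed connection.
SAMPLE_EVENTS = [
    ("2001-05-30 08:00:01", "10.9.8.7", "192.0.2.10", 22, "half"),
    ("2001-05-30 08:00:02", "10.9.8.7", "192.0.2.10", 25, "half"),
    ("2001-05-30 08:00:02", "10.9.8.7", "192.0.2.10", 80, "half"),
    ("2001-05-30 08:00:03", "10.9.8.7", "192.0.2.11", 80, "half"),
    ("2001-05-30 08:05:00", "10.9.8.7", "192.0.2.10", 25, "full"),   # returns to a probed port
    ("2001-05-30 08:30:00", "172.16.5.5", "192.0.2.10", 443, "half"),  # lone stray SYN
    ("2001-05-30 09:30:00", "10.9.8.7", "192.0.2.10", 25, "full"),   # probes have aged out
]


def correlate(events, window=timedelta(hours=1), probe_threshold=3):
    """Replay events in time order and return a list of correlated findings.

    Half-open probes are never treated as false positives: each is stored
    per source so later events from that source can be judged against it.
    A lone probe produces no finding on its own, only a stored record.
    """
    probes = defaultdict(list)   # src -> [(time, dst, port)] of half-open probes
    flagged_scan = set()         # sources already reported as scanning
    findings = []
    for ts, src, dst, port, kind in sorted(events, key=lambda e: e[0]):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        # Forget this source's probes that have aged out of the window.
        probes[src] = [p for p in probes[src] if t - p[0] <= window]
        if kind == "half":
            probes[src].append((t, dst, port))
            distinct = {(d, p) for _, d, p in probes[src]}
            if len(distinct) >= probe_threshold and src not in flagged_scan:
                flagged_scan.add(src)
                findings.append(("scan", src, len(distinct)))
        elif kind == "full":
            # A completed connection to a host:port this source half-probed earlier.
            if any(d == dst and p == port for _, d, p in probes[src]):
                findings.append(("probe_then_connect", src, f"{dst}:{port}"))
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The stray SYN from 172.16.5.5 yields no finding but stays in the store, which is the point: it is neither alerted on nor thrown away.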