[Intrusions] [LOGS] Summary of large-scale portscanning detects
Barry Fitzgerald
bkfsec at sdf.lonestar.org
Thu Sep 16 14:05:26 GMT 2004
Jason "JC" Monroe wrote:
>
> Since you are so kind as to send these reports every day would you
> consider taking another step and potentially identify the remote
> operating system making use of passive analysis (p0f, etc...) and
> providing that info in another column of your report?
>
I can think of a number of reasons why he wouldn't want to do this.
First, since these are firewall logs that would be a counter-scan.
Second, if the attacker were looking for a response, it could be
detected by the attacker and might bring interest to the network.
Third, if the system sending the p0f scan were the firewall itself, it
could expose information about the firewall.
And, lastly, considering these are generic log detections, what would
having the host OS of the scanner provide you? I agree that the data
would be interesting, but if someone - for instance - compiles the DCom
exploits on cygwin on a winXP machine and someone else does so on a
GNU/Linux machine, I fail to see how having a list of 60,000 disparate
OSes that tried to contact port 139 on separate systems is useful.
Sure, for the individual attack case, knowing something about the
attacker is useful... but parsing this particular list is questionable
at best.
-Barry
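As an added illustration of what the p0f-style column Jason asks for would actually involve (this is example code written for this archive page, not p0f and not anything either poster ran): a passive fingerprinter reads the attacker's own SYN as the firewall already logged it (TTL, DF bit, window size) and looks those up in a signature table. The log lines below are constructed iptables-style LOG output, the signature table is an assumed, hand-picked subset and not p0f's real database, and the function and variable names are this example's own. The last sample line, a SYN whose attributes match no stack, shows the case Barry raises: a tool that crafts its own packets tells you nothing reliable about the host it runs on.

```python
"""Passive OS guessing from firewall SYN logs, p0f-style (added example).

The log lines and the signature table are constructed for this example;
the OS labels are illustrative assumptions, not a fingerprint database.
"""
from collections import Counter, defaultdict

# Constructed iptables-style LOG lines: SYNs dropped at the firewall.
SAMPLE_LOG = """\
Sep 16 13:01:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 ID=4711 DF PROTO=TCP SPT=33012 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 16 13:01:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.21 DST=192.0.2.10 LEN=48 TTL=115 ID=9 DF PROTO=TCP SPT=1133 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 16 13:02:17 fw kernel: IN=eth0 OUT= SRC=198.51.100.40 DST=192.0.2.11 LEN=48 TTL=120 ID=301 DF PROTO=TCP SPT=1025 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 16 13:03:44 fw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 LEN=60 TTL=58 ID=0 DF PROTO=TCP SPT=40000 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 16 13:04:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 ID=4712 DF PROTO=TCP SPT=33013 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 16 13:05:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 LEN=40 TTL=37 ID=1 PROTO=TCP SPT=6000 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Assumed signatures: (label, initial TTL, DF set, plausible SYN window sizes).
# Hand-picked for the example; a real deployment would load p0f's own table.
SIGNATURES = [
    ("Linux 2.4/2.6",   64,  True, {5840, 5792}),
    ("FreeBSD 4.x/5.x", 64,  True, {65535}),
    ("Windows 2000",    128, True, {16384}),
    ("Windows XP",      128, True, {65535, 64240}),
]


def parse_line(line):
    """Split an iptables LOG line into key=value fields and bare flag tokens."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok.isupper():          # DF, SYN, ACK, RST ...
            flags.add(tok)
    return fields, flags


def initial_ttl(observed):
    """Round the observed TTL up to the nearest common initial value."""
    for base in (64, 128, 255):
        if observed <= base:
            return base
    return None


def fingerprint(line):
    """Return (src, dpt, os_guess, hop_distance) for a bare SYN, else None."""
    fields, flags = parse_line(line)
    if fields.get("PROTO") != "TCP" or "SYN" not in flags or "ACK" in flags:
        return None
    ttl = int(fields["TTL"])
    base = initial_ttl(ttl)
    df = "DF" in flags
    window = int(fields["WINDOW"])
    matches = [name for name, sig_ttl, sig_df, windows in SIGNATURES
               if sig_ttl == base and sig_df == df and window in windows]
    # Several stacks can share one signature; report all of them rather than guess.
    guess = "/".join(matches) if matches else "unknown"
    distance = base - ttl if base is not None else None
    return fields["SRC"], int(fields["DPT"]), guess, distance


def summarize(log_text):
    """Count OS guesses per destination port, one vote per (source, port)."""
    seen = set()
    per_port = defaultdict(Counter)
    for line in log_text.splitlines():
        fp = fingerprint(line)
        if fp is None:
            continue
        src, dpt, guess, _ = fp
        if (src, dpt) in seen:       # a scanner retrying does not get extra votes
            continue
        seen.add((src, dpt))
        per_port[dpt][guess] += 1
    return {port: dict(counts) for port, counts in per_port.items()}


if __name__ == "__main__":
    for port, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(port, counts)
```

Everything here is derived from fields the firewall already wrote, so the lookup adds nothing to the wire; what it cannot do is distinguish a Windows box from a Linux box running an exploit under cygwin once the tool builds its own packets, which is why the raw-socket SYN (no DF, window 1024) lands in the "unknown" bucket and why the per-port tally reads as a scattering of stacks rather than a single attacker profile.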