[Intrusions] [LOGS] Summary of large-scale portscanning detects
Kyle Maxwell
krmaxwell at gmail.com
Fri Sep 17 13:22:14 GMT 2004
On Thu, 16 Sep 2004 10:05:26 -0400, Barry Fitzgerald <bkfsec at sdf.lonestar.org> wrote:
> First, since these are firewall logs that would be a counter-scan.
> Second, if the attacker were looking for a response, it could be
> detected by the attacker and might bring interest to the network.
> Third, if the system sending the p0f scan were the firewall itself, it
> could expose information about the firewall.
p0f is a passive tool (as the poster specified) and does not scan any
hosts; it uses the characteristics of each operating system to look
for "fingerprints" in the packets, to see if the scan packets
themselves identify their source OS. See
http://lcamtuf.coredump.cx/p0f.shtml for more information.
That said, it's a bit of work to script that together, and I'm not sure
how relevant that data would be for the purpose for which Ken is posting
his logs. Folks interested in OS or other data could always gather it on
their own networks. The data can be interesting (though not
necessarily interesting to report to others) to give you an idea of
what's going on in your own network.
--
Kyle Maxwell
[krmaxwell at gmail.com]
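As an added illustration of the passive fingerprinting Kyle describes (not code from the thread or from p0f itself): the signature table, the SYN field records and the OS labels below are all constructed for the example, and are not p0f's real database or format. It only inspects attributes already captured from inbound SYNs, so nothing is ever sent back toward the scanning host.

```python
"""Toy passive OS fingerprinting of scan SYNs, in the spirit of p0f.

SIGNATURES and SAMPLE_SYNS are constructed for illustration; they are NOT
p0f's signature database. A real perimeter sensor would fill SynFeatures
from its own packet capture of inbound SYNs.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SynFeatures:
    ttl: int        # observed IP TTL (decremented once per hop en route)
    window: int     # TCP window size advertised in the SYN
    df: bool        # IP "don't fragment" bit
    options: tuple  # TCP option names in on-the-wire order


# Constructed signatures: (initial TTL, window, DF, option layout) -> label.
SIGNATURES = {
    (64, 5840, True, ("mss", "sackok", "ts", "nop", "wscale")): "linux",
    (128, 65535, True, ("mss", "nop", "wscale", "nop", "nop", "sackok")): "windows",
    (64, 65535, True, ("mss", "nop", "wscale", "sackok", "ts")): "freebsd",
    (255, 4096, False, ("mss",)): "solaris",
}

INITIAL_TTLS = (32, 64, 128, 255)  # common stack defaults, ascending


def guess_initial_ttl(observed: int) -> int:
    """The observed TTL is at most the sender's initial TTL: round up to the next default."""
    return next((c for c in INITIAL_TTLS if observed <= c), 255)


def fingerprint(pkt: SynFeatures) -> tuple[str, int]:
    """Return (OS label or 'unknown', estimated hop distance) for one captured SYN."""
    init_ttl = guess_initial_ttl(pkt.ttl)
    label = SIGNATURES.get((init_ttl, pkt.window, pkt.df, pkt.options), "unknown")
    return label, init_ttl - pkt.ttl


def summarize(packets) -> dict[str, int]:
    """Tally the apparent source OS across a batch of captured scan SYNs."""
    return dict(Counter(fingerprint(p)[0] for p in packets))


# Constructed sample SYNs standing in for what a firewall sensor would record.
SAMPLE_SYNS = [
    SynFeatures(52, 5840, True, ("mss", "sackok", "ts", "nop", "wscale")),
    SynFeatures(115, 65535, True, ("mss", "nop", "wscale", "nop", "nop", "sackok")),
    SynFeatures(59, 5840, True, ("mss", "sackok", "ts", "nop", "wscale")),
    SynFeatures(250, 1024, False, ("mss",)),  # matches nothing in the table
]
```

Because matching is exact on window and option layout, anything a stack or middlebox rewrites lands in "unknown", which is why p0f's real signatures are far more tolerant than this toy table.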