[Dshield] Tracking and Reporting Probes

John Hardin johnh at aproposretail.com
Thu Mar 28 21:02:14 GMT 2002

On Thu, 2002-03-28 at 10:24, Clint Byrum wrote:
> On Wed, 2002-03-27 at 17:25, John Hardin wrote:
> > On Wed, 2002-03-27 at 16:49, Bill McCarty wrote:
> > 
> > No, I was actually wondering about how LaBrea responds to a stealth
> > scan. I don't suppose there's any reasonable way *to* respond to a
> > stealth scan...
> > 
> Unless I'm mistaken, the "Stealth" scan simply sends a SYN and moves
> on.. 

What I'm not sure about is whether it cares *what* the response is past
a RST.

> So LaBrea would show up as a host with all ports open.

Which is good. We're polluting his database then.

> This makes me wonder. I've seen people asking about log analyzers for
> LaBrea... is there a LaBrea logs -> DShield format program out there?
> Should there be?

In my case it'd be redundant. The tarpitted packets are already being
blocked by the firewall, which gets reported to dshield. In fact,
tarpitting is *magnifying* the apparent size of the attack since I'm now
reporting all of the subsequent 1-byte packets.

John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
 "They [media giants] have no idea how to do business with resourceful
  human beings rather than passive vegetables. So they run to [the]
  government for protection."
                    -- Doc Searls on the SSSCA, in Linux Journal
 48 days until Star Wars episode II: Attack of the Clones

More information about the list mailing list