What do you use for an IDS? Is it network or host-based (both?) What is
the simplest way to detect and report on port scans?
I want to take a more proactive stance on security, but I also don't want
to get too wrapped up in it. What's the simplest yet effective toolkit?
I don't need pretty front ends, I'd prefer automated scripts...
d$hahin
On Thu, 31 May 2001, Daniel Trudell wrote:
> I don't think it's so scary. I get scanned several times a day from
> different IPs. The key here is that we can tune our IDSes to look for
> gnutella. Remember that duping people takes people skills, but using
> script kiddie tools takes none.
>
> What's scary is securityfocus's analysis of the protocol. Those
> theoretical exploits combined with distributed scanning and footprinting
> gets scary
>
> tack
>
> On Thu, 31 May 2001, Sach Jobb wrote:
>
> > Tack, that is outright scary.
> >
> > On Thu, 31 May 2001, Erik Curiel wrote:
> >
> > >
> > > Well, shit, even if no one else is doing it yet, it sounds like a pretty
> > > good idea to me! I say we do it.
> > >
> > > E
> > >
> > > On Thu, 31 May 2001, Daniel Trudell wrote:
> > >
> > > > ok, so maybe this could be called "entry n in the diary of a
> > > > /var/log/messages junkie"
> > > >
> > > > Gnutella's port is 6346. As a brief refresher....gnutella is like Napster
> > > > with no central server. Every peer is also a search server.
> > > >
> > > > So anyway....it's fairly distributed, and you can make your own client,
> > > > seeing as how the protocol is open source. Well, a common way to beat
> > > > intrusion detection is to do each probe from a separate IP. I've started
> > > > to see denied packets (oh miraculous tcpwrappers, I worship thee) in my
> > > > logs with a source port of 6346 (gnutty) and high level dest ports
> > > > corresponding to various proxy servers.
> > > >
> > > > So with enough paranoia, tequila and inference it becomes possible that
> > > > people are using gnutella to distribute the sources of sweeps and scans,
> > > > thereby beating IDS's. It is also possible that a gnutty client out there
> > > > has a very aggressive discovery phase implementation.
> > > >
> > > > Anybody noticed anything similar? It seems much more efficient than
> > > > cracking boxen to launder identity...dupe people into running your scanner
> > > > in the background by giving them trojaned gnutella clients...or at least
> > > > superimposing your probe on top of a gnutella request.
> > > >
> > > > tack
> > > >
> > > > -------------------------------------------------------
> > > > "My Penguin style Kung-Fu will beat your Redmond style"
> > > >
> > > >
> > >
> > >
> >
> >
>
>
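An added example of the kind of automated, no-front-end script the question at the top asks for; it is not code from anyone in this thread. It runs over packet-filter deny lines and reports two things: the classic single-source port scan, and the pattern tack describes (many different source IPs, all with source port 6346, each touching one of the high proxy-style ports on the same host), which a per-source-IP threshold would never trip. Assumptions, all labelled in the code: the deny lines follow the ipchains "Packet log" layout `PROTO=<n> <src>:<sport> <dst>:<dport>`, the sample lines are constructed, the thresholds (5 distinct ports from one source, 3 distinct sources sharing source port 6346) are arbitrary starting points, and a 6346 -> 6346 connection is treated as ordinary peer traffic rather than a probe.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample deny lines (not from the thread): four different source
# IPs all using source port 6346 against proxy-style ports on one host, one
# ordinary single-source scan, one real Gnutella peer (6346 -> 6346), and a
# tcpwrappers line that carries no port fields and is skipped by the parser.
SAMPLE_LOG = """\
May 31 10:01:02 gw kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.10:6346 192.0.2.5:8080 L=60 S=0x00 I=1 F=0x4000 T=51 SYN (#1)
May 31 10:01:05 gw kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.11:6346 192.0.2.5:3128 L=60 S=0x00 I=2 F=0x4000 T=51 SYN (#1)
May 31 10:01:09 gw kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.12:6346 192.0.2.5:1080 L=60 S=0x00 I=3 F=0x4000 T=51 SYN (#1)
May 31 10:01:13 gw kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.13:6346 192.0.2.5:8000 L=60 S=0x00 I=4 F=0x4000 T=51 SYN (#1)
May 31 10:02:00 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:44021 192.0.2.5:21 L=60 S=0x00 I=5 F=0x4000 T=51 SYN (#1)
May 31 10:02:00 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:44022 192.0.2.5:22 L=60 S=0x00 I=6 F=0x4000 T=51 SYN (#1)
May 31 10:02:01 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:44023 192.0.2.5:23 L=60 S=0x00 I=7 F=0x4000 T=51 SYN (#1)
May 31 10:02:01 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:44024 192.0.2.5:25 L=60 S=0x00 I=8 F=0x4000 T=51 SYN (#1)
May 31 10:02:02 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:44025 192.0.2.5:80 L=60 S=0x00 I=9 F=0x4000 T=51 SYN (#1)
May 31 10:02:02 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:44026 192.0.2.5:110 L=60 S=0x00 I=10 F=0x4000 T=51 SYN (#1)
May 31 10:03:00 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:6346 192.0.2.5:6346 L=60 S=0x00 I=11 F=0x4000 T=51 SYN (#1)
May 31 10:04:00 gw in.telnetd[1234]: refused connect from 203.0.113.7
"""

Deny = namedtuple("Deny", "src sport dst dport proto")

# Assumed ipchains-style field order: PROTO=<n> <src>:<sport> <dst>:<dport>.
DENY_RE = re.compile(
    r"PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

GNUTELLA_PORT = 6346


def parse_denies(text):
    """Extract (src, sport, dst, dport, proto) from every line that carries
    the packet-filter fields; lines without them (tcpwrappers) are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            events.append(Deny(m["src"], int(m["sport"]), m["dst"],
                               int(m["dport"]), int(m["proto"])))
    return events


def find_port_scans(events, min_ports=5):
    """Classic scan: one source IP touching many distinct ports on one host.
    Returns {(src, dst): sorted ports} for pairs at or above the threshold."""
    ports = defaultdict(set)
    for e in events:
        ports[(e.src, e.dst)].add(e.dport)
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


def find_distributed_sweeps(events, sport=GNUTELLA_PORT, min_sources=3):
    """Distributed sweep keyed on a shared source port: many different source
    IPs, all with source port `sport`, probing other ports on one target.
    Each source alone stays under the per-source threshold, so the grouping
    key is the target plus the tell-tale source port, not the source IP.
    Genuine peer traffic (sport == dport == 6346) is excluded (assumption)."""
    per_target = defaultdict(lambda: {"sources": set(), "dports": set()})
    for e in events:
        if e.sport == sport and e.dport != sport:
            per_target[e.dst]["sources"].add(e.src)
            per_target[e.dst]["dports"].add(e.dport)
    return {dst: {"sources": sorted(v["sources"]), "dports": sorted(v["dports"])}
            for dst, v in per_target.items() if len(v["sources"]) >= min_sources}


def report(text):
    """One alert line per finding, suitable for piping into mail or syslog."""
    events = parse_denies(text)
    alerts = []
    for (src, dst), ports in sorted(find_port_scans(events).items()):
        alerts.append(f"PORTSCAN {src} -> {dst} ports={ports}")
    for dst, v in sorted(find_distributed_sweeps(events).items()):
        alerts.append(f"DISTRIBUTED-SWEEP sport={GNUTELLA_PORT} -> {dst} "
                      f"sources={len(v['sources'])} dports={v['dports']}")
    return alerts


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run from cron with the log tail piped into `report()` and mail anything it prints. The worthwhile design point is the grouping key: the per-source count catches 203.0.113.7 but sees only one port per host for the 10.1.1.x probes, so it is the (target, source port 6346) aggregate that exposes the sweep; the same idea applies to any source port or TTL value a scanner leaves constant across laundered source addresses.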