It depends on your needs. I have a home LAN, and my largest threat is
script kiddies. So I'm using the psionic suite (portsentry et al). It
allows you to see probes, set rules for what to consider an attack, and
write custom scripts for immediate and remedial action. This is good for
networked or off-site logging, and coordination with a dedicated IDS box.
For larger sites, you may want to check out some of the bigger deals.
They can detect by attack pattern (like virus software), by anomaly
detection (teach it what's normal and look for strays from the norm) or a
combination of both.
tack
On Fri, 1 Jun 2001, heretic wrote:
> what do you use for an IDS? is it network or host-based (both?) What is
> the simplest way to detect and report on port scans?
>
> I want to take a more proactive stance on security, but I also don't want
> to get too wrapped up in it. What's the simplest yet effective toolkit?
> I don't need pretty front ends, I'd prefer automated scripts...
>
> d$hahin
>
> On Thu, 31 May 2001, Daniel Trudell wrote:
>
> > I don't think it's so scary. I get scanned several times a day from
> > different IPs. The key here is that we can tune our IDSes to look for
> > gnutella. Remember that duping people takes people skills, but using
> > script kiddie tools takes none.
> >
> > What's scary is securityfocus's analysis of the protocol. Those
> > theoretical exploits combined with distributed scanning and footprinting
> > gets scary
> >
> > tack
> >
> > On Thu, 31 May 2001, Sach Jobb wrote:
> >
> > > Tack, that is outright scary.
> > >
> > > On Thu, 31 May 2001, Erik Curiel wrote:
> > >
> > > >
> > > > Well, shit, even if no one else is doing it yet, it sounds like a pretty
> > > > good idea to me! I say we do it.
> > > >
> > > > E
> > > >
> > > > On Thu, 31 May 2001, Daniel Trudell wrote:
> > > >
> > > > > ok, so maybe this could be called "entry n in the diary of a
> > > > > /var/log/messages junkie"
> > > > >
> > > > > Gnutella's port is 6346. As a brief refresher....gnutella is like napster
> > > > > with no central server. every peer is also a search server.
> > > > >
> > > > > So anyway....it's fairly distributed, and you can make your own client,
> > > > > seeing as how the protocol is open source. Well, a common way to beat
> > > > > intrusion detection is to do each probe from a separate IP. I've started
> > > > > to see denied packets (oh miraculous tcpwrappers, I worship thee) in my
> > > > > logs with a source port of 6346 (gnutty) and high level dest ports
> > > > > corresponding to various proxy servers.
> > > > >
> > > > > So with enough paranoia, tequila and inference it becomes possible that
> > > > > people are using gnutella to distribute the sources of sweeps and scans,
> > > > > thereby beating IDSes. It is also possible that a gnutty client out there
> > > > > has a very aggressive discovery phase implementation.
> > > > >
> > > > > Anybody noticed anything similar? It seems much more efficient than
> > > > > cracking boxen to launder identity...dupe people into running your scanner
> > > > > in the background by giving them trojaned gnutella clients...or at least
> > > > > superimposing your probe on top of a gnutella request.
> > > > >
> > > > > tack
> > > > >
> > > > > -------------------------------------------------------
> > > > > "My Penguin style Kung-Fu will beat your Redmond style"
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
--
"My Penguin style Kung-Fu will beat your Redmond style"
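The thread describes two things a home-LAN defender can script without a big IDS: the observation further down of denied packets with source port 6346 (gnutella) aimed at proxy ports from many distinct IPs, and the top reply's point about setting a rule for what counts as an attack. The example below is added here and is not code from any poster in the thread, nor from portsentry. It parses a constructed, simplified "DENY" log format (real ipchains/tcpwrappers lines differ and would need their own regex), groups denied packets with source port 6346 by destination proxy port, and reports a port as a probable distributed sweep once it has been hit from a threshold number of distinct sources. The proxy port set and the `min_sources` threshold are assumptions for the demo.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified, made-up "DENY" format; real
# firewall or tcpwrappers log formats differ and need their own pattern.
SAMPLE_LOG = """\
Jun  1 02:11:04 gw kernel: DENY tcp src=198.51.100.7:6346 dst=192.0.2.10:8080
Jun  1 02:11:09 gw kernel: DENY tcp src=198.51.100.23:6346 dst=192.0.2.10:8080
Jun  1 02:11:15 gw kernel: DENY tcp src=203.0.113.4:6346 dst=192.0.2.10:8080
Jun  1 02:11:20 gw kernel: DENY tcp src=203.0.113.77:6346 dst=192.0.2.10:8080
Jun  1 02:11:31 gw kernel: DENY tcp src=203.0.113.4:6346 dst=192.0.2.10:3128
Jun  1 02:12:02 gw kernel: DENY tcp src=198.51.100.7:40113 dst=192.0.2.10:8080
Jun  1 02:12:40 gw sshd[412]: Accepted publickey for tack from 192.0.2.2
"""

GNUTELLA_PORT = 6346
# Ports this example treats as "proxy" ports (an assumption for the demo).
PROXY_PORTS = {1080, 3128, 8000, 8080}

LINE_RE = re.compile(
    r"DENY tcp src=(?P<sip>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"dst=(?P<dip>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port), or None for lines that
    are not denied-packet records in the constructed format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["sip"], int(m["sport"]), m["dip"], int(m["dport"])


def find_distributed_probes(lines, min_sources=3):
    """Collect distinct source IPs per destination proxy port for denied
    packets whose source port is 6346, and return only the ports hit from
    at least min_sources different IPs (the 'what counts as an attack' rule)."""
    sources_by_port = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sip, sport, _dip, dport = rec
        if sport == GNUTELLA_PORT and dport in PROXY_PORTS:
            sources_by_port[dport].add(sip)
    return {
        port: sorted(ips)
        for port, ips in sources_by_port.items()
        if len(ips) >= min_sources
    }


if __name__ == "__main__":
    hits = find_distributed_probes(SAMPLE_LOG.splitlines())
    for port, ips in sorted(hits.items()):
        print(f"port {port}: {len(ips)} distinct sources with sport "
              f"{GNUTELLA_PORT}: {', '.join(ips)}")
```

Run against the sample, port 8080 is reported (four distinct sources, the 40113-sourced line is ignored) while the single hit on 3128 stays below the threshold. In a cron job the same function could feed the "remedial action" script the top reply mentions, with the threshold tuned to how noisy a given link is.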