On Tue, 1 Jul 2003, Aviram Jenik wrote:
> "Idle scan" will actually work quite nicely here (I'm sure one of the servers
> written above has its idle moments), but that's not the way I would approach
> it as an attacker.
> Your IDS will not block a simple connect scan (AFAIR snort does not save
> packets and does not know that this is the 10,000th port in a row you are
> trying to reach)
Hi Aviram,
FYI the portscan2 preprocessor on snort 2.0 tracks connection states.
> and even if it would, it is usually possible to evade it by
> scanning slowly enough.
This is true.
--
- Josh
94 F8 9F 3E 9A DB 6E FC F8 17 F1 B4 C7 51 CB AA ~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- [EMAIL PROTECTED] - tel: +972.58.520.636, http://www.tkos.co.il
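
The trade-off discussed in this exchange (a detector that keeps state per source, and a scan slow enough to fall outside its window), as an added example that is not part of the original messages and is not snort's portscan2 code. It is a generic sliding-window counter of distinct targets per source; the function names, thresholds, window sizes and addresses are assumptions, and the traffic is constructed.

```python
from collections import defaultdict, deque

def detect_scanners(events, window_s, port_threshold):
    """Return the sources that touched >= port_threshold distinct
    (dst, dport) targets within any span of window_s seconds.
    events: iterable of (timestamp_s, src, dst, dport), sorted by time."""
    recent = defaultdict(deque)  # src -> deque of (ts, (dst, dport))
    flagged = set()
    for ts, src, dst, dport in events:
        q = recent[src]
        q.append((ts, (dst, dport)))
        # Expire state older than the window; this is what a slow scan outlasts.
        while q and ts - q[0][0] > window_s:
            q.popleft()
        # Count distinct targets, so repeated hits on one service do not add up.
        if len({target for _, target in q}) >= port_threshold:
            flagged.add(src)
    return flagged

# Constructed sample traffic (documentation address ranges, hypothetical hosts).
FAST = [(i, "198.51.100.7", "192.0.2.10", 1 + i) for i in range(20)]         # 1 port/s
SLOW = [(i * 300, "198.51.100.8", "192.0.2.10", 1 + i) for i in range(20)]   # 1 port/5 min
BENIGN = [(i * 2, "198.51.100.9", "192.0.2.10", 443) for i in range(200)]    # one service
EVENTS = sorted(FAST + SLOW + BENIGN)

def compare_windows():
    """Run the same threshold with a 60-second and a 24-hour window."""
    short = detect_scanners(EVENTS, window_s=60, port_threshold=10)
    long_ = detect_scanners(EVENTS, window_s=24 * 3600, port_threshold=10)
    return short, long_

if __name__ == "__main__":
    short, long_ = compare_windows()
    print("60 s window flags:", sorted(short))
    print("24 h window flags:", sorted(long_))
```

The longer window catches the slow source at the cost of keeping per-source state for the whole window, which is the resource trade-off a sensor has to budget for.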