IDS: How to track down a novel packet trace?
Archive: http://msgs.securepoint.com/ids
FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
-----------------------------------------------------------------------------
How do those of you who are long-time intrusion analysts
go about finding the source of a novel set of packets?
Novel in the sense that you haven't seen them before. When
you look at the analyses that are available on various
websites (the SANS GCIA practicals are great, as is the rest
of their library), the analysis reads "found a novel trace
that looks like XYZ. Tracked the trace back to this specific
piece of software (new portscanner, or a new version of
_something_)." That is where my question comes up: do you
just spend large amounts of time wandering from hacker site
to hax0r site? I am plenty familiar with technotronic,
rootshell, packetstorm and those sorts of sites, but while
they have lots of tools, they don't generally seem to have
the most underground stuff that is generating the newest
traces.
I expect to get different responses from different people,
and will send out the sum of responses if there is an interest.
So how do you do it?
Thanks,
Toby
Toby Kohlenberg, CISSP
Intel Corporate Information Security
STAT Team
Information Security Specialist
503-264-9783 Office & Voicemail
877-497-1696 Pager
"Just because you're paranoid, doesn't mean they're not after you."
PGP Fingerprint:
92E2 E2FC BB8B 98CD 88FA 01A1 6E09 B5BA 9E84 9E70