RE: IDS: reading signatures?
FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
------------------------------------------------------------------------------
> the end of it. And it was fast, so it is obviously a script. Here is a
> better example:
>
> 14:18:36.148999 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
> 14:18:36.188602 x.x.x.x.9999 > x.x.x.0.53: 1205+ (45)
> 14:18:36.756601 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
> 14:18:36.803255 x.x.x.x.9999 > x.x.x.255.53: 1205+ (45)
[snip]
2 things come to mind:
covert data sent to a compromised service. not likely since there are no
response packets coming from your side.
dns scanning, which seems more likely given that broadcast addresses are
used.
if I were you I would get some more information though. I assume the
x.x.x.244.53 packets are udp, but are they all? It's fairly easy to
recognize a scan if you log tcp packets, flags and such give tell-tale
signs (not to mention the fact that tcp.id is 31337 :-P). Sniff the
packets to see what they contain.
in short, you need to do some more digging.
k
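As an added example (not part of the list thread), a small Python parser for tcpdump lines in the format quoted above that applies the heuristics from the reply: queries aimed at .0/.255 addresses, a fixed source port, and a repeated DNS transaction id. The sample lines are constructed with RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump style quoted in the thread.
# Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
14:18:36.148999 192.0.2.7.9999 > 198.51.100.0.53: 1205+ (45)
14:18:36.188602 192.0.2.7.9999 > 198.51.100.0.53: 1205+ (45)
14:18:36.756601 192.0.2.7.9999 > 198.51.100.255.53: 1205+ (45)
14:18:36.803255 192.0.2.7.9999 > 198.51.100.255.53: 1205+ (45)
14:19:02.001000 192.0.2.9.40123 > 198.51.100.10.53: 4412+ (38)
"""

# timestamp src.port > dst.port: id[+] (length); '+' = recursion desired
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<dnsid>\d+)\+? \((?P<length>\d+)\)$"
)

def parse_line(line):
    """Return a dict of fields for one tcpdump DNS line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "dnsid", "length"):
        d[k] = int(d[k])
    return d

def find_dns_scans(log_text, min_packets=3):
    """Map each source host to the reasons its port-53 traffic looks scripted."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt and pkt["dport"] == 53:
            by_src[pkt["src"]].append(pkt)
    findings = {}
    for src, pkts in by_src.items():
        if len(pkts) < min_packets:      # too little traffic to judge
            continue
        reasons = []
        if {p["dst"].rsplit(".", 1)[1] for p in pkts} & {"0", "255"}:
            reasons.append("queries to network/broadcast addresses")
        if len({p["sport"] for p in pkts}) == 1:
            reasons.append("fixed source port")
        if len({p["dnsid"] for p in pkts}) == 1:
            reasons.append("constant DNS transaction id")
        if reasons:
            findings[src] = reasons
    return findings
```

The heuristics are only indicators; a legacy resolver that reuses one source port will trip the second check on its own, so weigh the combination rather than any single reason.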