Thursday, September 16, 2010

What Is FIN Scan & Inverse Mapping?

FIN Scan
I have never detected a FIN scan in the wild and chose not to simulate one. A FIN scan sends segments with only the FIN flag set to ports on which no connection was ever opened. An RFC 793 stack silently drops a FIN to an open port and answers a FIN to a closed port with a RST, so the scanner reads the replies inversely: silence means open, RST means closed. Stacks that RST every unsolicited FIN regardless of port state (Windows, for one) make the scan inconclusive against those hosts. In the case of a FIN scan, one would detect a large number of packets with the FIN flag set where no three-way handshake was ever established. We have already discussed using a database to find ftp-bounce. A good intrusion analysis system should provide the capability to look for spurious traffic, such as FINs, to connections that were never established. HD Moore, the author of nlog, has been developing Perl scripts to accomplish these sorts of tasks based on a 24-hour data window.

Inverse Mapping

Inverse mapping probes for hosts that do not exist and takes the complement of that list as the set of hosts that probably do. The probes are packets that look like replies rather than requests, such as RST segments or DNS responses, so stateless packet filters pass them; a router answers a probe for a non-existent address with an ICMP host unreachable, and the addresses that draw no such error are inferred to be live. These techniques are a bit harder to detect; I had to write a quick hack for the Shadow system to track RESET scans. Bill Ralph rewrote and improved the module look4scans.pl. Likewise, the following DNS example eludes all intrusion detection systems that I have worked with.
