[Snort-users] [PEN-TEST] Clarification on illegal use of ISS Internet Scanner(fwd)

Bill Pennington billp at ...60...
Tue Aug 15 12:17:39 EDT 2000


Well I know that there is already a snort detect for the ISS ping. The
ping packet contains the serial number of the ISS Scanner in the packet.
I think I have one laying around if you want it.

Fyodor wrote:
> 
> A bit offtopic but just curiousity if anyone has any details on format of
> ISS scanner fingerprints. Had I licenced ISS scanner, I'd probably be able
> to dump that.. uhmm.. :)
> 
> ---------- Forwarded message ----------
> Date: Tue, 15 Aug 2000 10:04:45 -0400
> From: "Curphey, Mark (ISS Atlanta)" <MCurphey at ...325...>
> Reply-To: Penetration Testers <PEN-TEST at ...220...>
> To: PEN-TEST at ...220...
> Subject: [PEN-TEST] Clarification on illegal use of ISS Internet Scanner
> 
> To clarify a recent thread ......
> 
> If you look within one of the Network Sensor policies underneath the Scanner
> events, there is an event called "ISS" that detects if an Internet Scanner
> scan is taking place. If your Network Sensor detects this activity
> (depending on how your responses are set), it will display the event on your
> Console. This event will also show the OCN number of the license key for the
> owner of the Internet Scanner software.
> 
> No traffic is sent back to ISS regarding this. A RealSecure user can contact
> ISS who can then deal with the matter, via an internal policy i.e ISS will
> not just tell you the owner of that software lisense.
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 


Bill Pennington
Senior IT Manager
Rocketcash
billp at ...60...
http://www.rocketcash.com




More information about the Snort-users mailing list