[Snort-users] network penetrations

Geoff the UNIX guy galitz at ...247...
Thu Jan 11 18:28:51 EST 2001

I have snort reporting to a database which runs 
periodic reports (via perl, currently) which 
trigger a nessus scan, a dds scan, and an
nmap -sV scan (a wonderful hack which attempts
to verify the protocol running on a certain port).
The nmap -sV scan is terrific for quickly finding 
backdoor ssh daemons running on ports other than 
port 22.

In other words: snort -> nessus -> dds -> nmap
which tells me if a known attack daemon or backdoor
has been added after the scan via an exploit.

For more info on how I've done it, feel free to check:

It is nothing special really, it all amounts to a homebrewed 
application glued together with C and perl.


On Thu, 11 Jan 2001, Mark Scott wrote:

> Hi,
> Can anyone point me to resources that can help me understand how to tell if
> there was a network penetration after a port scan? I use snort and many
> times a day I detect some sort of port scan. What do you guys do to tell if
> there has been a penetration?
> Thanks,
> Mark

Geoff Galitz, galitz at ...247...
Research Computing
College of Chemistry, UC Berkeley
     The laws of physics can be a harsh mistress...
        - Bender
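
The last stage of the pipeline described in the message above (flagging ssh daemons that a version scan finds on ports other than 22) can be sketched as follows. This is an added example, not code from the original post or from the poster's application; it assumes the scan results are saved in nmap's grepable (`-oG`) format, and the function names, the `APPROVED` allow-list and the sample data are all constructed for illustration.

```python
import re

# Constructed sample of nmap grepable (-oG) output from an `nmap -sV` run.
# Addresses are from the documentation range; none of this is real scan data.
SAMPLE_OG = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (web1.example.org)\tStatus: Up
Host: 192.0.2.10 (web1.example.org)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd/, 2222/closed/tcp//ssh///
Host: 192.0.2.20 (db1.example.org)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 31337/open/tcp//ssh//OpenSSH 3.1p1/, 5432/open/tcp//postgresql///
Host: 192.0.2.30 (bastion.example.org)\tPorts: 2022/open/tcp//ssh//OpenSSH 9.3/
"""

# Hypothetical allow-list of (host, port) pairs where sshd is deliberately
# run on a non-default port, so it should not be reported.
APPROVED = {("192.0.2.30", 2022)}

# One port entry is: port/state/protocol/owner/service/rpcinfo/version/
PORT_ENTRY = re.compile(r"(\d+)/([^/]*)/([^/]*)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def find_unexpected_ssh(og_text, approved=frozenset(), default_port=22):
    """Return (host, port, version) for every open TCP port whose detected
    service is ssh, other than the default port and approved exceptions."""
    findings = []
    for line in og_text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment lines and blank lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports = next((f[len("Ports: "):] for f in fields
                      if f.startswith("Ports: ")), None)
        if ports is None:
            continue  # "Status:" lines carry no port list
        for m in PORT_ENTRY.finditer(ports):
            port, state, proto, service, version = m.groups()
            port = int(port)
            # nmap appends "?" to a service name it is unsure about
            if state != "open" or proto != "tcp" or service.rstrip("?") != "ssh":
                continue
            if port == default_port or (host, port) in approved:
                continue
            findings.append((host, port, version))
    return findings


if __name__ == "__main__":
    for host, port, version in find_unexpected_ssh(SAMPLE_OG, APPROVED):
        print(f"unexpected sshd: {host}:{port} ({version or 'version unknown'})")
```
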
