[Snort-users] network penetrations

Geoff the UNIX guy galitz at ...247...
Thu Jan 11 18:28:51 EST 2001
I have snort reporting to a database which runs 
periodic reports (via perl, currently) which 
triggers a nessus scan, a dds scan, and an
nmap -sV scan (a wonderful hack which attempts
to verify the protocol running on a certain port).
The nmap -sV scan is terrific for quickly finding 
backdoor ssh daemons running on ports other than 
port 22.

In other words: snort -> nessus -> dds -> nmap
which tells me if a known attack daemon or backdoor
has been added after the scan via an exploit.

For more info on how I've done it, feel free to check:
http://www.cchem.berkeley.edu/College/unix/proj.html

It is nothing special really, it all amounts to a homebrewed 
application glued together with C and perl.

-geoff


On Thu, 11 Jan 2001, Mark Scott wrote:

> Hi,
> 
> Can anyone point me to resources that can help me understand how to tell if
> there was a network penetration after a port scan? I use snort and many
> times a day I detect some sort of port scan. What do you guys do to tell if
> there has been a penetration?
> 
> Thanks,
> 
> Mark
> 

---------------------------------------------------
Geoff Galitz, galitz at ...247...
Research Computing
College of Chemistry, UC Berkeley
---------------------------------------------------
     The laws of physics can be a harsh mistress...
        - Bender
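The snort -> nessus -> dds -> nmap chain above boils down to two pieces of glue: pull the attacked hosts out of the IDS alerts, then compare what nmap -sV actually finds on those hosts against what you expect to be running there. The following is an added example written for this archive page, not Geoff's perl/C code from the linked project, and it uses Python rather than perl. The snort alert lines, the nmap -oG (grepable) output and the per-host service baseline are all constructed sample data; the script parses the alerts for destination hosts, parses the grepable scan, and flags any open service missing from the baseline, scoring an ssh daemon on a port other than 22 as the highest-priority finding.

```python
"""Triage glue for a snort -> nmap -sV verification loop (added example).

1. Extract the destination hosts named in snort "fast" alert lines.
2. Parse nmap -sV -oG output for those hosts into {host: {port: details}}.
3. Report open services that are not in the expected-service baseline,
   highlighting ssh daemons that are listening somewhere other than 22.
"""
import re
from collections import defaultdict

# Constructed snort fast-format alert lines (sample data, not real alerts).
SNORT_ALERTS = """\
01/11-18:20:01.123456  [**] [122:1:0] (portscan) TCP Portscan [**] {TCP} 192.0.2.77 -> 10.0.0.5
01/11-18:20:04.654321  [**] [122:1:0] (portscan) TCP Portscan [**] {TCP} 192.0.2.77 -> 10.0.0.9
01/11-18:25:10.000000  [**] [1:1000:1] Some other rule [**] {TCP} 198.51.100.3:4444 -> 10.0.0.5:80
"""

# Constructed nmap -sV -oG (grepable) output for the two targeted hosts.
# Port entries are port/state/proto/owner/service/rpcinfo/version/.
NMAP_GREPABLE = """\
# Nmap scan initiated as: nmap -sV -oG - 10.0.0.5 10.0.0.9
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH/, 80/open/tcp//http//Apache/, 31337/open/tcp//ssh//OpenSSH/
Host: 10.0.0.9 ()\tPorts: 25/open/tcp//smtp//Sendmail/
# Nmap done
"""

# Hypothetical baseline of what each host is supposed to run (port -> service).
BASELINE = {
    "10.0.0.5": {22: "ssh", 80: "http"},
    "10.0.0.9": {25: "smtp"},
}

# "{TCP} src[:port] -> dst[:port]" at the end of a fast-format alert line (IPv4).
ALERT_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$"
)
# One grepable port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def targeted_hosts(alert_text):
    """Return the set of destination IPs named in snort alert lines."""
    hosts = set()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            hosts.add(m.group(2))
    return hosts


def parse_grepable(text):
    """Parse nmap -oG output into {host: {port: (state, proto, service, version)}}."""
    result = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        parts = line.split("Ports:", 1)
        if len(parts) < 2:
            continue  # host line without a port list (e.g. all ports closed)
        for entry in parts[1].split(","):
            m = PORT_RE.match(entry.strip())
            if m:
                port, state, proto, _owner, service, _rpc, version = m.groups()
                result[host][int(port)] = (state, proto, service, version)
    return dict(result)


def findings(alert_text, nmap_text, baseline):
    """Cross-check targeted hosts against the baseline.

    Returns a list of (severity, host, port, service, version) for every open
    service not present in the baseline for that host.
    """
    scanned = parse_grepable(nmap_text)
    out = []
    for host in sorted(targeted_hosts(alert_text)):
        expected = baseline.get(host, {})
        for port, (state, _proto, service, version) in sorted(scanned.get(host, {}).items()):
            if state != "open" or expected.get(port) == service:
                continue
            # An ssh daemon on a non-standard port is exactly the backdoor
            # pattern the post describes, so rank it above other surprises.
            severity = "HIGH" if service == "ssh" and port != 22 else "MEDIUM"
            out.append((severity, host, port, service, version))
    return out


if __name__ == "__main__":
    for sev, host, port, service, version in findings(SNORT_ALERTS, NMAP_GREPABLE, BASELINE):
        print(f"{sev}: {host}:{port} unexpected {service} ({version})")
```

In a live setup the alert text would come from the snort database query the post mentions and the grepable output from running nmap -sV -oG against the hosts returned, with the baseline maintained from a known-good scan of each machine.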
