From: krantikari26@30gigs.com
Date: Thu Mar 02 2006 - 03:36:59 EST
If you try to analyse the packets using Ethereal, you will see that the TCP conversations are different in the two cases. So for the cases:
a. between nmap and the web server:
syn-synack-rst-syn-synack-getrequest
b. between the browser and the web server:
syn-synack-ack-getrequest
So depending on the pattern of packets from a particular host, we can design a Snort rule to detect the legitimate user and the hacker request.
A few points can help to design a rule:
1. nmap will send only "GET / HTTP 1.1 /r/n"
in the request, so it can be detected, whereas the normal browser will send other values too, like User-Agent, Accept-Language etc., so this can help us to design the rule.
2. The sequence number can also help; it will be different in both types of conversation.
3. In a normal conversation the web server will send code=200 OK,
whereas in the nmap conversation it will send
code=404 object not found.
Please comment
kkdear
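The header-presence and flag-sequence checks proposed in the post above, written as Python detection logic; this is an added example, not code from the poster. The sample requests and flag sequences are constructed, not captured traffic, and the Snort rule string is an illustrative equivalent of the missing-User-Agent check.

```python
from typing import Dict, List, Optional

# Constructed sample requests (not captured traffic) for the two cases in the
# post: a bare probe sending only the request line, and a browser request that
# also carries User-Agent, Accept-Language and similar headers.
BARE_PROBE = b"GET / HTTP/1.1\r\n\r\n"
BROWSER_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (constructed sample)\r\n"
    b"Accept-Language: en-US,en;q=0.5\r\nAccept: text/html\r\n\r\n"
)

# Same idea as a Snort 2 rule: a GET to port 80 carrying no User-Agent header.
SNORT_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HTTP GET without User-Agent"; '
    'flow:to_server,established; content:"GET "; depth:4; '
    'content:!"User-Agent|3A|"; nocase; sid:1000001; rev:1;)'
)

def parse_request(raw: bytes) -> Optional[Dict[str, str]]:
    """Return lower-cased header name -> value for a GET, or None if malformed."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block never terminated: incomplete or not HTTP
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "GET" or not parts[2].startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify_request(raw: bytes, expected=("user-agent", "accept-language")) -> str:
    """'bare-probe' if no expected browser header is present, 'browser-like' if all are."""
    headers = parse_request(raw)
    if headers is None:
        return "malformed"
    present = sum(1 for h in expected if h in headers)
    if present == 0:
        return "bare-probe"
    return "browser-like" if present == len(expected) else "partial"

def classify_handshake(flags: List[str]) -> str:
    """Flag-sequence heuristic from the post: a RST before the first GET marks the scanner case."""
    seq = [f.lower() for f in flags]
    if "get" not in seq:
        return "no-request"
    return "rst-then-get" if "rst" in seq[:seq.index("get")] else "normal"
```

Any minimal client that omits User-Agent or Accept-Language (scripts, monitoring checks) is also classed as a bare probe, so treat the result as an indicator to correlate with the handshake and server-response checks rather than as proof of a scanner.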