Intrusion Detection Systems mailing list archives

Determining when something is NOT random
From: Lance Spitzner <lance () spitzner net>
Date: Sun, 23 Jul 2000 23:12:55 -0500 (CDT)

Are there any tools/techniques for determining when something
is NOT random?

For example, I have a system that was hit with ICMP_ECHO 
packets from 47 systems within two hours.  Based on the
packets, I can determine that the same tool was used
to generate them.  What I want to determine is if the 47
source systems were randomly generated by the tool (as 
often done by Syn Flooding tools) or if the 47 systems 
involved were not randomly generated.  If the 47 Src systems 
were NOT randomly generated, this may indicate that all 47
systems are actual systems used in the 'attack'.

Any tool that can take a list of IP addresses and determine
if they are random or not?

Thanks!

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
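
One way to approach the question in the message above, as an added example that is not part of the original post: test the source list against the hypothesis that a tool drew each address uniformly from the 32-bit space. The unroutable-range list, the /16 grouping, the Poisson approximation, the 0.01 threshold and all function names are assumptions, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress
from itertools import combinations
from math import comb, exp

# Assumption: a simplified set of ranges that cannot be real Internet sources.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
# Chance that one uniformly random 32-bit address lands in those ranges.
P_UNROUTABLE = sum(n.num_addresses for n in UNROUTABLE) / 2**32

def poisson_tail(k, lam):
    """P(X >= k) for X ~ Poisson(lam), summed iteratively to avoid overflow."""
    term, below = exp(-lam), 0.0
    for i in range(k):
        below += term
        term *= lam / (i + 1)
    return max(0.0, 1.0 - below)

def analyze(addresses):
    """Compare a source list with what uniform random generation predicts."""
    ips = [ipaddress.IPv4Address(a) for a in set(addresses)]
    n = len(ips)
    unroutable = sum(any(ip in net for net in UNROUTABLE) for ip in ips)
    # Pairs of sources in the same /16: rare by chance, common for real hosts.
    shared = sum(int(a) >> 16 == int(b) >> 16 for a, b in combinations(ips, 2))
    expected_shared = comb(n, 2) / 2**16
    return {
        "n": n,
        "unroutable": unroutable,
        "expected_unroutable": n * P_UNROUTABLE,
        "p_no_unroutable": (1 - P_UNROUTABLE) ** n,
        "shared_slash16_pairs": shared,
        "expected_shared_pairs": expected_shared,
        # Birthday-style Poisson approximation for the pair count.
        "p_shared_pairs": poisson_tail(shared, expected_shared),
    }

def consistent_with_uniform(addresses, alpha=0.01):
    """False when the list is unlikely under uniform random generation."""
    r = analyze(addresses)
    no_unroutable_is_odd = r["unroutable"] == 0 and r["p_no_unroutable"] < alpha
    clustered = r["p_shared_pairs"] < alpha
    return not (no_unroutable_is_odd or clustered)

# Constructed sample: 47 sources packed into two documentation /24 blocks.
SAMPLE_CLUSTERED = ([f"198.51.100.{i}" for i in range(1, 25)]
                    + [f"203.0.113.{i}" for i in range(1, 24)])
```

A generator that skips reserved ranges or draws from a narrow pool also fails this test, so a negative result says only that the sources were not drawn uniformly from the whole address space.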

