Security Incidents mailing list archives

Re: Cracked; rootkit - entrapment question?
From: cdp () PEAKPEAK COM (Chuck Phillips)
Date: Fri, 3 Mar 2000 08:33:31 -0700


1Lt Rob Lee writes:
1.  Consensual Monitor:  This is a monitor that is limited to only being
able to monitor on ports that are bannered.  If your SUBJECT has not seen a
banner you cannot monitor from that port or IP.  You can only monitor on
ports that do have banners for ANY IP incoming into that machine.  You can
only monitor the SUBJECT's IP on ANY port ONLY if you can show that the
SUBJECT has seen the banner at least once.

For stuff like telnet, FTP and even SMTP, "appropriate use" banners are
just good practice for any machine, even on an internal protected network.
However, there are other protocols with no provisions for banners, e.g.,
NFS.  What can be done for these services?

ALSO, if a script kiddie uses, of all things, a *script* and never sees the
banner, would this make monitoring illegal?

ALSO, if you're a privately hired security professional (as opposed to a
criminal law enforcement professional), does this restriction still apply?

        Chuck

