Intrusion detection question.
From: "Daniel Swan" <swan_daniel () my-Deja com>
Date: Wed, 09 Feb 2000 14:17:53 -0800
I know this is slightly off topic, but there is a high degree of ID talent on this list, and I haven't been able to get any
Question: Sometimes the source port of a scan gives a clue as to the tool used to scan. The best example is a source port of 61000-650096 (Possible Linux masquerading box). I am wondering if there are any other rules of thumb, or even a canonical list of what we can tell from source port.
(Mundane stuff like SMB and FTP doesn't count! I'm more interested in esoteric stuff like tools and OS's.)
Ps. FYI, I saw in one of the security NG's today that a Linux kernel patch has been released that is designed to
--== Sent via Deja.com http://www.deja.com/ ==--
Share what you know. Learn what you don't.