Defence techniques: building an IDS intrusion signature library, a worked example (5)
  Added: 09/25/2008   Published: 09/25/2008
Part 5 of 7
 


  The TCP window size is 1028

  The first item on its own is far too common, and the second and third rarely occur together in the same packet, so combining these three items yields a precise signature. Adding the remaining synscan attributes would not noticeably improve the signature's accuracy; it would only increase the resources consumed. With that, the signature for the synscan tool, built on this basis, is complete.

  Sixth, extend the signature's "relatives": building signatures that recognize a wider range of anomalous traffic

  The signature built above is adequate for detecting the standard synscan tool. But synscan may exist in several "mutated" versions, and other tools may likewise be "variable", so the signature built above cannot necessarily recognize each and every one of them. At this point the specific signature and the general signature need to be used together to arrive at a better and more comprehensive solution. If an intrusion detection signature can not only expose the known "bad guy" but also predict the "potential offender", its value increases greatly.

  First, look at the characteristics of the packets that a "mutated" synscan sends out:

  Only the SYN flag is set; this is the "appearance" of a perfectly normal TCP packet.

  The TCP window size is always 40 rather than 1028. 40 is an unusually small window size for an initial SYN packet, and 1028 is much rarer still compared with normal values.

  The reflexive port (the same source and destination port) is 53 rather than 21. Older versions of BIND used port 53 as a reflexive port for a special purpose; newer versions of BIND no longer do, so seeing this pattern frequently should make us open our eyes wide with suspicion.

  The three items above are similar to the data produced by the standard synscan, so one can infer that the tool producing them is either a different version of synscan or another tool built on the synscan code. Clearly the signature defined earlier can no longer distinguish this "mutation", because all three of its constituent features have changed beyond recognition. At this point we can take one of three approaches:

  1. Build another specific signature that matches only this new content.

  2. Shift our attention from the specific anomalous behaviour to the general anomalous behaviour, and build a general signature that recognizes ordinary anomalous behaviour.

  3. Do both 1 and 2: cast a wide net and also fish with focus, so that the real offender is caught and the suspects do not get away.

  A general signature could be built as follows:

  A TCP packet with the ACK flag not set but a non-zero acknowledgement number.
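  The following is an added example, not code from the original article or from the synscan tool. It puts the third approach into practice: the specific signature for standard synscan (SYN and FIN set, window 1028, reflexive port 21, which is how this page contrasts the two versions), the specific signature for the mutated version (SYN only, window 40, reflexive port 53), and the general rule just given (ACK flag clear but acknowledgement number non-zero) are all run over the same TCP headers. A second general rule, SYN and FIN set together, is included because that combination is never produced by a legitimate stack; it goes beyond what this page lists. The packets are constructed in the code, not captured traffic, and the acknowledgement numbers chosen for the samples are assumptions for illustration.

```python
"""Run specific and general IDS signatures over raw TCP headers."""
import struct
from dataclasses import dataclass

# TCP flag bits in the low byte of the flags field (RFC 793)
TH_FIN = 0x01
TH_SYN = 0x02
TH_ACK = 0x10


@dataclass(frozen=True)
class TcpHeader:
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int


def parse_tcp(raw: bytes) -> TcpHeader:
    """Decode the fixed 20-byte TCP header; options and payload are ignored."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, _off, flags, window, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", raw[:20])
    return TcpHeader(sport, dport, seq, ack, flags, window)


def build_tcp(sport, dport, seq, ack, flags, window) -> bytes:
    """Build a constructed 20-byte header for testing (checksum left zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                       window, 0, 0)


# Specific signatures: each names the exact "face" of one tool version.
def sig_synscan_classic(h: TcpHeader) -> bool:
    return ((h.flags & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN)
            and h.window == 1028
            and h.sport == 21 and h.dport == 21)


def sig_synscan_variant(h: TcpHeader) -> bool:
    # The whole flags byte must equal SYN: nothing else may be set.
    return (h.flags == TH_SYN
            and h.window == 40
            and h.sport == 53 and h.dport == 53)


# General signatures: protocol anomalies no legitimate stack produces.
def sig_ack_without_ack_flag(h: TcpHeader) -> bool:
    return not (h.flags & TH_ACK) and h.ack != 0


def sig_syn_and_fin(h: TcpHeader) -> bool:
    # Assumed extra rule, not one listed on this page.
    return (h.flags & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN)


RULES = {
    "synscan-classic": sig_synscan_classic,
    "synscan-variant": sig_synscan_variant,
    "tcp-ack-number-without-ack-flag": sig_ack_without_ack_flag,
    "tcp-syn-and-fin": sig_syn_and_fin,
}


def classify(raw: bytes) -> list[str]:
    """Approach 3: run specific and general rules together, return all hits."""
    h = parse_tcp(raw)
    return [name for name, rule in RULES.items() if rule(h)]


# Constructed samples (not captured traffic); ack values are illustrative.
SAMPLES = {
    "classic": build_tcp(21, 21, 0x11223344, 0x55667788, TH_SYN | TH_FIN, 1028),
    "variant": build_tcp(53, 53, 0x0BADF00D, 0x0000ABCD, TH_SYN, 40),
    "unknown-tool": build_tcp(1234, 80, 0x1000, 0x2000, TH_SYN, 512),
    "normal-syn": build_tcp(40123, 80, 0x1000, 0, TH_SYN, 65535),
    "normal-ack": build_tcp(40123, 80, 0x1001, 0x9000, TH_ACK, 65535),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13s} -> {classify(raw) or ['no match']}")
```

  The "unknown-tool" sample is the point of the exercise: it matches neither specific signature, yet the general rule still flags it, while the two normal packets trigger nothing. Running only the specific rules would let that suspect go; running only the general rule would lose the name of the tool.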
