Track down Stick DOS tool with ISS IDS

  1. #1
    Junior Member
    Join Date
    Jun 2003
    Posts
    14

    Track down Stick DOS tool with ISS IDS

    I have some bozo running the Stick DOS tool on my network @ work trying to stuff the IDS so it falls over. Luckily we are using ISS and it will not allow Stick tool DOS traffic to stuff its DB to the point it dies...

    My problem is that the bozo is spoofing his IP address to 0.0.0.0 and I'm not good enough @ IDS/Security/Etc yet to track him down.

    Any ideas on how to track him down?

    Thanks!

    Tfunk

  2. #2
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    Set up a TRONS signature to detect it yourself.

    /nebulus


    EDIT: I am assuming you are using the latest available versions of Site Protector/ISS sensors (which if you are, you are not vulnerable to it anyway). If you are not, you will either have to attempt to build your own using the ISS default connection stuff (very limited IMHO), or attempt to capture it using tcpdump with a lot of flags on your own sensors.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
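
As an added example (not from the thread and not ISS or TRONS code): once traffic has been captured with tcpdump as suggested above, this Python script reads a classic pcap file and counts, per source MAC address, the frames whose IPv4 source is 0.0.0.0. It assumes the capture was taken on the sender's own Ethernet segment, where the source MAC still identifies the sending interface; the function names, the sample capture and its MAC addresses are constructed for illustration.

```python
import struct
from collections import Counter

ZERO = b"\x00" * 4

def zero_source_macs(pcap: bytes) -> Counter:
    """Count frames with IPv4 source 0.0.0.0 per source MAC (classic pcap, Ethernet)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if (endian is None or len(pcap) < 24
            or struct.unpack(endian + "I", pcap[20:24])[0] != 1):
        raise ValueError("expected a classic pcap file with Ethernet link type")
    hits, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        # Untagged IPv4 only; VLAN-tagged (0x8100) frames are skipped here.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[26:30] != ZERO:
            continue
        l4 = 14 + (frame[14] & 0x0F) * 4
        # A DHCP client legitimately sends from 0.0.0.0 (UDP 68 -> 67): not a hit.
        if frame[23] == 17 and frame[l4:l4 + 4] == struct.pack("!HH", 68, 67):
            continue
        hits[frame[6:12].hex(":")] += 1
    return hits

def _frame(src_mac: str, src_ip: bytes, sport: int, dport: int) -> bytes:
    """Build one constructed Ethernet/IPv4/UDP frame for the sample capture."""
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     src_ip, bytes([10, 0, 0, 5]))
    return eth + ip + struct.pack("!HHHH", sport, dport, 8, 0)

def sample_pcap() -> bytes:
    """Constructed capture: 3 zero-source frames, 1 DHCP-style frame, 1 normal frame."""
    frames = [_frame("02:00:00:00:00:aa", ZERO, 4000, 53)] * 3
    frames.append(_frame("02:00:00:00:00:bb", ZERO, 68, 67))
    frames.append(_frame("02:00:00:00:00:cc", bytes([10, 0, 0, 9]), 4000, 53))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for mac, n in zero_source_macs(sample_pcap()).most_common():
        print(f"{mac}  {n} frame(s) with source 0.0.0.0")
```

If the capture point is on the far side of a router, the MAC reported is that router's interface, so the capture has to be repeated one hop closer to the source.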

  3. #3
    Junior Member
    Join Date
    Jun 2003
    Posts
    14
    nebulus

    You are correct...ISS Network Sensor when patched is not vulnerable. My actual concern is that someone is being mischievous on the network (running stick) and I would like to track them down.

    Thanks for the recommendation for trons. I am going to dig into it and see what I can come up with. I know ISS will use trons, but I haven't messed with them yet. I'm going to dig into it and see what I can come up with.

  4. #4
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    If you need a quick primer I could probably help you.

    /nebulus
