List: ossec-list
Subject: [ossec-list] An idea for nmapg
From: Walker JWalker <j_walker2 () hotmail ! com>
Date: 2008-04-26 13:02:34
Message-ID: BLU142-W88ECD4060D702867CEB4ACEDC0 () phx ! gbl
From what I can tell OSSEC/nmapg works by detecting differences in open/closed ports based on IP addresses. But IPs change and you can't be sure if a new open port is due to a new port actually listening, or the IP changed due to DHCP.

Would it be possible to take into consideration the MAC address, which doesn't change? Nmap doesn't include the MAC address of the target in its results for -oG that OSSEC uses, but it does for other log output formats.

Since routers replace the MAC address, the port scanner would have to be on the same network, but that might not be too big of a problem since I would think it should greatly reduce the number of false positives.
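
The following is an added example, not part of the original message and not OSSEC code. It shows the proposed MAC-keyed comparison against an IP-keyed one, assuming the scans are saved in nmap's XML format (-oX), which reports a MAC address for hosts on the scanner's own segment; the function names and both sample scans are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample scans, reduced to the nmap XML elements used below.
# Between the scans DHCP moves both hosts; only ...:02 really opens a port (8080).
SCAN_1 = """<nmaprun>
<host><address addr="192.168.1.10" addrtype="ipv4"/>
 <address addr="00:11:22:AA:BB:01" addrtype="mac"/>
 <ports><port protocol="tcp" portid="22"><state state="open"/></port></ports></host>
<host><address addr="192.168.1.11" addrtype="ipv4"/>
 <address addr="00:11:22:AA:BB:02" addrtype="mac"/>
 <ports><port protocol="tcp" portid="80"><state state="open"/></port>
  <port protocol="tcp" portid="443"><state state="closed"/></port></ports></host>
</nmaprun>"""
SCAN_2 = """<nmaprun>
<host><address addr="192.168.1.10" addrtype="ipv4"/>
 <address addr="00:11:22:AA:BB:02" addrtype="mac"/>
 <ports><port protocol="tcp" portid="80"><state state="open"/></port>
  <port protocol="tcp" portid="8080"><state state="open"/></port></ports></host>
<host><address addr="192.168.1.12" addrtype="ipv4"/>
 <address addr="00:11:22:AA:BB:01" addrtype="mac"/>
 <ports><port protocol="tcp" portid="22"><state state="open"/></port></ports></host>
</nmaprun>"""


def parse_scan(xml_text, key_type):
    """Map each host's address of key_type ("ipv4" or "mac") to its open ports."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addrs = {a.get("addrtype"): a.get("addr") for a in host.iter("address")}
        key = addrs.get(key_type)
        if key is None:  # no MAC reported, e.g. target is behind a router
            continue
        hosts[key.upper()] = {
            (p.get("protocol"), int(p.get("portid")))
            for p in host.iter("port")
            if p.find("state") is not None and p.find("state").get("state") == "open"
        }
    return hosts


def new_open_ports(before_xml, after_xml, key_type):
    """Return {host key: sorted ports open now that were not open before}."""
    before = parse_scan(before_xml, key_type)
    changes = {}
    for key, ports in parse_scan(after_xml, key_type).items():
        added = ports - before.get(key, set())
        if added:
            changes[key] = sorted(added)
    return changes


if __name__ == "__main__":
    print("keyed by IP: ", new_open_ports(SCAN_1, SCAN_2, "ipv4"))
    print("keyed by MAC:", new_open_ports(SCAN_1, SCAN_2, "mac"))
```
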