Passive Host Auditing

Presented at DEF CON 13 (2005), July 29, 2005, 4 p.m. (20 minutes)

Traditionally, IDS systems such as snort have been used to monitor attacks against or within a network. This talk will give the outline for turning those tools around and instead using them to audit networks. We will discuss how to identify OSís, tell who is patching, what services are being deployed (perhaps insecurely), and other methods for policy enforcement. This discussion is ideally suited for administrators and security professionals in open and/or decentralized environments, especially those charged with auditing the network. While several signatures and sample scripts will be discussed during this talk, this is a relatively new area of auditing and network security so questions, comments and volunteers will all be welcome.


  • jives
    Jives has been doing computer security at a major research university for over 5 years. After initially specializing in host security he has moved into network security. In this area he has written several evidence gathering scripts. Recently he has made a hobby out of using the network to answer questions about the host.


Similar Presentations: