On 10/4/06, Holger Bauer <[EMAIL PROTECTED]> wrote:
> No, it sees everything. For example, running on my WAN, though nearly everything is blocked, it detects portscans too and will block this IP (if enabled) so it can't start a bruteforce against my open ports. If you are lucky it will even block the intruder before it reaches open ports on your system, for example :-)
To be fair, ONLY stateless signatures (or signatures of attacks that only need one packet to do the damage) and the port scan engine can make any kind of detection on traffic blocked at the firewall. But hey, who really cares that someone is trying some uber attack against you if there's nothing listening? If you want to know that, I'm afraid you need a honeypot.

--Bill
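The distinction drawn in this exchange, as an added example that is not part of the original thread and not the code of any IDS: a toy sensor in front of a firewall, run over two constructed captures, showing that the port scan counter and a single-packet signature still fire on dropped traffic while a signature that needs an established TCP session does not. The function name `inspect`, the `MARKER` pattern, the thresholds and the addresses are all assumptions made for the illustration.

```python
from collections import defaultdict
MARKER = b"EXAMPLE-PATTERN"        # placeholder signature content, not a real rule
SCAN_PORTS, SCAN_WINDOW = 4, 5.0   # assumed threshold: 4 distinct ports within 5 s

def inspect(packets):
    """packets: (time, remote, direction, local_port, proto, tcp_flags, payload)."""
    alerts, answered, established = [], set(), set()
    probes, scanners = defaultdict(list), set()
    for t, remote, direction, port, proto, flags, payload in packets:
        flow = (remote, port)
        if direction == "out":
            if flags == "SA":
                answered.add(flow)   # host replied, so the firewall passed the SYN
            continue
        # Port scan engine: counts distinct ports probed; needs no reply at all.
        recent = [(pt, pp) for pt, pp in probes[remote] if t - pt <= SCAN_WINDOW]
        probes[remote] = recent + [(t, port)]
        ports = {pp for _, pp in probes[remote]}
        if remote not in scanners and len(ports) >= SCAN_PORTS:
            scanners.add(remote)
            alerts.append(("portscan", remote))
        if proto == "tcp":
            if flags == "A" and flow in answered:
                established.add(flow)   # three-way handshake completed
            # Stream signature: payload only counts on an established session.
            if MARKER in payload and flow in established:
                alerts.append(("stream-signature", remote))
        elif MARKER in payload:
            # Stateless signature: a single packet is enough, blocked or not.
            alerts.append(("stateless-signature", remote))
    return alerts

SCANNER, CLIENT = "198.51.100.7", "198.51.100.9"   # constructed addresses
# Constructed capture: firewall drops everything, so nothing is ever answered.
BLOCKED = [
    (0.0, SCANNER, "in", 21, "tcp", "S", b""),
    (0.2, SCANNER, "in", 22, "tcp", "S", b""),
    (0.4, SCANNER, "in", 23, "tcp", "S", b""),
    (0.6, SCANNER, "in", 80, "tcp", "S", b""),
    (1.0, SCANNER, "in", 80, "tcp", "PA", b"GET /" + MARKER),  # no session
    (1.5, SCANNER, "in", 161, "udp", "", MARKER),
]
# Constructed capture: port 80 is open, so the handshake completes.
ALLOWED = [
    (0.0, CLIENT, "in", 80, "tcp", "S", b""),
    (0.1, CLIENT, "out", 80, "tcp", "SA", b""),
    (0.2, CLIENT, "in", 80, "tcp", "A", b""),
    (0.3, CLIENT, "in", 80, "tcp", "PA", b"GET /" + MARKER),
]
```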