On Sun, Jul 20, 2003 at 10:56:30AM +0200, Francesco wrote:
> Now, I am asking this question: Portsentry seems a good network IDS, since a
> possible attacker, by starting his initial system scan, is just blocked out!
>
> What do you think about??

Well, it's pretty nice as a simple host-based IDS, but some drawbacks
come to mind:

 o It doesn't monitor traffic on ports you have in use. For example,
   you won't see whether someone's exploiting a vulnerability in
   a formmail CGI that somehow was installed on your web server.
 o It does not monitor outbound traffic.
 o Automatic blocking makes the host vulnerable to a DoS. Consider
   what would happen if someone used nmap to run a decoy scan of
   the target.
 o It's no longer supported as far as I know: Cisco bought out
   Psionic a few months ago.

George
--
[EMAIL PROTECTED]
