This is fairly strange, since scanning ports 20-25 + OS fingerprint should
have generated something like... 20-25 messages. My IDS tends to accumulate
that amount of scans/exploits/other crap in about 2-3 hours. Your firewall
must be invisible or something because when I say IDS I mean it is ins
Dmitriy Kropivnitskiy <[EMAIL PROTECTED]> writes:
[snip]
> > how does this stop the scanner from identifying open ports?
>
> If you actually drop packets instead of rejecting them your port scanner
> will slow down to a crawl, since it has to wait for timeout on every try.
Bzzt.
Push out lo
On Wednesday 14 November 2001 08:08 am, thomas lakofski wrote:
> On 14 Nov 2001, Tim Haynes wrote:
> > If you want to stop port-scans, use a proper firewall with DENY
> > (ipchains) or DROP (iptables) by default.
>
> how does this stop the scanner from identifying open ports?
>
If you actually dro
thomas lakofski <[EMAIL PROTECTED]> writes:
> > I've considered it, to some extent, but in my case I figured it's best
> > just to look at snort's logs in a bit more detail before blocking
> > things left right & center.
>
> yes, familiarity with the traffic patterns you get over a few weeks is
>
On 14 Nov 2001, Tim Haynes wrote:
> > that looks pretty practical. have you considered looking at something
> > like 'guardian' http://www.chaotic.org/guardian/ to do automated response
> > to selected snort rules?
>
> I've considered it, to some extent, but in my case I figured it's best just
> t
thomas lakofski <[EMAIL PROTECTED]> writes:
[snip how I set up a box]
> > It's pretty rarely that I see any abuse that gets as far down the chain
> > as to deserve human intervention.
>
> that looks pretty practical. have you considered looking at something
> like 'guardian' http://www.chaotic.or
On 14 Nov 2001, Tim Haynes wrote:
> Personally, I go for
> a) DROP-by-default firewall with stateful filtering in iptables;
> b) such ports that are wide open (22, 80, 53/udp... whatever) are still
>    behind the protection of `INVALID';
> c) such services that listen on the open ports are as sec
thomas lakofski <[EMAIL PROTECTED]> writes:
[snip, `get a good firewall']
> > > how does this stop the scanner from identifying open ports?
> >
> > Why is a port open to a scanner's IP#, if not in order to be used?
>
> good point. what we're trying to do here though is heuristically (or more
> si
On 14 Nov 2001, Tim Haynes wrote:
> thomas lakofski <[EMAIL PROTECTED]> writes:
>
> [snip]
> > snort (as you mention) good for detecting attacks on ports you must
> > provide service on -- portsentry is just the one facet but the question
> > was in re portscans.
> >
> > > If you want to stop port
thomas lakofski <[EMAIL PROTECTED]> writes:
[snip]
> snort (as you mention) good for detecting attacks on ports you must
> provide service on -- portsentry is just the one facet but the question
> was in re portscans.
>
> > If you want to stop port-scans, use a proper firewall with DENY
> > (ipch
On 14 Nov 2001, Tim Haynes wrote:
> Frying pan:
>
> If done properly... it's a risk, but one that's assessable.
i assess it to be high :)
> > if you want to stop portscans maybe portsentry would help you?
>
> Fire:
>
> If you use portsentry in dynamic mode, you're open to spoofed IP#s just as
>
thomas lakofski <[EMAIL PROTECTED]> writes:
> On Tue, 13 Nov 2001, phadell wrote:
>
> > I would like to do a rule that mirror the packets that incoming from a
> > portscanner. The rule must return the packets to the source. If anyone
> > scan my machine ports, the result will be the list of sourc
On Tue, 13 Nov 2001, phadell wrote:
> I would like to do a rule that mirror the packets that incoming from a
> portscanner.
> The rule must return the packets to the source. If anyone scan my machine
> ports, the result will be the list of source address open ports.
this will enable an attacker
On Tue, Nov 13, 2001 at 02:06:56AM -0200, phadell wrote:
> hello there,
>
> I would like to do a rule that mirror the packets that incoming from a
> portscanner.
> The rule must return the packets to the source. If anyone scan my machine
> ports, the result will be the list of source address o
hello there,
I would like to do a rule that mirror the packets that incoming from a
portscanner.
The rule must return the packets to the source. If anyone scan my machine
ports, the result will be the list of source address open ports.
Anyone could help me with this rule?
phadell
ps.: sorry