IDS mailing list archives

What about PortSentry?


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 3 Sep 2003 09:47:07 -0500

-----Original Message-----
From: Daniel Cid [mailto:danielcid () yahoo com br] 
Sent: Wednesday, September 03, 2003 8:30 AM
To: Schmehl, Paul L
Cc: focus-ids () securityfocus com
Subject: RE: Top IPS - please read for invitation to Network World review.

Yeah, you can add some hosts to be ignored. But you
will never put "all" of them. It's very easy to get a
lot of problems using this kind of software. btw, what
is the advantage to block port scans? The important
thing is to keep your system safe. And if an attacker
notices that his IP is being blocked after a port
scan, he will know that you are running this kind of
IPS and will change his way to attack the system. It
is not going to add any benefit.

Huh?  If, every time you attempt to port scan my box, you get blocked at
the firewall, sooner or later you're going to run out of IPs to attack
me from.  And the only hosts that I would *want* to ignore would be ones
that I trust.  Remember, we're talking about HIDS/HIPS, *not* NIDS.

I have been running PortSentry on an Internet-exposed web server (no
protection except host-based) for over two years now, and I have yet to
see even a successful *attempt* to scan the box.  The only attacks that
make it through are directed attacks, such as an attempt to log in to
ssh, and those get blocked in other ways.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
