IDS mailing list archives
What about PortSentry?
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 3 Sep 2003 09:47:07 -0500
-----Original Message-----
From: Daniel Cid [mailto:danielcid () yahoo com br]
Sent: Wednesday, September 03, 2003 8:30 AM
To: Schmehl, Paul L
Cc: focus-ids () securityfocus com
Subject: RE: Top IPS - please read for invitation to Network World review.
Yeah, you can add some hosts to be ignored. But you will never put "all" of them. It's very easy to get a lot of problems using this kind of software. btw, what is the advantage to block port scans? The important thing is to keep your system safe. And if an attacker notices that his ip is being blocked after a port scan, he will know that you are running this kind of IPS and will change his way to attack the system. It is not going to add any benefit
Huh? If, every time you attempt to port scan my box, you get blocked at the firewall, sooner or later you're going to run out of IPs to attack me from. And the only hosts that I would *want* to ignore would be ones that I trust. Remember, we're talking about HIDS/HIPS, *not* NIDS.

I have been running PortSentry on an Internet-exposed web server (no protection except host-based) for over two years now, and I have yet to see even a successful *attempt* to scan the box. The only attacks that make it through are directed attacks, such as an attempt to login to ssh, and those get blocked in other ways.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/