Snort mailing list archives
Re: Portscan: ignoreports option
From: Erek Adams <erek () theadamsfamily net>
Date: Sat, 9 Feb 2002 13:01:46 -0800 (PST)
On Sat, 9 Feb 2002, Jon Hart wrote: [...snip...]
The problem is that you may just be shooting yourself in the foot with a directive like this. If I had "portscan-ignoreports: 20" in my config file, all an attacker would have to do to evade my IDS would be to send traffic from port 20. That's assuming an ignoreports directive would only apply to one of src_port or dst_port, but even that is open to debate.
[...snip...]

Unless I'm missing something... Couldn't you use BPF filters? Snort has the ability to read in BPF filters from a file (-F <bpf filter file>). You could simply have something like "not host x.x.x.x and port 20" to do what you want.

I might be a bit off on this, discussions are welcome!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
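The -F filter suggested above is a libpcap capture filter, so whatever it does not match Snort never sees, and how it groups depends on operator precedence: in the pcap-filter grammar `not` binds tightest, so `not host x.x.x.x and port 20` is read as `(not host x.x.x.x) and port 20`, while `not (host x.x.x.x and port 20)` exempts only that host's port-20 traffic. The following is an added example, not code from the thread or from Snort: a toy evaluator for a small subset of the filter grammar (host, port, src port, dst port, not, and, or, parentheses) run over a few constructed packets. The addresses 10.0.0.5 (standing in for "x.x.x.x") and 192.0.2.66 (a scanner) and the packet list are assumptions made up for the example; `and` is given priority over `or`, as in libpcap's grammar, though neither sample filter uses `or`. It also shows the evasion Jon Hart describes: a probe sent from source port 20 by some other host.

```python
"""Toy evaluator for a subset of the pcap/BPF filter grammar.

Added example, not Snort or libpcap code. It models how a Snort -F filter
file is applied well enough to check which packets a given expression keeps.
Precedence modelled: 'not' tightest, then 'and', then 'or'.
"""
import re

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


def tokenize(expr):
    return TOKEN_RE.findall(expr)


class Parser:
    """Recursive-descent parser producing a tuple tree, e.g. ('and', a, b)."""

    def __init__(self, expr):
        self.toks = tokenize(expr)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("trailing tokens: %r" % self.toks[self.pos:])
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "or":
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() == "and":
            self.take()
            left = ("and", left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        if tok == "host":
            return ("host", self.take())
        if tok == "port":
            return ("port", "any", int(self.take()))
        if tok in ("src", "dst"):
            if self.take() != "port":
                raise ValueError("only 'src port' / 'dst port' are supported here")
            return ("port", tok, int(self.take()))
        raise ValueError("unsupported token %r" % tok)


def matches(node, pkt):
    """Evaluate a parsed filter against one packet (a dict with src/dst/sport/dport)."""
    kind = node[0]
    if kind == "not":
        return not matches(node[1], pkt)
    if kind == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if kind == "host":
        return node[1] in (pkt["src"], pkt["dst"])
    if kind == "port":
        _, direction, port = node
        if direction == "src":
            return pkt["sport"] == port
        if direction == "dst":
            return pkt["dport"] == port
        return port in (pkt["sport"], pkt["dport"])
    raise ValueError(kind)


def seen_by_snort(filter_expr, packets):
    """Names of the packets Snort would still process under this -F filter."""
    tree = Parser(filter_expr).parse()
    return [p["name"] for p in packets if matches(tree, p)]


# Constructed sample traffic (assumed for the example, not from the thread).
# 10.0.0.5 is the trusted FTP server standing in for "x.x.x.x"; 192.0.2.66 scans us.
PACKETS = [
    {"name": "ftp-data from trusted server", "src": "10.0.0.5", "dst": "10.0.0.9", "sport": 20, "dport": 40001},
    {"name": "ssh from trusted server", "src": "10.0.0.5", "dst": "10.0.0.9", "sport": 22, "dport": 40002},
    {"name": "probe from scanner, sport 20", "src": "192.0.2.66", "dst": "10.0.0.9", "sport": 20, "dport": 139},
    {"name": "probe from scanner, sport 31337", "src": "192.0.2.66", "dst": "10.0.0.9", "sport": 31337, "dport": 445},
]

AS_QUOTED = "not host 10.0.0.5 and port 20"        # parses as (not host) and port
PARENTHESIZED = "not (host 10.0.0.5 and port 20)"  # exempts only that host's port-20 traffic

if __name__ == "__main__":
    for expr in (AS_QUOTED, PARENTHESIZED):
        print("%-34s -> %s" % (expr, seen_by_snort(expr, PACKETS)))
```

Run as a script it prints which packets survive each filter: the unparenthesized form leaves Snort looking only at port-20 traffic from hosts other than 10.0.0.5, whereas the parenthesized form keeps everything except the trusted server's port-20 traffic, so the scanner's port-20 probe is still inspected rather than silently exempted.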
Current thread:
- Portscan: ignoreports option Andy Leigh (Feb 08)
- Re: Portscan: ignoreports option Jon Hart (Feb 09)
- Re: Portscan: ignoreports option Erek Adams (Feb 09)
- Re: Portscan: ignoreports option Jon Hart (Feb 09)
- Re: Portscan: ignoreports option Erek Adams (Feb 09)
- Re: Portscan: ignoreports option Erek Adams (Feb 09)
- Re: Portscan: ignoreports option Jon Hart (Feb 09)
- <Possible follow-ups>
- RE: Portscan: ignoreports option Andy Leigh (Feb 10)
- RE: Portscan: ignoreports option Erek Adams (Feb 10)