Snort mailing list archives

RE: Portscan: ignoreports option


From: Erek Adams <erek () theadamsfamily net>
Date: Sun, 10 Feb 2002 18:48:34 -0800 (PST)

On Sun, 10 Feb 2002, Andy Leigh wrote:

BPF filters seemed a good way to go as well, but when I tried to put a
filter together I became discouraged. The portscan is mostly being tripped
off each Windows 9x client trying to boot up and log in. The first time you
analyse how it does it, your jaw drops. For a network with only one PDC or a
PDC + BDC, I'm certain that this is not a problem. What I see is this:

[...snip...]

*gack*

Imagine 500 machines all booting up!

Dear lord....  I'm so glad I don't have to deal with that kind of 'fun'.

I could put a BPF filter in on "any 135:139" going to all the addresses in
the WINS boxes, but I think that I would then miss important other weird
behaviour against the NetBIOS structure. A "Portscan: ignoreports" option
would let me do all normal tracking, but not go mad with W9x bootup
behaviour.

Yep, in that situation an ignoreports option would be the only thing that could
save you.

By the way, all W9x clients do this behaviour with "administrator" as the
logon ID. Given that the machines aren't logging in, they are just probing,
I think this was irresponsible behaviour by the MS coders.

Well, it's not the optimum solution, but you could replace all those M$ boxes
with SunRays, *BSD boxes, Linux boxes, etc...  :)  Ok, it's a dream...

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
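The trade-off discussed in this thread, as an added illustration that is not part of the original messages or of Snort itself: a blanket BPF filter removes the NetBIOS traffic from every detector, while an ignoreports-style exemption only keeps it out of the portscan counter. The PDC address, the flow records and the threshold-based scan counter are all constructed for this example and are far simpler than Snort's real portscan preprocessor.

```python
from collections import defaultdict

# Constructed sample data: each record is (src, dst, dst_port).
PDC = "10.0.0.5"  # assumed PDC/WINS address, not taken from the thread
FLOWS = (
    # three W9x clients each touching 135, 137, 138, 139 on the PDC at boot
    [("10.0.1.%d" % i, PDC, p) for i in range(1, 4) for p in (135, 137, 138, 139)]
    # one host walking ten low ports on another server: a real scan
    + [("10.0.9.9", "10.0.0.8", p) for p in range(20, 30)]
    # an extra SMB packet that ordinary NetBIOS rules should still see
    + [("10.0.1.1", PDC, 139)]
)
NETBIOS_PORTS = frozenset(range(135, 140))
SCAN_THRESHOLD = 4  # distinct (dst, port) pairs from one source before alerting


def bpf_prefilter(flows):
    """Mimic a capture filter: drop PDC traffic on 135-139 before any detection."""
    return [f for f in flows if not (f[1] == PDC and f[2] in NETBIOS_PORTS)]


def portscan_alerts(flows, ignoreports=frozenset()):
    """Toy portscan counter; ignoreports exempts ports from this counter only."""
    seen = defaultdict(set)
    for src, dst, port in flows:
        if port in ignoreports:
            continue
        seen[src].add((dst, port))
    return sorted(src for src, targets in seen.items() if len(targets) >= SCAN_THRESHOLD)


def netbios_rule_hits(flows):
    """Stand-in for normal NetBIOS/SMB rules: packets to port 139 they get to inspect."""
    return sum(1 for _, _, port in flows if port == 139)


def compare():
    """Run the three configurations over the same flows and report what each sees."""
    filtered = bpf_prefilter(FLOWS)
    return {
        "raw_scans": portscan_alerts(FLOWS),                 # W9x boot-up trips the scanner
        "bpf_scans": portscan_alerts(filtered),             # quiet, but...
        "bpf_netbios": netbios_rule_hits(filtered),         # ...NetBIOS rules go blind
        "ignore_scans": portscan_alerts(FLOWS, NETBIOS_PORTS),
        "ignore_netbios": netbios_rule_hits(FLOWS),         # rules still see every packet
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```

Only the real scanner (10.0.9.9) is reported under either suppression, but the BPF variant also hides the port-139 traffic from every other rule, which is the loss the thread worries about.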


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
