Snort mailing list archives
RE: Portscan: ignoreports option
From: Erek Adams <erek () theadamsfamily net>
Date: Sun, 10 Feb 2002 18:48:34 -0800 (PST)
On Sun, 10 Feb 2002, Andy Leigh wrote:
> BPF filters seemed a good way to go as well, but when I tried to put a filter together I became discouraged. The portscan is mostly being tripped off each Windows 9x client trying to boot up and log in. The first time you analyse how it does it, your jaw drops. For a network with only one PDC or a PDC + BDC, I'm certain that this is not a problem. What I see is this:
> [...snip...]

*gack*

> Imagine 500 machines all booting up!
Dear lord.... I'm so glad I don't have to deal with that kind of 'fun'.
> I could put a BPF filter in on "any 135:139" going to all the addresses in the WINS boxes, but I think that I would then miss important other weird behaviour against the NetBIOS structure. A "Portscan: ignoreports" option would let me do all normal tracking, but not go mad with W9x bootup behaviour.

Yep, in that situation an ignoreports option would be the only thing that could save you.

> By the way, all W9x clients do this behaviour with "administrator" as the logon ID. Given that the machines aren't logging in, they are just probing, I think this was irresponsible behaviour by the MS coders.
Well, it's not the optimum solution, but you could replace all those M$ boxes with SunRays, *BSD boxes, Linux boxes, etc... :) Ok, it's a dream...

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
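The trade-off the two posts describe, modelled as an added example that is not from the thread or from Snort itself: a BPF filter discards NetBIOS packets to the WINS boxes before any rule sees them, while an ignoreports-style option keeps those packets for signature rules and only exempts them from portscan counting. Addresses, ports, the threshold and the toy "rule" are all assumptions made for the demo.

```python
from collections import defaultdict

# Constructed traffic; addresses, ports and thresholds are assumptions for the demo.
WINS = {"10.0.1.1", "10.0.1.2"}
NETBIOS = {135, 136, 137, 138, 139}
# Three W9x clients poke every NetBIOS port on every WINS box at boot.
w9x_boot = [("10.0.0.%d" % i, w, p)
            for i in (11, 12, 13) for w in sorted(WINS) for p in sorted(NETBIOS)]
# One outside host touches port 139 on a WINS box: the "weird NetBIOS behaviour" worth seeing.
outside = [("192.0.2.7", "10.0.1.1", 139)]
# A genuine sweep of low ports from another outside host.
sweep = [("192.0.2.8", "10.0.1.1", p) for p in range(20, 40)]
TRAFFIC = w9x_boot + outside + sweep  # tuples of (src, dst, dport)


def bpf_exclude(packets):
    """Model the BPF approach: drop NetBIOS packets to WINS boxes before Snort sees them."""
    return [pk for pk in packets if not (pk[1] in WINS and pk[2] in NETBIOS)]


def netbios_rule(packets):
    """Model a signature rule: NetBIOS traffic from outside the (assumed) 10.0.0.0/16 site."""
    return sorted({pk[0] for pk in packets
                   if pk[2] in NETBIOS and not pk[0].startswith("10.0.")})


def portscan(packets, threshold=8, ignore_ports=frozenset()):
    """Model a portscan preprocessor with the proposed ignoreports option:
    a source is flagged when it touches more than `threshold` distinct
    (dst, port) pairs, with packets to ignored ports not counted at all."""
    seen = defaultdict(set)
    for src, dst, dport in packets:
        if dport not in ignore_ports:
            seen[src].add((dst, dport))
    return sorted(s for s, targets in seen.items() if len(targets) > threshold)


def compare():
    """Return (portscan hits, rule hits) for each of the three strategies."""
    filtered = bpf_exclude(TRAFFIC)
    return {
        "neither": (portscan(TRAFFIC), netbios_rule(TRAFFIC)),
        "bpf": (portscan(filtered), netbios_rule(filtered)),
        "ignoreports": (portscan(TRAFFIC, ignore_ports=NETBIOS), netbios_rule(TRAFFIC)),
    }


if __name__ == "__main__":
    for name, (scans, rules) in compare().items():
        print("%-12s portscan=%s rule=%s" % (name, scans, rules))
```

With no filtering, every booting client trips the scan threshold; the BPF filter silences them but also hides the outside NetBIOS probe from the rule, whereas the ignoreports model keeps the rule hit and still flags the real sweep.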