Snort mailing list archives
Re: Stopping portscanning
From: Max Lopez <mlopez () itesm mx>
Date: Fri, 7 Mar 2003 12:23:38 -0600
Ok.. actually we have a NAT, but as we are not using "Cisco Overload" nat , so every host has a "public" address (although this public address changes from time to time), not as a traditional "proxy" in wich all internal IP address goes to the Internet as just one IP referenced by the port number. In this case every host has a nat translation that last for 10 minutes, and as long as the host has traffic the translation time extends, so a port scanning to an active nat translation is succesfull since the nat is mantained by the scanning itself. Well, seems like we need a Stateful inspection system, but as we have about 20,000 hosts this gets dificult to deploy. Thanks a lot. On Friday 07 March 2003 11:59 am, twig les wrote:
Stateful inspection/NAT at the border works well, although not always feasible. We also end almost all of our Cisco acls with a "deny ip any any log" and that helps too. I don't see Snort doing this very well, especially because of the high rate of false positives in this area. --- Max Lopez <mlopez () itesm mx> wrote:Hi: I am using Snort to detect Kazaa and Gnutella trafic, and to send a TCP Reset to both IPs when the Snort detects the traffic, we have been able to lower the traffic in our "Internet 2" serial (E3-34mbps) from 10-12mbps to 1-2 mbps. Now I am seeing a lot of portscans, so I am looking for some way to stop that portscanning, I am not sure if there is some way to send TCP_RESETs or HOST_UNREACHABLE icmp's.. do you have any way of stopping those scans?? Thanks a lot. -- Max Lopez Departamento de Redes Corporativo ITESM Sistema Tel. (81) 8358-2000 ext. 4136 Fax. (81) 8328-4208 Monterrey Mexico. ------------------------------------------------------- This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger for complex code. Debugging C/C++ programs can leave you feeling lost and disoriented. TotalView can help you find your way. Available on major UNIX and Linux platforms. Try it free. www.etnus.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users===== ----------------------------------------------------------- Know yourself and know your enemy and you will never fear defeat. ----------------------------------------------------------- __________________________________________________ Do you Yahoo!? Yahoo! Tax Center - forms, calculators, tips, more http://taxes.yahoo.com/
-- Max Lopez Departamento de Redes Corporativo ITESM Sistema Tel. (81) 8358-2000 ext. 4136 Fax. (81) 8328-4208 Monterrey Mexico. ------------------------------------------------------- This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger for complex code. Debugging C/C++ programs can leave you feeling lost and disoriented. TotalView can help you find your way. Available on major UNIX and Linux platforms. Try it free. www.etnus.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Stopping portscanning Max Lopez (Mar 07)
- Re: Stopping portscanning twig les (Mar 07)
- Re: Stopping portscanning Max Lopez (Mar 07)
- Re: Stopping portscanning Alberto Gonzalez (Mar 07)
- Re: Stopping portscanning Max Lopez (Mar 07)
- Re: Stopping portscanning Alberto Gonzalez (Mar 07)
- Re: Stopping portscanning Max Lopez (Mar 07)
- Re: Stopping portscanning Max Lopez (Mar 07)
- Re: Stopping portscanning twig les (Mar 07)