Snort mailing list archives
RE: Nmap
From: "Marc Quibell" <mquibell () fbfs com>
Date: Thu, 20 Nov 2003 09:19:36 -0600
Er... maybe the webserver communicates with other servers on another port? Like directory services...etc? I suppose it depends on where the firewall is, and where the other internal servers are...etc. I dunno, but I have this nagging feeling that source-port filtering really doesn't accomplish much. I mean, today's attacks occur on the public ports, such as port 80, 443, 21...etc. What you're doing is introducing outbound header inspection, just to avoid the server responding from any other port besides 80. What is the purpose of this anyways? Cheese, Marc
--__--__--
Message: 4
Subject: RE: [Snort-users] Nmap
Date: Wed, 19 Nov 2003 12:02:31 -0600
From: <bmcdowell () coxhealthplans com>
To: <snort-users () lists sourceforge net>

You know what, I just realized that I do do some filtering based on the source port: outbound filtering. E.g.
iptables -A FORWARD -s [webserver] --sport ! 80 -j DROP
There isn't anything wrong with doing that, is there?
Bob
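
A small model of the rule quoted above, evaluated over constructed packets to show which forwarded flows it passes and which it drops, including the server-to-server case raised in the reply. This is an added example, not code from either poster: the address standing in for `[webserver]`, the sample packets, the `-p tcp` qualifier (which iptables needs before `--sport`) and the default ACCEPT policy are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed stand-in for the [webserver] placeholder in the posted rule.
WEBSERVER = ip_address("192.0.2.10")

@dataclass(frozen=True)
class Packet:
    note: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

def forward_verdict(pkt, policy="ACCEPT"):
    """Model of: iptables -A FORWARD -s [webserver] -p tcp --sport ! 80 -j DROP
    Assumes this is the only FORWARD rule and the chain policy is ACCEPT."""
    from_web = ip_address(pkt.src) == WEBSERVER
    if pkt.proto == "tcp" and from_web and pkt.sport != 80:
        return "DROP"
    return policy  # no rule matched, fall through to the chain policy

# Constructed sample traffic crossing the firewall.
SAMPLE = [
    Packet("http reply to client", "192.0.2.10", 80, "198.51.100.7", 51514),
    Packet("https reply to client", "192.0.2.10", 443, "198.51.100.7", 51600),
    # Server-initiated connection: the source port is ephemeral, not 80.
    Packet("ldap lookup to directory server", "192.0.2.10", 40112, "192.0.2.20", 389),
    Packet("reply from unplanned listener", "192.0.2.10", 8080, "198.51.100.9", 50222),
    # UDP never matches a rule that is qualified with -p tcp.
    Packet("dns query over udp", "192.0.2.10", 53000, "192.0.2.53", 53, "udp"),
    Packet("mail from another host", "192.0.2.30", 40000, "203.0.113.5", 25),
]

def summarize(packets):
    """Map each packet's note to the verdict the modelled rule gives it."""
    return {p.note: forward_verdict(p) for p in packets}

if __name__ == "__main__":
    for note, verdict in summarize(SAMPLE).items():
        print(f"{verdict:6} {note}")
```

Only the port-80 reply survives among the web server's TCP flows: HTTPS replies and the directory lookup are dropped along with the unplanned listener, while UDP and other hosts are untouched by the rule.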