Snort mailing list archives
Re: Snortsam / Portscanning Detection
From: christian graf <cg () sc-graf de>
Date: Tue, 30 Dec 2003 18:03:14 +0100
Hi Tuomas,

active blocking of portscans can get you in big trouble, as it is very easy to spoof the machine-src-adr. Just 2 examples:

1) using the decoys in e.g. nmap: nmap can hide its own scan with some decoy-hosts, means those hosts must exist and be reachable. Your PIX will LOG all the decoys (because their addresses have been spoofed by the nmap-guy). If you are now blocking the scanning-guys you will mistakenly block the decoys too.

2) if the attacker is driving an idle-scan http://www.insecure.org/nmap/idlescan.html in short, using this technique the guy who is driving the scan "NEVER" sends any packet during the scan to your pix. All packets you are seeing are from the zombie-host. And therefore you will block the zombie.

If somebody wants to harm you, both versions (idle-scan / decoys) are just fine to let you block anything the attacker wants! So take care when you are implementing any active-features - it may be used against yourself.

christian

Just

On Mon, 29.12.2003 at 20:45, Tuomas Groves wrote:
Hey everyone,

I was going to try to get our PIX firewall set up with snort / snortsam and I had a question. We are interested in having the firewall block the offending IP address when we receive a portscan, but I could not figure out where we should place the "fwsam: src, 5 minutes;" entry, because in snort 2.1.0 (I do not know about previous versions) the portscanning detection is a preprocessor. If I set the "output-mode" to "pktkludge" I can see it in the alerts database and everything, but as I said, I have no idea how to set a different output plug-in for this. That is if it can even currently be done.

Any help would be greatly appreciated.

Tuomas Groves
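The point made above (an auto-block driven by source address can be turned against you by spoofed decoys or an idle-scan zombie) is the reason a block action such as snortsam's "fwsam: src" is usually put behind a gate. The following is an added example, not code from the thread or from snortsam: the allowlist, the window of 300 seconds, the cap of 3 blocks per window and the alert sample are all constructed assumptions.

```python
import ipaddress
from collections import deque

# Constructed: addresses that must never be blocked automatically
# (default gateway, DNS, upstream partners, the sensor itself).
ALLOWLIST = ["192.0.2.0/24", "10.0.0.1/32"]
MAX_BLOCKS_PER_WINDOW = 3   # cap on distinct blocks within one window
WINDOW_SECONDS = 300        # sliding window, matches the 5-minute block above


class BlockGate:
    """Decide whether a portscan alert may turn into a firewall block."""

    def __init__(self, allowlist, max_blocks, window):
        self.nets = [ipaddress.ip_network(n) for n in allowlist]
        self.max_blocks = max_blocks
        self.window = window
        self.recent = deque()  # (timestamp, ip) of blocks already issued

    def decide(self, src_ip, ts):
        ip = ipaddress.ip_address(src_ip)
        if any(ip in net for net in self.nets):
            return "skip-allowlisted"
        # Forget blocks that fell out of the sliding window.
        while self.recent and ts - self.recent[0][0] > self.window:
            self.recent.popleft()
        if any(blocked == ip for _, blocked in self.recent):
            return "already-blocked"
        # A burst of many distinct sources (decoy-style) hits this cap;
        # after that, alerts are still logged but no longer acted upon.
        if len(self.recent) >= self.max_blocks:
            return "skip-rate-limited"
        self.recent.append((ts, ip))
        return "block"


# Constructed alert stream: (seconds since start, alleged source address).
SAMPLE_ALERTS = [
    (0, "203.0.113.10"), (1, "192.0.2.1"), (2, "203.0.113.11"),
    (3, "203.0.113.10"), (4, "203.0.113.12"), (5, "203.0.113.13"),
    (400, "203.0.113.14"),
]


def evaluate_alerts(alerts):
    """Run the gate over an alert stream and return one decision per alert."""
    gate = BlockGate(ALLOWLIST, MAX_BLOCKS_PER_WINDOW, WINDOW_SECONDS)
    return [gate.decide(src, ts) for ts, src in alerts]


if __name__ == "__main__":
    for (ts, src), verdict in zip(SAMPLE_ALERTS, evaluate_alerts(SAMPLE_ALERTS)):
        print(f"t={ts:>3}s {src:<14} -> {verdict}")
```

The gate does not tell a spoofed source from a real one; it only keeps a forged burst from locking out your gateway or more hosts than you would block by hand in five minutes.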
Current thread:
- Snortsam / Portscanning Detection Tuomas Groves (Dec 29)
- Re: Snortsam / Portscanning Detection Frank Knobbe (Dec 29)
- Re: Snortsam / Portscanning Detection christian graf (Dec 31)