Snort mailing list archives
Re: port scan rule
From: Jason <jason () brvenik com>
Date: Thu, 9 May 2013 17:27:43 -0400
You can't really block port scans; you can potentially block port scanners. The problem is that a port scan can manifest in hundreds of ways, from hundreds of sources, or be an errant typo from one person trying to connect to a different system. When you see an event for a port scan, it means that the system identified activity typical of a scan; you would then need to block the scanner _entirely_ to prevent them from being able to continue the scan. It is really a futile effort, as it opens you up to trivial denial of service.

On Thu, May 9, 2013 at 5:22 PM, Balla István <balla.bmf () gmail com> wrote:
hey guys,
could you tell me which rule I should set to drop if I want to block all
port scans?
from my snort.conf:
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { medium } detect_ack_scans
if I'm right it only detects ACK flags without a 3-way handshake. my question is how
to configure it to detect all port scans, and which rules to set to drop?
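Jason's point above (a portscan event only says "this looks like a scan", and a policy that blocks every source the detector names lets anyone who can forge source addresses decide who gets blocked), worked through in an added Python sketch that is not part of the thread. It is a simplified portscan/portsweep counter, not Snort's sfportscan algorithm, run over constructed flow records; every address, port and threshold below is made up.

```python
from collections import defaultdict

# Constructed flow records (src, dst, dport); sample data, not from the thread.
FLOWS = (
    # a real scanner probing 20 ports on one host
    [("203.0.113.5", "192.0.2.10", p) for p in range(1, 21)]
    # a sweeper probing port 22 on 12 hosts
    + [("203.0.113.9", f"192.0.2.{h}", 22) for h in range(30, 42)]
    # an ordinary user who mistyped a port once (two connection attempts)
    + [("198.51.100.7", "192.0.2.10", 443), ("198.51.100.7", "192.0.2.10", 4443)]
    # probes carrying a *spoofed* source: the address of an internal server
    # (192.0.2.20, constructed) is written into 12 SYNs it never sent
    + [("192.0.2.20", "192.0.2.10", p) for p in range(8000, 8012)]
)

def detect_scans(flows, port_threshold=10, host_threshold=10):
    """Simplified sfportscan-style heuristic (not Snort's actual algorithm):
    portscan  = one source touches many ports on one destination,
    portsweep = one source touches one port on many destinations.
    Returns {src_ip: set of scan types}."""
    ports_per_pair = defaultdict(set)   # (src, dst)   -> {dport}
    hosts_per_port = defaultdict(set)   # (src, dport) -> {dst}
    for src, dst, dport in flows:
        ports_per_pair[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)
    hits = defaultdict(set)
    for (src, _dst), ports in ports_per_pair.items():
        if len(ports) >= port_threshold:
            hits[src].add("portscan")
    for (src, _dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            hits[src].add("portsweep")
    return dict(hits)

def auto_block(flows, **thresholds):
    """The 'block the scanner entirely' policy from the thread:
    every source address the detector names goes on the block list."""
    return set(detect_scans(flows, **thresholds))

if __name__ == "__main__":
    print("scan events:", detect_scans(FLOWS))
    print("auto-blocked:", sorted(auto_block(FLOWS)))
    # The typo user is not flagged, but the spoofed internal server is:
    # the block list is chosen by whoever controls the source field.
```

Raising the thresholds (the analogue of a lower sense_level) only trades missed scans for fewer false blocks; it does not remove the spoofing problem.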
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest
Snort news!
