Snort mailing list archives
Re: port scan rule
From: Jason <jason () brvenik com>
Date: Thu, 9 May 2013 17:27:43 -0400
You can't really block port scans, you can potentially block port scanners. The problem is that a port scan can manifest in hundreds of ways, from hundreds of sources, or be an errant typo from one person trying to connect to a different system. When you see an event for a port scan it means that the system identified activity typical of a scan; you would then need to block the scanner _entirely_ to prevent them from being able to continue the scan. It is really a futile effort as it opens you up to trivial denial of service.

On Thu, May 9, 2013 at 5:22 PM, Balla István <balla.bmf () gmail com> wrote:
> hey guys, could you tell me which rule should I set to drop if I wanna block all port scans?
>
> from my snort.conf:
>
> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { medium } detect_ack_scan
>
> if I'm right it only detects ack flags without a 3-way handshake. my question is how to configure it to detect all port scans and which rules to set to drop?
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their applications. This 200-page book is written by three acclaimed leaders in the field. The early access version is available now. Download your free book today!
> http://p.sf.net/sfu/neotech_d2d_may
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
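For readers following the thread, here is an sfportscan configuration that covers the full set of scan types the preprocessor knows about, rather than the single-line setup quoted above. This is an added example, not configuration posted by either participant; the option names are the ones the Snort 2.9 manual documents for sfportscan, while the address ranges and log path are constructed placeholders.

```snort
# Added example (not from this thread): sfportscan tuned to watch every
# scan type, with allowlists so expected scanners do not generate events.
# Addresses and the log path are constructed placeholders.
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    sense_level { medium } \
    memcap { 10000000 } \
    ignore_scanners { 192.0.2.10/32 } \
    ignore_scanned { 192.0.2.0/24 } \
    detect_ack_scan \
    logfile { /var/log/snort/portscan.log }
```

`scan_type { all }` enables portscan, portsweep, decoy_portscan and distributed_portscan detection; `detect_ack_scan` additionally includes sessions picked up midstream, which is what makes ACK scans visible but also raises the false-positive rate under load. `ignore_scanners` exempts a host you run authorised scans from, and `ignore_scanned` exempts targets you do not care about; both reduce the event volume far more safely than any automatic block. sfportscan is a preprocessor, so its events (generator ID 122) are tuned here in the preprocessor line, not in a text rule, and, in line with Jason's point, the defensive response is alert-and-investigate rather than dropping traffic from whatever source address the scan appears to come from.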
Current thread:
- port scan rule Balla István (May 09)
- Re: port scan rule Balla István (May 09)
- Re: port scan rule ARUN PUSHKAR (May 13)
- Re: port scan rule Jason (May 09)
- Re: port scan rule Balla István (May 09)