Re: [PEN-TEST] Undetectible NMAP scans

[Swen Schisler <sschisler () VIRBUS DE>]

Am Son, 27 Aug 2000 schrieben Sie:
> Jose Nazario wrote:
> > On Thu, 24 Aug 2000, Devdas Bhagat wrote:
> >
> > > Its moved to http://www.openwall.com/scanlogd .
> >
> > while scanlogd can detect them, along with some other tools (scanlogd is
> > my personal favorite), you can't stop stealth scans, either, without a
> > packet filter that lets you block on the basis of arbitrary flags. ichains
> > doesn't have that capability, as i recall. (i use OpenBSD/ipfilter
> > firewalls, FWIW.)
>
> Even tho people recommend Snort over it, I still prefer Abacus PortSentry
> (http://www.psionic.com/abacus/portsentry/).
>
> It's config allows for active response to portscans.  It contains a list of
> defaults for ipfwadm as well as ipchains for a variety of OS flavors.  Given the

snort, at least is able to reset connections if configured with the
--enable-flexresp flag. Then you can add in the rules file something like
resp=<something_to_do> to an event signature to define an action which snort
should perform if the event occurs.   The defined actions you can read in the
README.FLEXRESP in the snort directory.

> manner it works in, I reckon it'd be no problem at all to deploy it functioning
> with iptables/ipfilters.  Also, if you don't care to drop routes, it will dump
> offending IPs into hosts.deny.
>
> BSD Today has an article at http://www.bsdtoday.com/2000/July/Features233.html
> as well.
>
> Psionic offers a log analyzer, LogCheck, on their site also.  Works very well in
> conjunction with Portsentry or Snort.
>
> -aj.

--------------------------------------------------------------------------------
Swen Schisler
VIRBUS AG
Leipzig
Germany
Tel.: +49-341/9797407
E-mail: sschisler () virbus de
--------------------------------------------------------------------------------

In a world without walls and fences, nobody need gates and windows.