Snort mailing list archives

Re: Firewall stopping detection?


From: "J. C. Woods" <drjung () sprynet com>
Date: Mon, 20 Aug 2001 14:54:51 -0500

Matthew Collins wrote:

Do you have a rule that detects NetBIOS Connections? That is what grc.com checks for. Not a lot of use against Debian 
(unless you are running samba).

David Findlay <david_j_findlay () yahoo com au> 20/08/01 12:46:09 >>>
I have just installed snort from Debian Unstable, and customised the config
file to suit my system. I then went to grc.com and used the probe my ports
thing, to see if snort would detect it, but I get nothing in the logs. I have
a firewall using ipchains, which blocks all connections except for stuff
initiated from inside. How do I get snort to still detect attack attempts
coming in? Thanks,

David

P.S. Please CC me your reply as I am not a subscriber to the list. Thanks :-)

Whoa, now I am confused (no big deal)! grc.com will conduct a limited
portscan on about six or seven privileged ports. This is an attempt, by
grc.com, to connect to such ports as port 21, port 80, port 110, etc.
Now, this portscan has nothing to do with port 137 or 138. It is a
regular portscan in the mode of "nmap". grc.com does do a "shield check"
that will also check out your NetBIOS connections, if running. Whenever
I have used the grc.com portscan, snort does indeed pick it up....

drjung
 
-- 
J. Craig Woods
UNIX SA

-Art is the illusion of spontaneity-
