Snort mailing list archives

Re: Stopping portscanning


From: Max Lopez <mlopez () itesm mx>
Date: Fri, 7 Mar 2003 12:36:56 -0600

Thanks a lot Alberto:

I will think about this a little before we start to use the reset with those 
rules for NMAP and the like.

Thanks.

On Friday 07 March 2003 12:32 pm, Alberto Gonzalez wrote:
spp_portscan2 doesn't have a tcp reset feature (IIRC). Though snort comes
with rules to identify NMAP stealth scans, etc. You might want to try and
use flexresp with those rules. Though you're warned. My recommendations
still stand. Though using a firewall for this might IMHO fare a lot better.

Cheers!
   Alberto Gonzalez

On Fri, 7 Mar 2003, Max Lopez wrote:
Hi Alberto:

Yes, I am using spp_portscan2, so my question was something like this:

I have a RULE for the Kazaa traffic, and the "flex response" is the "tcp
reset".

Now, for the "portscan2" plugin, how do I send the same "tcp reset"?
Or, is there any other way to stop a portscan using Snort or some
plugins?

And I am going to move the portscan2 parameters to high numbers, so the
web transactions are not broken (I hope).

Thanks.

-- 

Max Lopez
Departamento de Redes Corporativo
ITESM Sistema
Tel. (81) 8358-2000  ext. 4136
Fax. (81) 8328-4208
Monterrey Mexico.

