Snort mailing list archives

Re: Taking out the traffic on ports 22 and 443 suggestive?


From: Alberto Gonzalez <albertg () wwjh net>
Date: Wed, 23 Apr 2003 11:53:07 -0400 (EDT)



You can go ahead and do that; I personally don't see much of a problem. 
You can check your logs for connects to SSH that didn't provide correct 
protocol version credentials (banner grabbing?). 

<example>

Apr 23 10:50:49 cerebro sshd[7892]: Bad protocol version identification '' from 127.0.0.1

</example> 

Something like that might indicate that someone just wanted the SSH 
banner. 

HTH

 Cheers,
 Alberto Gonzalez 

On Wed, 23 Apr 2003, Edin Dizdarevic wrote:


Hi everybody,

I was wondering if it would make sense to relieve Snort by taking
out ports 22 and 443 using BPF filters. HTTP(S) packets are
usually quite big and looking inside them is quite senseless for
obvious reasons. With SSH, stream4 is additionally burdened since those
packets are usually quite small and are filling up its memory waiting
to be reassembled. Senseless too, IMHO...

Of course scans won't be seen, but is that really important since
a simple connect scan will find those ports open?

Any comments on that?

Regards,

Edin



-- 
"Success comes to the person who does today, what you are thinking of doing tomorrow." 

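The log check Alberto suggests, worked through as an added example (this is not code from the thread or from the Snort project). If ports 22 and 443 are filtered out of Snort with a BPF expression such as `not (tcp port 22 or tcp port 443)`, the only remaining record of someone grabbing the SSH banner is sshd's own syslog output. The script below parses OpenSSH's "Bad protocol version identification" and "Did not receive identification string" messages, tallies them per source address, and flags sources that hit the banner repeatedly. The log lines are constructed for the example; the thresholds and the function names are my own choices.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log in the syslog format sshd writes through syslogd.
# These lines are made up for the example; only the first one mirrors the
# message shape quoted in the mail.
SAMPLE_LOG = """\
Apr 23 10:50:49 cerebro sshd[7892]: Bad protocol version identification '' from 127.0.0.1
Apr 23 10:51:02 cerebro sshd[7893]: Accepted publickey for edin from 192.0.2.10 port 51522 ssh2
Apr 23 10:52:17 cerebro sshd[7895]: Bad protocol version identification 'GET / HTTP/1.0' from 198.51.100.7
Apr 23 10:52:18 cerebro sshd[7896]: Bad protocol version identification '' from 198.51.100.7
Apr 23 10:53:40 cerebro sshd[7897]: Did not receive identification string from 203.0.113.5
Apr 23 10:54:01 cerebro sshd[7898]: Bad protocol version identification '' from 198.51.100.7
"""

# sshd logs this when the client sent something that is not "SSH-x.y-..."
# (an empty string when the client just read the banner and closed).
BAD_VERSION_RE = re.compile(
    r"sshd\[\d+\]: Bad protocol version identification '(?P<ident>[^']*)' from (?P<src>\S+)"
)
# sshd logs this when the client disconnected before sending any version string.
NO_IDENT_RE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (?P<src>\S+)"
)


def classify_line(line):
    """Return (source, kind) for a banner-grab style sshd line, else None.

    kind is one of:
      empty_version    - client sent an empty version string
      non_ssh_version  - client sent something that is not an SSH version
                         (e.g. an HTTP request aimed at port 22)
      no_version_sent  - client closed without sending any version
    """
    m = BAD_VERSION_RE.search(line)
    if m:
        kind = "empty_version" if m.group("ident") == "" else "non_ssh_version"
        return m.group("src"), kind
    m = NO_IDENT_RE.search(line)
    if m:
        return m.group("src"), "no_version_sent"
    return None


def tally_banner_grabs(log_text):
    """Count banner-grab events per source address, broken down by kind."""
    tally = defaultdict(Counter)
    for line in log_text.splitlines():
        result = classify_line(line)
        if result is None:
            continue  # normal sshd traffic (logins, disconnects, ...)
        src, kind = result
        tally[src][kind] += 1
    return {src: dict(kinds) for src, kinds in tally.items()}


def likely_scanners(log_text, min_events=2):
    """Sources with at least min_events banner grabs, sorted for stable output.

    A single empty version string is often a monitoring probe or a typo'd
    client; repeated hits from one address look more like reconnaissance.
    The threshold is an assumption for the example, not an sshd setting.
    """
    tally = tally_banner_grabs(log_text)
    return sorted(src for src, kinds in tally.items()
                  if sum(kinds.values()) >= min_events)


if __name__ == "__main__":
    for src, kinds in sorted(tally_banner_grabs(SAMPLE_LOG).items()):
        print(src, kinds)
    print("likely scanners:", likely_scanners(SAMPLE_LOG))
```

On the filter side, Snort accepts a BPF expression on its command line after the other options (or from a file with `-F`), so the exclusion Edin describes is the same syntax tcpdump uses; check the manual page for your Snort version before relying on that. Keep in mind that once those ports are filtered, this sshd log check is the only thing that will tell you the banner was pulled, and nothing at all will tell you who touched port 443.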


