Snort mailing list archives
Re: Taking out the traffic on ports 22 and 443 suggestive?
From: Alberto Gonzalez <albertg () wwjh net>
Date: Wed, 23 Apr 2003 11:53:07 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You can go ahead and do that, I personally don't see much of a problem. You can check your logs for connects to SSH that didn't provide correct protocol version credentials (banner grabbing?). <example> Apr 23 10:50:49 cerebro sshd[7892]: Bad protocol version identification '' from 127.0.0.1 </example> Something like that might indicate that someone just wanted the SSH banner. HTH Cheers, Alberto Gonzalez On Wed, 23 Apr 2003, Edin Dizdarevic wrote:
Hi everybody, I was wondering if it would make sense to relief Snort by taking out the ports 22 and 443 using the BPF filters. HTTP(S) packets are usually quite big and looking inside of them is quite senseless for obvious reasons. With SSH stream4 is additionally burdened since those packets are usually quite small and are filling up it's memory waiting to be reassembled. Senseless too, IMHO... Of course scans won't be seen, but is that really important since a simple connect scan will find those ports open? Any comments on that? Regards, Edin
- -- "Success comes to the person who does today, what you are thinking of doing tomorrow." -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+prbma3vAB/3yp/IRAsvdAJ4hESgwYqL7E3s5eQmuVQoXaM4n1QCgtEX5 eqE3pcXO6/5hVnuUKrq5qQw= =CnzA -----END PGP SIGNATURE----- ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Taking out the traffic on ports 22 and 443 suggestive? Edin Dizdarevic (Apr 23)
- Re: Taking out the traffic on ports 22 and 443 suggestive? Erek Adams (Apr 23)
- Re: Taking out the traffic on ports 22 and 443 suggestive? Alberto Gonzalez (Apr 23)
- Re: Taking out the traffic on ports 22 and 443 suggestive? Edin Dizdarevic (Apr 23)
- Re: Taking out the traffic on ports 22 and 443 suggestive? Brian (Apr 24)
- Re: Taking out the traffic on ports 22 and 443 suggestive? Brian (Apr 24)