Snort mailing list archives

RE: Nmap


From: "Marc Quibell" <mquibell () fbfs com>
Date: Thu, 20 Nov 2003 09:19:36 -0600




Er..maybe the webserver communicates with other servers on another port? Like
directory services...etc? I suppose it depends on where the firewall is, and
where the other internal servers are..etc.
I dunno, but I have this nagging feeling that source-port filtering really
doesn't accomplish much. I mean, today's attacks occur on the public ports, such
as port 80, 443, 21...etc. What you're doing is introducing outbound header
inspection, just to avoid the server responding from any other port besides 80.
What is the purpose of this anyways?

Cheese,

Marc



--__--__--

Message: 4
Subject: RE: [Snort-users] Nmap
Date: Wed, 19 Nov 2003 12:02:31 -0600
From: <bmcdowell () coxhealthplans com>
To: <snort-users () lists sourceforge net>


You know what, I just realized that I do do some filtering based on the
source port:  outbound filtering.  E.g.

iptables -A FORWARD -s [webserver] -p tcp ! --sport 80 -j DROP

There isn't anything wrong with doing that, is there?


Bob
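
Added example, not part of either message and not code from the list: a Python model of the rule quoted above, applied to constructed TCP packets that include the directory-service and port 443 traffic raised in the reply. The address 192.0.2.10 stands in for [webserver]; the packets, function names and the CONTINUE label (packet falls through to the rest of the chain) are assumptions made for the example.

```python
from dataclasses import dataclass

WEBSERVER = "192.0.2.10"  # constructed address standing in for [webserver]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    note: str


def forward_verdict(pkt, server=WEBSERVER, allowed_sport=80):
    """Model of the quoted FORWARD rule for TCP packets.

    A packet sourced from the web server with any source port other than
    allowed_sport is dropped; every other packet is not matched and falls
    through to whatever rules follow (reported as CONTINUE).
    """
    if pkt.src == server and pkt.sport != allowed_sport:
        return "DROP"
    return "CONTINUE"


# Constructed sample traffic (TCP only).
SAMPLE = [
    Packet(WEBSERVER, 80, "198.51.100.7", 51344, "HTTP response to a client"),
    Packet(WEBSERVER, 443, "198.51.100.7", 51390, "HTTPS response to a client"),
    Packet(WEBSERVER, 40112, "10.0.0.5", 389, "web server querying a directory service"),
    Packet(WEBSERVER, 40113, "203.0.113.9", 25, "outbound connection opened by the web server"),
    Packet("198.51.100.7", 51344, WEBSERVER, 80, "client request, not sourced from the server"),
]


def evaluate(packets):
    """Return (note, verdict) for each packet, in order."""
    return [(p.note, forward_verdict(p)) for p in packets]


if __name__ == "__main__":
    for note, verdict in evaluate(SAMPLE):
        print(f"{verdict:8} {note}")
```

Only replies leaving port 80 get past the rule: connections the server opens itself are dropped, and so are its HTTPS replies and directory-service lookups unless rules placed earlier in the chain accept them.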



