Snort mailing list archives

Snort as Firewall Check?


From: Dick via Snort-users <snort-users () lists snort org>
Date: Fri, 16 Aug 2019 11:52:39 -0700

For some time, I have wondered if the firewall log on my router was accurately detecting the various types of internet ugliness (Denial of Service, Port Scans, etc.)

It occurred to me that I could set up a machine in the router DMZ and separately monitor internet traffic using something like Snort.  The new Raspberry Pi 4 seems like a possible candidate, what with 4GB memory and a true gigabit ethernet port.

Before charging down that track, I want to confirm that this is something Snort would be useful for.  Here are some of the things the router reports:

[DoS Attack: ACK Scan] from source: 103.38.23.5, port 80, Thursday, August 08, 2019 04:54:39
[DoS Attack: ACK Scan] from source: 13.33.227.116, port 443, Sunday, August 04, 2019 16:50:54
[DoS Attack: ACK Scan] from source: 13.33.231.78, port 443, Tuesday, August 06, 2019 21:16:50
[DoS Attack: SYN/ACK Scan] from source: 104.196.243.253, port 80, Tuesday, August 06, 2019 08:48:23
[DoS Attack: SYN/ACK Scan] from source: 108.187.116.197, port 80, Monday, August 12, 2019 06:57:30
[DoS Attack: SYN/ACK Scan] from source: 108.187.116.197, port 80, Monday, August 12, 2019 14:52:03
[DoS Attack: RST Scan] from source: 104.27.133.183, port 80, Saturday, August 03, 2019 00:41:47
[DoS Attack: RST Scan] from source: 107.77.253.8, port 19092, Friday, August 02, 2019 22:25:50
[DoS Attack: RST Scan] from source: 113.160.23.146, port 56688, Sunday, August 11, 2019 18:56:03
[DoS Attack: TCP/UDP Chargen] from source: 104.152.52.35, port 47986, Monday, August 12, 2019 15:30:18
[DoS Attack: TCP/UDP Chargen] from source: 120.52.152.15, port 55340, Friday, August 09, 2019 03:03:18
[DoS Attack: TCP/UDP Chargen] from source: 120.52.152.17, port 58914, Friday, August 09, 2019 08:15:56
[DoS Attack: TCP/UDP Echo] from source: 104.152.52.35, port 47986, Monday, August 12, 2019 15:35:52
[DoS Attack: TCP/UDP Echo] from source: 136.41.0.79, port 49250, Sunday, August 11, 2019 15:03:22
[DoS Attack: TCP/UDP Echo] from source: 136.41.0.79, port 49250, Sunday, August 11, 2019 15:03:25

Please forgive me if this question is inappropriate.  My internet searches have not turned up information that helps me with this decision.
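Before standing up a second sensor, it helps to get the router's own log into a form that can be compared against Snort alerts for the same time window. The script below is an added example (not from the post or the Snort project): it parses entries in the format the router emits, counts them by type, lists sources that recur, and applies a simple triage heuristic. The heuristic is an assumption of this example, not router documentation: "scan" entries whose source port is 80 or 443 are usually late replies from ordinary web servers after the router's NAT entry expired, and the Chargen/Echo entries are probes for legacy services that are worth confirming closed. The sample input is a subset of the lines quoted in the post; because the mail ran the entries together on one line, the parser scans the whole text with a regular expression instead of splitting on newlines, so it handles both layouts.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: a subset of the router entries quoted in the post above.
SAMPLE_LOG = """\
[DoS Attack: ACK Scan] from source: 103.38.23.5, port 80, Thursday, August 08, 2019 04:54:39
[DoS Attack: SYN/ACK Scan] from source: 108.187.116.197, port 80, Monday, August 12, 2019 06:57:30
[DoS Attack: SYN/ACK Scan] from source: 108.187.116.197, port 80, Monday, August 12, 2019 14:52:03
[DoS Attack: RST Scan] from source: 107.77.253.8, port 19092, Friday, August 02, 2019 22:25:50
[DoS Attack: TCP/UDP Chargen] from source: 104.152.52.35, port 47986, Monday, August 12, 2019 15:30:18
[DoS Attack: TCP/UDP Echo] from source: 104.152.52.35, port 47986, Monday, August 12, 2019 15:35:52
[DoS Attack: TCP/UDP Echo] from source: 136.41.0.79, port 49250, Sunday, August 11, 2019 15:03:22
[DoS Attack: TCP/UDP Echo] from source: 136.41.0.79, port 49250, Sunday, August 11, 2019 15:03:25
"""

# One router entry: "[DoS Attack: <kind>] from source: <ip>, port <port>, <weekday>, <Month DD, YYYY HH:MM:SS>"
ENTRY_RE = re.compile(
    r"\[DoS Attack: (?P<kind>[^\]]+)\] from source: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}), port (?P<port>\d+), "
    r"(?P<stamp>[A-Za-z]+, [A-Za-z]+ \d{2}, \d{4} \d{2}:\d{2}:\d{2})"
)

# Assumption for the triage heuristic: replies from these server ports are
# usually stale web traffic, not scans.
WEB_SERVER_PORTS = {80, 443}
LEGACY_SERVICE_KINDS = {"TCP/UDP Chargen", "TCP/UDP Echo"}


def parse_entries(text):
    """Return a list of dicts, one per router entry, in order of appearance.

    finditer() is used on the whole text so entries concatenated onto a single
    line (as in the mail) parse the same as one-per-line output.
    """
    entries = []
    for m in ENTRY_RE.finditer(text):
        entries.append({
            "kind": m["kind"],
            "ip": m["ip"],
            "port": int(m["port"]),
            "time": datetime.strptime(m["stamp"], "%A, %B %d, %Y %H:%M:%S"),
        })
    return entries


def count_by_kind(entries):
    """Number of entries per router-assigned attack label."""
    return Counter(e["kind"] for e in entries)


def repeat_sources(entries, min_hits=2):
    """Source IPs seen at least min_hits times, with their counts."""
    hits = Counter(e["ip"] for e in entries)
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def triage(entry):
    """Heuristic label for one entry (an assumption of this example)."""
    if entry["kind"].endswith("Scan") and entry["port"] in WEB_SERVER_PORTS:
        return "likely late reply from a web server on port %d, not a scan" % entry["port"]
    if entry["kind"] in LEGACY_SERVICE_KINDS:
        return "probe for a legacy chargen/echo service; confirm it is not exposed"
    return "unclassified; compare with Snort alerts in the same window"


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    for kind, n in sorted(count_by_kind(entries).items()):
        print("%-20s %d" % (kind, n))
    print("repeat sources:", repeat_sources(entries))
    for e in entries:
        print(e["time"].isoformat(), e["ip"], "->", triage(e))
```

Once entries are structured this way, the natural check is to pull the Snort alerts for the same timestamps and source addresses and see which router entries Snort also flagged, which it ignored, and which it reported under a different name; that comparison answers the question of whether the router log is "accurate" better than either log alone.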


