On Tuesday 01 July 2003 18:04, Nadav Har'El wrote:
NH>Paranoids (like me, for example) use several lines of defense.
NH>
NH>For example, here are 3 lines of defense:
That's exactly what I used (and use) before my paranoia progressed and I
started messing up with NIDS as a fourth line of defense
On Tuesday 01 July 2003 18:40, Mycroft wrote:
> AJ>
> AJ>If you want that functionality, google for "portsentry".
>
> Erm...it appears (to me at least) that portsentry has all the firewall
> ruleset blocking "functionality" that you recommended against
I *don't* recommend blocking hosts by detect
On Tuesday 01 July 2003 16:35, Shachar Shemesh wrote:
SS>
SS>The bottom line is this - if you have no open source, why do you care
SS>whether you are scanned?
SS>This mail brought to you by the person responsible for Check Point not
SS>sporting any easy-to-configure automatic retaliation system,
On Tuesday 01 July 2003 18:11, Aviram Jenik wrote:
AJ>
AJ>If you want that functionality, google for "portsentry".
Erm...it appears (to me at least) that portsentry has all the firewall ruleset
blocking "functionality" that you recommended against with the addition of
rather questionable detect
On Tuesday 01 July 2003 15:58, Mycroft wrote:
>
[snip]
> This box is my networked workstation at home, and I
> don't have open server ports. I'm merely dealing with a number of script
> kiddies that think scanning and DOSing people they meet on IRC channels
> makes them all-powerful.
[snip]
> howe
On Tue, Jul 01, 2003, Shachar Shemesh wrote about "Re: Snort - iptables addon":
> The bottom line is this - if you have no open source, why do you care
> whether you are scanned?
Paranoids (like me, for example) use several lines of defense.
For example, here are 3 lines of de
Hi,
On Tuesday 01 July 2003 17:46, josh wrote:
> > Your IDS will not block a simple connect scan (AFAIR snort does not save
> > packets and does not know that this is the 10,000th port in a row you are
> > trying to reach)
>
> FYI the portscan2 preprocessor on snort 2.0 tracks connection states.
L PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Snort - iptables addon
>
>
> On Tue, 1 Jul 2003, Aviram Jenik wrote:
>
> > "Idle scan" will actually work quite nicely here (I'm sure one of the servers
> > written above has its idle moments), but that's no
On Tue, 1 Jul 2003, Aviram Jenik wrote:
> "Idle scan" will actually work quite nicely here (I'm sure one of the servers
> written above has its idle moments), but that's not the way I would approach
> it as an attacker.
> Your IDS will not block a simple connect scan (AFAIR snort does not save
> p
Mycroft wrote:
Well I'm not securing a corporate web server here, most probably if I were,
I'd choose other means of security response. Leaving it to professionals is
always a good idea :)). This box is my networked workstation at home, and I
don't have open server ports. I'm merely dealing wit
On Tuesday 01 July 2003 15:11, Tzafrir Cohen wrote:
TC>And suppose I don't really need the results of those scan? And this is
TC>all done just to make you block some computers?
TC>
TC>What traffic can someone make you drop?
TC>
What harm could that do? I do realize that you are right about the pot
On Tuesday 01 July 2003 15:18, Aviram Jenik wrote:
AJ>
AJ>(if my irony went undetected, I would really recommend against this
AJ>hair-triggered blocking system)
AJ>
Hmm, I am a big fan of constructive feedback. Don't we all?
AJ>"Idle scan" will actually work quite nicely here (I'm sure one of the
On Tuesday 01 July 2003 14:43, Mycroft wrote:
> On Tuesday 01 July 2003 10:13, Tzafrir Cohen wrote:
>
> TC>What happens if I spoof a portscan from a different address? Do you
> TC>block it? Now what was the IP of your DNS server?
> TC>
> That's what the "preprocessor portscan2-ignorehosts:" and "pr
On Tue, Jul 01, 2003 at 02:43:01PM +0300, Mycroft wrote:
> On Tuesday 01 July 2003 10:13, Tzafrir Cohen wrote:
>
> TC>What happens if I spoof a portscan from a different address? Do you
> TC>block it? Now what was the IP of your DNS server?
> TC>
> That's what the "preprocessor portscan2-ignorehos
On Tuesday 01 July 2003 10:13, Tzafrir Cohen wrote:
TC>What happens if I spoof a portscan from a different address? Do you
TC>block it? Now what was the IP of your DNS server?
TC>
That's what the "preprocessor portscan2-ignorehosts:" and "preprocessor
portscan-ignorehosts:" sections in the /etc/s
On Tue, Jul 01, 2003 at 02:14:12AM +0300, Mycroft wrote:
> Hello,
> Has anyone heard of/used a snort add-on that could manage iptables firewall
> in response to specific network events...like portscans or DOS attacks?
What happens if I spoof a portscan from a different address? Do you
block i
Yeah, look for PSAD, it is an addon for snort that modifies iptables
automatically in run-time :-)
Oleg.
- Original Message -
From: "Mycroft" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 01, 2003 1:14 AM
Subject: Snort - iptables addon
> H
Of Mycroft
> > Sent: Tuesday, July 01, 2003 1:14 AM
> > To: [EMAIL PROTECTED]
> > Subject: Snort - iptables addon
> >
> >
> > Hello,
> > Has anyone heard of/used a snort add-on that could manage iptables firewall
> > in response to a specific ne
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mycroft
> Sent: Tuesday, July 01, 2003 1:14 AM
> To: [EMAIL PROTECTED]
> Subject: Snort - iptables addon
>
>
> Hello,
> Has anyone heard of/used a snort add-on that could manage iptables f
Hello,
Has anyone heard of/used a snort add-on that could manage iptables firewall
in response to specific network events...like portscans or DOS attacks?
I know once it's detected, snort is capable of blocking it, but I was looking
for more low-level approach to this issue, stopping the pack
20 matches