From: <Wil...@kc...> - 2003-11-11 16:32:00

this would be a nice thing to have.........

Rob McMillen <rv...@ca...>
Sent by: sno...@li...
11/11/2003 12:37 AM
To: sno...@li...
cc:
Subject: Re: [Snort-inline-users] portscan preprocessors and drop mode

Matt,

snort-inline does not drop packets based on the portscan preprocessor.
However, it would be pretty easy to modify it so it does. Is this
something that would be of interest to the list? Anyone have any pros
and cons? It might be nice to drop portscans, but how many false
positives does the portscan preprocessor generate?

Rob

P.S. If I get enough responses, I'll modify/add to the portscan
preprocessor so it is capable of dropping packets when it detects a
port scan.

On Mon, 10 Nov 2003, Matt Linton wrote:

>
> Greetings everyone;
>
> Is anyone willing to share a clear understanding of how the portscan
> preprocessor works under snort-inline? I've done some testing and my
> gateway doesn't seem to be blocking any portscan traffic.
>
> I have two snort gateways in bridge mode, set up as follows:
>
> Laptop --> gateway1 --> LAN --> gateway2 --> router --> internet
>
> When doing a portscan from the Laptop to a machine on the internet, I
> should see traffic logged in the portscan log on gateway1 and very little
> on gateway2, if 1 is blocking correctly. However, they both register all
> portscan traffic.
>
> The rule being used (on both) is:
>
> preprocessor portscan: $HONEYNET 10 2 /export/snort/logs/portscan
> preprocessor portscan-ignorehosts: x.x.x.x (sanitized)
>
> Has portscan preprocessor not been patched to support drop mode yet?
>
>
> +---------------------------------------------------
> | Regards;
> | Matt Linton
> | UNIX Systems Administrator
> | ASANI Solutions, LLC.
> +---------------------------------------------------
>
> On Fri, 7 Nov 2003, Rob McMillen wrote:
>
> > The reason it fails is because the function calls between Libnet 1.1 and
> > 1.0.2 changed a great deal. Since Flexresp depends on Libnet 1.0.2, I
> > used it for snort-inline to avoid requiring two different versions of
> > Libnet.
> >
> > Rob
> >
> > On Fri, 7 Nov 2003, Stephan Scholz wrote:
> >
> > > Hi Josh,
> > >
> > > I tried Libnet 1.1 with Inline Snort 2.0 and it failed. So I switched
> > > back to Libnet 1.0.2.
> > >
> > > Stephan
> > >
> >
> > -------------------------------------------------------
> > This SF.Net email sponsored by: ApacheCon 2003,
> > 16-19 November in Las Vegas. Learn firsthand the latest
> > developments in Apache, PHP, Perl, XML, Java, MySQL,
> > WebDAV, and more! http://www.apachecon.com/
> > _______________________________________________
> > Snort-inline-users mailing list
> > Sno...@li...
> > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
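The thread turns on two things: what the `10 2` arguments in Matt's `preprocessor portscan:` line mean (a threshold of ports within a detection period, in seconds), and Rob's question of what would happen if such a detection were turned into an inline drop. The following is an added example, not snort-inline's code: a small C model of that threshold logic with a drop verdict and a `portscan-ignorehosts`-style whitelist, fed constructed traffic from made-up 10.0.0.x hosts. Every name in it (`scan_detector`, `detector_packet`, `simulate_probe`, the scenario functions) is hypothetical.

```c
/* Added example: threshold-based port-scan detector with an inline DROP
 * verdict, modelled on "<ports> <seconds>" from the snort-inline portscan
 * preprocessor line in the thread. Toy code, not snort's implementation. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRACKED 64   /* sources tracked at once (toy bound) */
#define MAX_PORTS   256  /* distinct ports remembered per source per period */
#define MAX_IGNORE  8

enum verdict { PASS = 0, DROP = 1 };

struct tracker {
    uint32_t src;            /* source address, host byte order */
    double   window_start;   /* timestamp of first port in this period */
    int      nports;         /* distinct destination ports in this period */
    uint16_t ports[MAX_PORTS];
};

struct scan_detector {
    int      port_threshold;     /* the "10" in the preprocessor line */
    double   period;             /* the "2" (seconds) in the preprocessor line */
    uint32_t ignore[MAX_IGNORE]; /* portscan-ignorehosts equivalent */
    int      nignore;
    struct tracker t[MAX_TRACKED];
    int      ntracked;
};

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static void detector_init(struct scan_detector *d, int ports, double period)
{
    memset(d, 0, sizeof *d);
    d->port_threshold = ports;
    d->period = period;
}

static void detector_ignore(struct scan_detector *d, uint32_t src)
{
    if (d->nignore < MAX_IGNORE)
        d->ignore[d->nignore++] = src;
}

static struct tracker *find_tracker(struct scan_detector *d, uint32_t src)
{
    for (int i = 0; i < d->ntracked; i++)
        if (d->t[i].src == src)
            return &d->t[i];
    if (d->ntracked >= MAX_TRACKED)
        return NULL;
    struct tracker *t = &d->t[d->ntracked++];
    memset(t, 0, sizeof *t);
    t->src = src;
    return t;
}

/* One packet in: (source, destination port, timestamp in seconds).
 * Returns DROP once the source has touched >= port_threshold distinct
 * ports inside a single detection period, PASS otherwise. */
static enum verdict detector_packet(struct scan_detector *d, uint32_t src,
                                    uint16_t dport, double ts)
{
    for (int i = 0; i < d->nignore; i++)
        if (d->ignore[i] == src)
            return PASS;   /* whitelisted host: never dropped */
    struct tracker *t = find_tracker(d, src);
    if (t == NULL)
        return PASS;       /* table full: this toy fails open */
    if (t->nports == 0 || ts - t->window_start > d->period) {
        t->window_start = ts;   /* start a fresh detection period */
        t->nports = 0;
    }
    int seen = 0;
    for (int i = 0; i < t->nports; i++)
        if (t->ports[i] == dport) { seen = 1; break; }
    if (!seen && t->nports < MAX_PORTS)
        t->ports[t->nports++] = dport;
    return t->nports >= d->port_threshold ? DROP : PASS;
}

/* Send ports 1..nports from src, one every `interval` seconds from t=0,
 * and count how many of those packets the detector would have dropped. */
static int simulate_probe(struct scan_detector *d, uint32_t src, int nports, double interval)
{
    int drops = 0;
    for (int i = 0; i < nports; i++)
        if (detector_packet(d, src, (uint16_t)(i + 1), i * interval) == DROP)
            drops++;
    return drops;
}

/* Constructed scenarios, all with the thread's "10 ports in 2 seconds". */
static int scenario_fast_scan(void)    /* 12 ports in 1.1 s: packets 10..12 dropped */
{
    struct scan_detector d; detector_init(&d, 10, 2.0);
    return simulate_probe(&d, ip4(10, 0, 0, 5), 12, 0.1);
}
static int scenario_slow_probe(void)   /* 12 ports over 5.5 s: never 10 in one period */
{
    struct scan_detector d; detector_init(&d, 10, 2.0);
    return simulate_probe(&d, ip4(10, 0, 0, 6), 12, 0.5);
}
static int scenario_ignored_host(void) /* same burst as the fast scan, but whitelisted */
{
    struct scan_detector d; detector_init(&d, 10, 2.0);
    detector_ignore(&d, ip4(10, 0, 0, 7));
    return simulate_probe(&d, ip4(10, 0, 0, 7), 12, 0.1);
}

int main(void)
{
    printf("fast scan drops:    %d\n", scenario_fast_scan());
    printf("slow probe drops:   %d\n", scenario_slow_probe());
    printf("ignored host drops: %d\n", scenario_ignored_host());
    return 0;
}
```

Two things the model makes visible that bear on Rob's false-positive question: the first nine probes of a scan always get through before the threshold trips, so a drop mode built this way limits rather than prevents a scan; and a scanner pacing itself just under the threshold (the slow probe above) is never dropped at all, while a busy legitimate client that legitimately fans out to ten services in two seconds would be. The period here is a fixed window that resets, not a sliding one, which is the simplest reading of "<ports> <seconds>"; a sliding window would catch a burst that straddles a period boundary. The whitelist is why `portscan-ignorehosts` matters more once dropping is on the table than it did for logging only.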