From: Josh B. <jos...@ne...> - 2003-11-11 16:57:16

I would be most interested in getting the arpspoof preprocessor to block.
I don't believe it does right now. I would also like to know how to
compile snort statically so I don't have to repatch/compile on each
sensor that I set up. I just want to be able to copy/paste the binary
like the binary package for snort-inline on sourceforge.

> this would be a nice thing to have.........
>
> Rob McMillen <rv...@ca...>
> Sent by: sno...@li...
> 11/11/2003 12:37 AM
>
> To: sno...@li...
> cc:
> Subject: Re: [Snort-inline-users] portscan preprocessors and drop mode
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Matt,
>
> snort-inline does not drop packets based on the portscan
> preprocessor. However, it would be pretty easy to modify it so it does.
> Is this something that would be of interest to the list? Anyone
> have any pros and cons? It might be nice to drop portscans, but how many
> false positives does the portscan preprocessor generate?
>
> Rob
>
> P.S. If I get enough responses, I'll modify/add to the portscan
> preprocessor so it is capable of dropping packets when it detects a port
> scan.
>
> On Mon, 10 Nov 2003, Matt Linton wrote:
>
>> Greetings everyone;
>>
>> Is anyone willing to share a clear understanding of how the portscan
>> preprocessor works under snort-inline? I've done some testing and my
>> gateway doesn't seem to be blocking any portscan traffic.
>>
>> I have two snort gateways in bridge mode, set up as follows:
>>
>> Laptop --> gateway1 --> LAN --> gateway2 --> router --> internet
>>
>> When doing a portscan from the Laptop to a machine on the internet, I
>> should see traffic logged in the portscan log on gateway1 and very little
>> on gateway2, if 1 is blocking correctly. However, they both register all
>> portscan traffic.
>>
>> The rule being used (on both) is:
>>
>> preprocessor portscan: $HONEYNET 10 2 /export/snort/logs/portscan
>> preprocessor portscan-ignorehosts: x.x.x.x (sanitized)
>>
>> Has portscan preprocessor not been patched to support drop mode yet?
>>
>> +---------------------------------------------------
>> | Regards;
>> | Matt Linton
>> | UNIX Systems Administrator
>> | ASANI Solutions, LLC.
>> +---------------------------------------------------
>>
>> On Fri, 7 Nov 2003, Rob McMillen wrote:
>>
>> > The reason it fails is because the function calls between Libnet 1.1 and
>> > 1.0.2 changed a great deal. Since Flexresp depends on Libnet 1.0.2, I
>> > used it for snort-inline to avoid requiring two different versions of
>> > Libnet.
>> >
>> > Rob
>> >
>> > On Fri, 7 Nov 2003, Stephan Scholz wrote:
>> >
>> > > Hi Josh,
>> > >
>> > > I tried Libnet 1.1 with Inline Snort 2.0 and it failed. So I switched
>> > > back to Libnet 1.0.2.
>> > >
>> > > Stephan
>> >
>> > -------------------------------------------------------
>> > This SF.Net email sponsored by: ApacheCon 2003,
>> > 16-19 November in Las Vegas. Learn firsthand the latest
>> > developments in Apache, PHP, Perl, XML, Java, MySQL,
>> > WebDAV, and more! http://www.apachecon.com/
>> > _______________________________________________
>> > Snort-inline-users mailing list
>> > Sno...@li...
>> > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>> > ------------ Output from pgp ------------
>> > Pretty Good Privacy(tm) Version 6.5.2
>> > (c) 1999 Network Associates Inc.
>> > Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
>> > Export of this software may be restricted by the U.S. government.
>> > File is signed. signature not checked.
>> > Signature made 2003/11/08 02:46 GMT
>> > key does not meet validity threshold.
>> > WARNING: Because this public key is not certified with a trusted
>> > signature, it is not known with high confidence that this public key
>> > actually belongs to: "(KeyID: 0xBD28B8DD)".
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
> Comment: Made with pgp4pine 1.76
>
> iQA/AwUBP7CDtvnAyY+9KLjdEQJqKACeKY4JRI7rkewgSeP5i1fLESBsKu4An2/z
> aNyVAbEpGuP0/XfzmLxHWwZd
> =NcBx
> -----END PGP SIGNATURE-----

Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
jos...@li...
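The threshold semantics of the portscan preprocessor line quoted in the thread (`preprocessor portscan: $HONEYNET 10 2 <logfile>` plus `portscan-ignorehosts`), modelled as an added Python example. This is not snort-inline's code and not the behaviour Rob describes: his message says the 2003 preprocessor logged but did not drop, so the `inline=True` "drop once flagged" verdict below is the hypothetical change he offers to write, shown next to the detect-only mode Matt actually observed. Assumptions: the first argument is treated as the network whose hosts are being scanned (destination side), the threshold is "N distinct destination ports within T seconds per source", a flagged source stays flagged for the rest of the run, and all packet records are constructed inline.

```python
"""Threshold portscan detector with an inline drop verdict (illustrative model)."""
from collections import defaultdict, deque
import ipaddress


class PortscanDetector:
    """Mirror of `preprocessor portscan: <net> <ports> <period> <log>` semantics.

    process() returns "pass" or "drop" per packet. In detect-only mode
    (inline=False) every packet passes and scans are only logged, which is
    the behaviour the thread reports for snort-inline in 2003.
    """

    def __init__(self, monitor_net, ports, period, ignore_hosts=(), inline=True):
        self.net = ipaddress.ip_network(monitor_net)        # hosts being scanned
        self.ports = ports                                  # distinct ports threshold
        self.period = float(period)                         # detection window, seconds
        self.ignore = {ipaddress.ip_address(h) for h in ignore_hosts}
        self.inline = inline
        self.events = defaultdict(deque)   # src -> deque of (ts, dst, dport)
        self.flagged = {}                  # src -> ts at which a scan was declared
        self.log = []                      # what would go to the portscan log file

    def process(self, ts, src, dst, dport):
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        # portscan-ignorehosts: never count or block an ignored source.
        if src_ip in self.ignore or dst_ip not in self.net:
            return "pass"
        q = self.events[src_ip]
        q.append((ts, dst_ip, dport))
        # Slide the window: keep only events within the last `period` seconds.
        while q and ts - q[0][0] > self.period:
            q.popleft()
        distinct = {(d, p) for _, d, p in q}
        if len(distinct) >= self.ports and src_ip not in self.flagged:
            self.flagged[src_ip] = ts
            self.log.append(f"{ts:.3f} PORTSCAN DETECTED from {src_ip}: "
                            f"{len(distinct)} ports in {self.period:g}s")
        if src_ip in self.flagged and self.inline:
            return "drop"
        return "pass"


def run_scan(detector, src, dst, n_ports, interval):
    """Feed a constructed scan (ports 1..n_ports, one packet per `interval`
    seconds) through the detector and return the list of verdicts."""
    return [detector.process(i * interval, src, dst, 1 + i) for i in range(n_ports)]


if __name__ == "__main__":
    # Constructed traffic: 12 ports on 10.0.0.7 hit 100 ms apart, threshold 10 in 2 s.
    inline = PortscanDetector("10.0.0.0/24", 10, 2, ignore_hosts=["192.168.1.9"])
    print("fast scan, inline :", run_scan(inline, "192.168.1.5", "10.0.0.7", 12, 0.1))
    print("ignored host      :", run_scan(inline, "192.168.1.9", "10.0.0.7", 12, 0.1))
    print("log               :", inline.log)

    # Same scan one packet per second never holds 10 ports inside a 2 s window.
    slow = PortscanDetector("10.0.0.0/24", 10, 2)
    print("slow scan         :", run_scan(slow, "192.168.1.5", "10.0.0.7", 12, 1.0))

    # Detect-only mode: logged, nothing dropped (what Matt's gateways did).
    ids = PortscanDetector("10.0.0.0/24", 10, 2, inline=False)
    print("detect-only       :", run_scan(ids, "192.168.1.5", "10.0.0.7", 12, 0.1))
    print("detect-only log   :", ids.log)
```

The slow-scan case is the false-positive/false-negative trade-off Rob raises: the same two knobs (`ports`, `period`) decide both how noisy a scanner must be before it is dropped and how much a patient scanner can get away with, so any drop-capable version would want those values tuned per segment before it is trusted to block.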