From: Jed H. <je...@gr...> - 2003-11-12 17:22:12
I've modified portscan2 to drop packets before; in fact, the main reason I wrote portscan2 was with the hope of getting an accurate enough portscan detector that you could drop packets in a scan without breaking your network.

It's pretty simple to do: you just have to add InlineDrop() to the portscan2 code where it has determined that a packet is a part of a portscan. Look for the function that logs to the text file, and put InlineDrop() in the same place where the log function is called. Ideally you'd add some ifdefs, and some sort of config switch so it would be possible to turn scan dropping on/off in the config file.

In my experiments on my small network, and at a couple of conference networks, dropping portscans works well; if you just drop the packets, it can really slow the portscanner down. You probably do not want to send rejects...

Jed

On Tuesday, November 11, 2003, at 07:11 PM, Rob McMillen wrote:

> >> Try this, Rob correct me if I'm wrong.
> >>
> >> LDFLAGS="-static" ./configure --enable-inline
>
> Almost ;) If you edit the Makefile and then run ./configure, the
> configure script will create a new Makefile and your changes will be
> lost.
> You need to first run ./configure (you don't need the --enable-inline)
> then edit the src/Makefile. Either changing the snort_LDFLAGS or
> LDFLAGS should work.
>
> Rob