[Snort-users] New to snort...what do these mean???

Vitaly McLain twistah at ...93...
Tue Oct 10 23:22:53 EDT 2000


Hi,

>> how do I block these portscans?

You could also make Snort set IPCHAINS rules to block the attacking IP, but I wouldn't do that (auto-blocking of IPs is a bad idea (tm), because it will block on false positives and you become vulnerable to some very interesting DoS possibilities.)


>> how can I tell which port they are scanning

The basic concept of a portscan is this: an attacker scans a wide range of ports on your computer to determine which ones are open. Thus there is no one port they are scanning. If you want to know what RANGE of ports they are scanning, take a look at the various alerts in /var/log/snort/<attacking.ip>. That should give you some idea (replace <attacking.ip> with the IP address of the person who is scanning you).

I am looking at the log you posted, and I am fairly sure you did NOT get
portscanned. It was a false positive. Look at this:
>> across 1 hosts: TCP(1), UDP(0) STEALTH
Only 1 TCP connection is not a portscan. Even a portscan which scans a small
range of ports should have connects in the double digits.

If you want to know more about portscanning/attack methods/security in
general, I recommend you pick up a book. "Hacking Exposed" was pretty good.
I heard nice things about "Maximum Linux Security", though I thought
"Maximum Security" was..well..not very good :) Another one that just came
out is "Hackproofing Your Network" (I think that's the title). I haven't
read it yet, but given its list of authors, it should be pretty damn good.

Vitaly McLain
twistah at ...93...
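As an added illustration of the two points in the reply above (read the per-source log to see which port range was touched, and treat a single connection as a false positive rather than a scan), here is a small Python script that is not part of the original post. The log line layout and the sample entries are constructed assumptions, loosely modelled on the per-source file under /var/log/snort/<attacking.ip>; the "double digits" threshold is the rule of thumb from the reply.

```python
import re
from collections import defaultdict

# Constructed sample log. The line format is an assumption for this example,
# not a guarantee of what any particular Snort version writes.
SAMPLE_LOG = """\
Oct 10 23:10:01 10.9.8.7:41022 -> 192.168.1.5:21 SYN ******S*
Oct 10 23:10:01 10.9.8.7:41023 -> 192.168.1.5:22 SYN ******S*
Oct 10 23:10:01 10.9.8.7:41024 -> 192.168.1.5:23 SYN ******S*
Oct 10 23:10:02 10.9.8.7:41025 -> 192.168.1.5:25 SYN ******S*
Oct 10 23:10:02 10.9.8.7:41026 -> 192.168.1.5:53 SYN ******S*
Oct 10 23:10:02 10.9.8.7:41027 -> 192.168.1.5:79 SYN ******S*
Oct 10 23:10:03 10.9.8.7:41028 -> 192.168.1.5:80 SYN ******S*
Oct 10 23:10:03 10.9.8.7:41029 -> 192.168.1.5:110 SYN ******S*
Oct 10 23:10:03 10.9.8.7:41030 -> 192.168.1.5:111 SYN ******S*
Oct 10 23:10:04 10.9.8.7:41031 -> 192.168.1.5:139 SYN ******S*
Oct 10 23:10:04 10.9.8.7:41032 -> 192.168.1.5:143 SYN ******S*
Oct 10 23:10:04 10.9.8.7:41033 -> 192.168.1.5:443 SYN ******S*
Oct 10 23:22:53 172.16.0.3:55901 -> 192.168.1.5:113 SYN ******S*
"""

# timestamp, then "src:sport -> dst:dport flags"; only src and dport are kept
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
)

def ports_by_source(log_text):
    """Map each source IP to the set of destination ports it touched."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip anything that is not a connection record
            seen[m["src"]].add(int(m["dport"]))
    return seen

def classify(log_text, min_ports=10):
    """Per source: distinct port count, the port RANGE the reply talks about,
    and a verdict. Rule of thumb from the reply: a real scan, even a small
    one, hits double-digit ports; one connection is a false positive."""
    report = {}
    for src, ports in ports_by_source(log_text).items():
        report[src] = {
            "distinct_ports": len(ports),
            "port_range": (min(ports), max(ports)),
            "portscan": len(ports) >= min_ports,
        }
    return report
```

Run `classify(SAMPLE_LOG)` to get one entry per source; the verdict is advisory output for a human, deliberately not wired to any firewall rule, for the reasons the reply gives.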
