[Snort-users] Bind Attack (newbie alert)

Utopian Admin admin at ...1419...
Tue Mar 6 19:29:35 EST 2001


Is it possible portsentry intercepted the "attack" before snort got a chance
to?  I know portsentry can block via "route reject" and TCP wrappers.

Mike.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Bob Staaf
Sent: Tuesday, March 06, 2001 2:52 PM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] Bind Attack (newbie alert)


Hello all,

     Been running snort for a few hours now and ran into the following
situation.  I also run Portsentry on this server and it caught a portscan on
bind.  However, snort did not catch it.

Mar  6 15:13:48 swshost portsentry[573]: attackalert: UDP scan from host:
216.219.244.113/216.219.244.113 to UDP port: 53
Mar  6 15:13:48 swshost portsentry[573]: attackalert: Host:
216.219.244.113/216.219.244.113 is already blocked Ignoring

Any help in pointing me to the right places in my snort config to
troubleshoot this would be much appreciated!

Thanks

Bob


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users





More information about the Snort-users mailing list