[Snort-users] Bind Attack (newbie alert)
admin at ...1419...
Tue Mar 6 19:29:35 EST 2001
Is it possible portsentry intercepted the "attack" before snort got a chance
to? I know portsentry can block via "route reject" and TCP wrappers.
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Bob Staaf
Sent: Tuesday, March 06, 2001 2:52 PM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] Bind Attack (newbie alert)
Been running snort for a few hours now and ran into the following
situation. I also run Portsentry on this server and it caught a portscan on
bind. However, snort did not catch it.
Mar 6 15:13:48 swshost portsentry: attackalert: UDP scan from host:
220.127.116.11/18.104.22.168 to UDP port: 53
Mar 6 15:13:48 swshost portsentry: attackalert: Host:
22.214.171.124/126.96.36.199 is already blocked Ignoring
Any help in pointing me to the right places in my snort config to
troubleshoot this would be much appreciated!
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
More information about the Snort-users