[Snort-users] Bind Attack (newbie alert)

Bob Staaf rstaaf at ...1457...
Tue Mar 6 20:40:14 EST 2001


Mike,

     That is a good question.  Portsentry is set up to block ports via TCP
Wrappers.  What do I do in this case?  This would be fine if I was just
interested in monitoring this server, but I have 2 other servers and I would
like snort to be able to log any portscans to my network.  I also do not
want to disable portsentry.  Anyone else out there running both?

Thanks

Bob

----- Original Message -----
From: "Utopian Admin" <admin at ...1419...>
To: "Bob Staaf" <rstaaf at ...1457...>; <Snort-users at lists.sourceforge.net>
Sent: Tuesday, March 06, 2001 7:29 PM
Subject: RE: [Snort-users] Bind Attack (newbie alert)


> Is it possible portsentry intercepted the "attack" before snort got a chance
> to?  I know portsentry can block via "route reject" and TCP wrappers.
>
> Mike.
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Bob Staaf
> Sent: Tuesday, March 06, 2001 2:52 PM
> To: Snort-users at lists.sourceforge.net
> Subject: [Snort-users] Bind Attack (newbie alert)
>
>
> Hello all,
>
>      Been running snort for a few hours now and ran into the following
> situation.  I also run Portsentry on this server and it caught a portscan on
> bind.  However, snort did not catch it.
>
> Mar  6 15:13:48 swshost portsentry[573]: attackalert: UDP scan from host: 216.219.244.113/216.219.244.113 to UDP port: 53
> Mar  6 15:13:48 swshost portsentry[573]: attackalert: Host: 216.219.244.113/216.219.244.113 is already blocked Ignoring
>
> Any help in pointing me to the right places in my snort config to
> troubleshoot this would be much appreciated!
>
> Thanks
>
> Bob
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
>
>




