[Snort-users] Bind Attack (newbie alert)

Fyodor fygrave at ...121...
Wed Mar 7 15:31:07 EST 2001


On Tue, Mar 06, 2001 at 06:29:35PM -0600, Utopian Admin wrote:
> Is it possible portsentry intercepted the "attack" before snort got a chance
> to?  I know portsentry can block via "route reject" and TCP wrappers.
> 

no, snort should see it at the same time. The probable reason why snort didn't see
the portscan is that either your portscan threshold(sp) is too relaxed (and seen amount
of packets wasn't enough to consider it as portscan), or target/source host(s) were
in ignorehosts directive. (then snort's portscan plugin will not count'em at all).





More information about the Snort-users mailing list