[Snort-users] Portsentry and Snort

Fyodor fygrave at ...121...
Wed Mar 7 17:45:48 EST 2001


On Wed, Mar 07, 2001 at 03:42:45PM +0100, Ralf Hildebrandt wrote:
> On Wed, Mar 07, 2001 at 09:07:32AM -0500, Bob Staaf wrote:
> 
> >      Is anyone out there running Snort and Portsentry together?  The problem
> > I am having is that Portsentry blocks port scans before Snort can even see
> > them. 
> 
> Frankly, I'd say portsentry is crap. If you really insist on adding "drop"
> routes for IPs offending your server, you can do that with snort (at least
> I think one can execute programs as a response to triggering of a rule).
> 

Well, actually I could do worse: if it is reacting to UDP portscans and sets up routes
to block the sender, I could easily lock up your network completely. Having 'reactive
capabilities' like this in an IDS is highly unrecommended.



