[Snort-users] Portsentry and Snort
fygrave at ...121...
Wed Mar 7 17:45:48 EST 2001
On Wed, Mar 07, 2001 at 03:42:45PM +0100, Ralf Hildebrandt wrote:
> On Wed, Mar 07, 2001 at 09:07:32AM -0500, Bob Staaf wrote:
> > Is anyone out there running Snort and Portsentry together? The problem
> > I am having is that Portsentry blocks port scans before Snort can even see
> > them.
> Frankly, I'd say portsentry is crap. If you really insist on adding "drop"
> routes for IP's offending your server, you can do that with snort (at least
> I think one can execute programs as a response to triggering of a rule).
Well, actually I could do worse, if it is reacting on UDP portscans and sets up routes
to block the sender, I could easily lock-up your network completely. Having 'reactive capabilities'
like this in IDS is highly unrecommended.
More information about the Snort-users