[Snort-users] Portsentry and Snort

Utopian Admin admin at ...1419...
Wed Mar 7 18:11:43 EST 2001

Somewhat.  If you can maintain a sane "exclusions" list, it works fine.
Here's another aspect of "reactive", not often considered.  One of the
biggest problems with security is the lack of training/awareness.
Sometimes, a little pain can teach a big lesson.  I work in an environment
where tickets are opened automatically on various events.  Where IDS is
concerned, if a user calls about "I can't get to host x", and I can
correlate that with some event they instigated (by accident, or
intentionally), I can inform them that we know, and tell them *why* it
happened, as ask them not to do that "thing" again.  End result - someone
who knows a little more about security.


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Fyodor
Sent: Wednesday, March 07, 2001 4:46 PM
To: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Portsentry and Snort

On Wed, Mar 07, 2001 at 03:42:45PM +0100, Ralf Hildebrandt wrote:
> On Wed, Mar 07, 2001 at 09:07:32AM -0500, Bob Staaf wrote:
> >      Is anyone out there running Snort and Portsentry together?  The
> > I am having is that Portsentry blocks port scans before Snort can even
> > them.
> Frankly, I'd say portsentry is crap. If you really insist on adding "drop"
> routes for IP's offending your server, you can do that with snort (at
> I think one can execute programs as a response to triggering of a rule).

Well, actually I could do worse, if it is reacting on UDP portscans and sets
up routes
to block the sender, I could easily lock-up your network completely. Having
'reactive capabilities'
like this in IDS is highly unrecommended.

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:

More information about the Snort-users mailing list