[Snort-users] Portsentry and Snort
admin at ...1419...
Wed Mar 7 18:11:43 EST 2001
Somewhat. If you can maintain a sane "exclusions" list, it works fine.
Here's another aspect of "reactive", not often considered. One of the
biggest problems with security is the lack of training/awareness.
Sometimes, a little pain can teach a big lesson. I work in an environment
where tickets are opened automatically on various events. Where IDS is
concerned, if a user calls about "I can't get to host x", and I can
correlate that with some event they instigated (by accident, or
intentionally), I can inform them that we know, and tell them *why* it
happened, and ask them not to do that "thing" again. End result - someone
who knows a little more about security.

From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Fyodor
Sent: Wednesday, March 07, 2001 4:46 PM
To: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Portsentry and Snort
On Wed, Mar 07, 2001 at 03:42:45PM +0100, Ralf Hildebrandt wrote:
> On Wed, Mar 07, 2001 at 09:07:32AM -0500, Bob Staaf wrote:
> > Is anyone out there running Snort and Portsentry together? The
> > I am having is that Portsentry blocks port scans before Snort can even
> > them.
> Frankly, I'd say portsentry is crap. If you really insist on adding "drop"
> routes for IP's offending your server, you can do that with snort (at
> I think one can execute programs as a response to triggering of a rule).
Well, actually I could do worse, if it is reacting on UDP portscans and sets
to block the sender, I could easily lock-up your network completely. Having
like this in IDS is highly unrecommended.
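
The two points raised in this thread, an "exclusions" list and the risk of auto-blocking on scans whose source address can be forged, shown as an added example that is not part of the original messages and is not Snort or Portsentry code. The alert tuple layout, the handshake flag and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed exclusions list: addresses the sensor must never block.
# All values are documentation-range examples, not from the thread.
EXCLUSIONS = [ipaddress.ip_network(n) for n in (
    "192.0.2.1/32",      # default gateway
    "192.0.2.53/32",     # DNS resolver
    "198.51.100.0/24",   # management network
)]

# Constructed alerts: (source address, protocol, TCP handshake completed?)
ALERTS = [
    ("203.0.113.7", "tcp", True),    # full-connect scan, source verified
    ("192.0.2.53", "udp", False),    # UDP "scan" claiming to be the resolver
    ("203.0.113.9", "udp", False),   # UDP scan, source cannot be verified
    ("198.51.100.20", "tcp", True),  # admin workstation running a scanner
    ("203.0.113.11", "tcp", False),  # SYN-only scan, source unverified
]

def decide(src, proto, handshake_done):
    """Return (action, reason) for one alert; action is 'block' or 'log'."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in EXCLUSIONS):
        return "log", "source is on the exclusions list"
    if proto != "tcp" or not handshake_done:
        # Without a completed handshake the source address may be forged,
        # so a block could cut off whoever the packet claims to come from.
        return "log", "source address not verified"
    return "block", "verified source, not excluded"

def triage(alerts):
    """Map each alert's source address to its (action, reason) decision."""
    return {src: decide(src, proto, hs) for src, proto, hs in alerts}

if __name__ == "__main__":
    for src, (action, reason) in triage(ALERTS).items():
        print(f"{src:15} {action:5} {reason}")
```

Only the verified, non-excluded TCP source is blocked; everything else is logged for a human to correlate, which still supports the ticket-and-explain workflow described in the reply.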