[Snort-users] Portsentry and Snort

Bob Staaf rstaaf at ...1457...
Wed Mar 7 18:40:06 EST 2001


It depends on how you have Portsentry configured.  There are provisions for
an ignore file to add addresses not to trigger on.  The risk is someone
could block some legitimate users by spoofing their addresses.  I have to
disagree with the statement that portsentry is "crap".  It is a different
animal than snort and I believe I have a place for both in my network.

Bob

----- Original Message -----
From: "Fyodor" <fygrave at ...121...>
To: <Snort-users at lists.sourceforge.net>
Sent: Wednesday, March 07, 2001 5:45 PM
Subject: Re: [Snort-users] Portsentry and Snort


> On Wed, Mar 07, 2001 at 03:42:45PM +0100, Ralf Hildebrandt wrote:
> > On Wed, Mar 07, 2001 at 09:07:32AM -0500, Bob Staaf wrote:
> >
> > >      Is anyone out there running Snort and Portsentry together?  The problem
> > > I am having is that Portsentry blocks port scans before Snort can even see
> > > them.
> >
> > Frankly, I'd say portsentry is crap. If you really insist on adding "drop"
> > routes for IP's offending your server, you can do that with snort (at least
> > I think one can execute programs as a response to triggering of a rule).
> >
>
> Well, actually I could do worse, if it is reacting on UDP portscans and sets up routes
> to block the sender, I could easily lock-up your network completely. Having 'reactive capabilities'
> like this in IDS is highly unrecommended.