[Snort-users] Portsentry and Snort

Jeff Nathan jeff at ...430...
Thu Mar 8 19:06:48 EST 2001


We've discussed this back and forth on the list for a long time.  There
are very real risks with doing any form of autoblocking.  There are far
too many variables in the world of network security to count on systems
to intelligently and automatically block hosts or networks when said
system believes it is under attack.  Either you'll forget the IP of an
upstream router, the IPs of a-m.root-servers.net or something worse and
DoS yourself.  Leave the blocking to your own intelligence and the
detection to a mixture of systems and your own creative endeavors.

-Jeff


Bob Staaf wrote:
> 
> It depends on how you have Portsentry configured.  There are provisions for
> an ignore file to add addresses not to trigger on.  The risk is someone
> could block some legitimate users by spoofing their addresses.  I have to
> disagree with the statement that portsentry is "crap".  It is a different
> animal than snort and I believe I have a place for both in my network.
> 
> Bob
> 
> ----- Original Message -----
> From: "Fyodor" <fygrave at ...121...>
> To: <Snort-users at lists.sourceforge.net>
> Sent: Wednesday, March 07, 2001 5:45 PM
> Subject: Re: [Snort-users] Portsentry and Snort
> 
> > On Wed, Mar 07, 2001 at 03:42:45PM +0100, Ralf Hildebrandt wrote:
> > > On Wed, Mar 07, 2001 at 09:07:32AM -0500, Bob Staaf wrote:
> > >
> > > >      Is anyone out there running Snort and Portsentry together?  The problem
> > > > I am having is that Portsentry blocks port scans before Snort can even see
> > > > them.
> > >
> > > Frankly, I'd say portsentry is crap. If you really insist on adding "drop"
> > > routes for IPs offending your server, you can do that with snort (at least
> > > I think one can execute programs as a response to triggering of a rule).
> > >
> >
> > Well, actually I could do worse: if it is reacting to UDP portscans and sets up routes
> > to block the sender, I could easily lock up your network completely.
> > Having 'reactive capabilities' like this in an IDS is highly inadvisable.
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> >
> 

-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
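The failure mode Jeff and Fyodor describe, as an added simulation that is not part of the original thread and not Portsentry's or Snort's code: a Portsentry-style reactive blocker adds a reject route for any source that touches a monitored UDP port, and because UDP needs no handshake the attacker can forge the source address freely. The addresses are RFC 5737 documentation ranges, the monitored port list is constructed, and the ignore-file format (one address or CIDR per line, `#` comments) is assumed, modelled on portsentry.ignore.

```python
"""Simulation of a Portsentry-style reactive blocker under a spoofed UDP
portscan.  Constructed example, not Portsentry's or Snort's code; the
ignore-file format and monitored port list are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source address as seen on the wire (attacker-controlled)
    dst_port: int
    proto: str      # "udp" or "tcp"


class ReactiveBlocker:
    """Blocks any source that touches a monitored UDP port unless it is
    listed in the ignore file (assumed format: one IP/CIDR per line)."""

    def __init__(self, udp_ports, ignore_file_text):
        self.udp_ports = set(udp_ports)
        self.ignore = [
            ipaddress.ip_network(line.split("#")[0].strip(), strict=False)
            for line in ignore_file_text.splitlines()
            if line.split("#")[0].strip()
        ]
        self.blocked = set()
        self.actions = []   # what would be handed to the route/firewall hook

    def is_ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def observe(self, pkt):
        """Return True if this packet caused a new block to be installed."""
        if pkt.proto != "udp" or pkt.dst_port not in self.udp_ports:
            return False
        if self.is_ignored(pkt.src) or pkt.src in self.blocked:
            return False
        self.blocked.add(pkt.src)
        # Mirrors the effect of a "drop" route; never run for real against
        # addresses you did not choose to block.
        self.actions.append(f"route add -host {pkt.src} reject")
        return True


def spoofed_udp_scan(forged_sources, ports):
    """UDP is connectionless: the attacker needs no reply, so any source
    address can be forged and the blocker cannot tell it from a real scan."""
    return [Packet(src=s, dst_port=p, proto="udp")
            for s in forged_sources for p in ports]


# Constructed network: hosts the server must keep talking to.
UPSTREAM_ROUTER = "192.0.2.1"
DNS_RESOLVER = "198.51.100.53"
LEGIT_CLIENT = "203.0.113.77"

# Constructed list of UDP ports the blocker listens on.
MONITORED_UDP_PORTS = [1, 7, 9, 69, 161, 162, 513, 640, 700, 32770]


def run_without_ignore_file():
    """Every forged source, including the router and resolver, gets blocked."""
    blocker = ReactiveBlocker(MONITORED_UDP_PORTS, "")
    for pkt in spoofed_udp_scan([UPSTREAM_ROUTER, DNS_RESOLVER, LEGIT_CLIENT], [7, 69]):
        blocker.observe(pkt)
    return blocker.blocked


def run_with_ignore_file():
    """The ignore file saves the hosts you remembered to list; any legitimate
    address you did not list is still blockable by spoofing."""
    ignore = (
        "127.0.0.1\n"
        "192.0.2.1        # upstream router\n"
        "198.51.100.0/24  # resolvers\n"
    )
    blocker = ReactiveBlocker(MONITORED_UDP_PORTS, ignore)
    for pkt in spoofed_udp_scan([UPSTREAM_ROUTER, DNS_RESOLVER, LEGIT_CLIENT], [7, 69]):
        blocker.observe(pkt)
    return blocker.blocked


if __name__ == "__main__":
    print("no ignore file   ->", sorted(run_without_ignore_file()))
    print("with ignore file ->", sorted(run_with_ignore_file()))
```

The point of the two runs is that the ignore file only protects the addresses you thought of in advance; the attacker can spoof any other legitimate peer (a customer, a partner's mail relay) and the blocker will cut it off, which is the self-inflicted DoS the thread warns about.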
