[Snort-users] Portsentry and Snort

Bob Staaf rstaaf at ...1457...
Wed Mar 7 20:09:36 EST 2001


I have been running Portsentry for more than a year on all of my Linux
servers and workstations and have never run into a problem on any of them.
I understand what your concerns are and with proper configuration the chance
of that happening can be minimized.  For me it is an acceptable risk.  By no
means am I going to say everyone should be running portsentry but again for
me it works and works well.  I am mainly interested in snort to fill in the
gaps that portsentry doesn't hit on in my configuration and that is ports
that are in use by services currently running on the server.  This way not
only do I get the logging and blocking on ports that people shouldn't be
hitting I should get logging on attempted exploits on services that are
running.

Bob

----- Original Message -----
From: "Jeff Nathan" <jeff at ...430...>
To: "Bob Staaf" <rstaaf at ...1457...>
Cc: "Fyodor" <fygrave at ...121...>; <Snort-users at lists.sourceforge.net>
Sent: Thursday, March 08, 2001 7:06 PM
Subject: Re: [Snort-users] Portsentry and Snort


> We've discussed this back and forth on the list for a long time.  There
> are very real risks with doing any form of autoblocking.  There are far
> too many variables in the world of network security to count on systems
> to intelligently and automatically block hosts or networks when said
> system believes it is under attack.  Either you'll forget the IP of an
> upstream router, the IPs of a-m.root-servers.net or something worse and
> DoS yourself.  Leave the blocking to your own intelligence and the
> detection to a mixture of systems and your own creative endeavors.
>
> -Jeff
>
>
> Bob Staaf wrote:
> >
> > It depends on how you have Portsentry configured.  There are provisions for
> > an ignore file to add addresses not to trigger on.  The risk is someone
> > could block some legitimate users by spoofing their addresses.  I have to
> > disagree with the statement that portsentry is "crap".  It is a different
> > animal than snort and I believe I have a place for both in my network.
> >
> > Bob
> >
> > ----- Original Message -----
> > From: "Fyodor" <fygrave at ...121...>
> > To: <Snort-users at lists.sourceforge.net>
> > Sent: Wednesday, March 07, 2001 5:45 PM
> > Subject: Re: [Snort-users] Portsentry and Snort
> >
> > > On Wed, Mar 07, 2001 at 03:42:45PM +0100, Ralf Hildebrandt wrote:
> > > > On Wed, Mar 07, 2001 at 09:07:32AM -0500, Bob Staaf wrote:
> > > >
> > > > >      Is anyone out there running Snort and Portsentry together?  The
> > > > > problem I am having is that Portsentry blocks port scans before Snort
> > > > > can even see them.
> > > >
> > > > Frankly, I'd say portsentry is crap. If you really insist on adding
> > > > "drop" routes for IP's offending your server, you can do that with snort
> > > > (at least I think one can execute programs as a response to triggering
> > > > of a rule).
> > > >
> > >
> > > Well, actually I could do worse, if it is reacting on UDP portscans and
> > > sets up routes to block the sender, I could easily lock-up your network
> > > completely.  Having 'reactive capabilities' like this in IDS is highly
> > > unrecommended.
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > >
> >
>
> --
> http://jeff.wwti.com            (pgp key available)
> "Common sense is the collection of prejudices acquired by age eighteen."
> - Albert Einstein
>
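An added illustration of the autoblock risk argued over in this thread (example code, not from Portsentry, Snort or any poster): a minimal reactive-block decision that honours a Portsentry-style ignore file of constructed addresses and refuses to add a drop route for any trigger whose source address was never verified, so a spoofed UDP scan is logged rather than acted on. All addresses and events below are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEvent:
    src: str         # source address claimed by the packet
    proto: str       # "tcp" or "udp"
    handshake: bool  # True only if a full TCP handshake completed with src


# Constructed addresses standing in for a Portsentry-style ignore file:
# the hosts you must never lock yourself out of, whatever "scans" you.
IGNORE = [
    ipaddress.ip_network("127.0.0.0/8"),      # loopback
    ipaddress.ip_network("192.0.2.1/32"),     # upstream router (constructed)
    ipaddress.ip_network("198.51.100.0/24"),  # our own servers (constructed)
]


def decide(event, ignore=IGNORE, require_handshake=True):
    """Return (action, reason); action is 'block' or 'log'."""
    addr = ipaddress.ip_address(event.src)
    if any(addr in net for net in ignore):
        return "log", "source on ignore list"
    if require_handshake and not event.handshake:
        # UDP and half-open TCP probes carry an unverified, spoofable source.
        return "log", "source unverified; a block would trust a spoofable address"
    return "block", "handshake completed, source is real"


def blocked_sources(events, ignore=IGNORE, require_handshake=True):
    """Addresses a reactive blocker would have added drop routes for."""
    return sorted({e.src for e in events
                   if decide(e, ignore, require_handshake)[0] == "block"})


# Constructed sample events: a UDP probe forged to look like it came from the
# router, a UDP probe from a stranger, and a real TCP connect scan.
EVENTS = [
    ScanEvent("192.0.2.1", "udp", False),
    ScanEvent("203.0.113.9", "udp", False),
    ScanEvent("203.0.113.77", "tcp", True),
]

if __name__ == "__main__":
    # No ignore list and block-on-anything: the forged packet cuts off the router.
    print("naive:", blocked_sources(EVENTS, ignore=[], require_handshake=False))
    print("safe: ", blocked_sources(EVENTS))
```

With both mitigations off the router address ends up in the block list, which is the self-inflicted DoS the thread warns about; with them on only the source that completed a handshake is blocked.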