[Snort-users] Taking out the traffic on ports 22 and 443 suggestive?

Alberto Gonzalez albertg at ...8504...
Wed Apr 23 08:54:08 EDT 2003




You can go ahead and do that, I personally don't see much of a problem. 
You can check your logs for connects to SSH that didn't provide correct 
protocol version credentials (banner grabbing?). 

<example>

Apr 23 10:50:49 cerebro sshd[7892]: Bad protocol version identification '' from 127.0.0.1

</example> 

Something like that might indicate that someone just wanted the SSH 
banner. 

HTH

 Cheers,
 Alberto Gonzalez 

On Wed, 23 Apr 2003, Edin Dizdarevic wrote:

> 
> Hi everybody,
> 
> I was wondering if it would make sense to relieve Snort by taking
> out the ports 22 and 443 using the BPF filters. HTTP(S) packets are
> usually quite big and looking inside of them is quite senseless for
> obvious reasons. With SSH stream4 is additionally burdened since those
> packets are usually quite small and are filling up its memory waiting
> to be reassembled. Senseless too, IMHO...
> 
> Of course scans won't be seen, but is that really important since
> a simple connect scan will find those ports open?
> 
> Any comments on that?
> 
> Regards,
> 
> Edin
> 
> 

-- 
"Success comes to the person who does today, what you are thinking of doing tomorrow." 

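Added example (not from the thread): if port 22 is filtered out of Snort with BPF, the sshd log becomes the place to spot banner grabbing. The script below parses the "Bad protocol version identification" message Alberto quoted and counts it per source; the log lines are constructed, and the threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sshd syslog lines for demonstration; the first one is the
# message format quoted in the post, the others are made up.
SAMPLE_LOG = """\
Apr 23 10:50:49 cerebro sshd[7892]: Bad protocol version identification '' from 127.0.0.1
Apr 23 10:51:02 cerebro sshd[7895]: Accepted publickey for edin from 192.0.2.10 port 40122 ssh2
Apr 23 10:52:17 cerebro sshd[7901]: Bad protocol version identification 'GET / HTTP/1.0' from 198.51.100.7
Apr 23 10:52:18 cerebro sshd[7902]: Bad protocol version identification '' from 198.51.100.7
Apr 23 10:53:40 cerebro sshd[7910]: Did not receive identification string from 203.0.113.5
"""

# Only the message discussed in the post is matched; other sshd
# messages (including the "Did not receive identification string"
# variant above) are ignored by this parser.
BAD_VERSION = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Bad protocol version identification '(?P<ident>[^']*)' from (?P<src>\S+)$"
)


def parse_bad_version(line):
    """Return the fields of a 'Bad protocol version identification' line, or None."""
    m = BAD_VERSION.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def count_by_source(log_text):
    """Count bad-version events per source address (clients that connected
    but never sent a valid SSH identification string)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_bad_version(line)
        if rec:
            counts[rec["src"]] += 1
    return counts


def suspicious_sources(log_text, threshold=2):
    """Sources with at least `threshold` bad-version events (threshold is an
    assumed value; tune it to the host's normal traffic)."""
    return sorted(src for src, n in count_by_source(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for src, n in count_by_source(SAMPLE_LOG).most_common():
        print(f"{src}: {n} bad protocol version event(s)")
    print("flagged:", suspicious_sources(SAMPLE_LOG))
```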