[Snort-users] Taking out the traffic on ports 22 and 443 suggestive?
albertg at ...8504...
Wed Apr 23 08:54:08 EDT 2003
You can go ahead and do that, I personally don't see much of a problem.
You can check your logs for connects to SSH that didn't provide correct
protocol version credentials (banner grabbing?).
Apr 23 10:50:49 cerebro sshd: Bad protocol version identification '' from 127.0.0.1
Something like that might indicate that someone just wanted the SSH
On Wed, 23 Apr 2003, Edin Dizdarevic wrote:
> Hi everybody,
> I was wondering if it would make sense to relieve Snort by taking
> out the ports 22 and 443 using the BPF filters. HTTP(S) packets are
> usually quite big and looking inside of them is quite senseless for
> obvious reasons. With SSH stream4 is additionally burdened since those
> packets are usually quite small and are filling up its memory waiting
> to be reassembled. Senseless too, IMHO...
> Of course scans won't be seen, but is that really important since
> a simple connect scan will find those ports open?
> Any comments on that?
"Success comes to the person who does today, what you are thinking of doing tomorrow."
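
Added example (not part of the original message and not Snort project code): if ports 22 and 443 are filtered out of Snort's view, the sshd log check suggested in the reply becomes the remaining visibility for SSH probes, so this script tallies "Bad protocol version identification" lines per source address. Only the first sample line comes from the message above; the others are constructed, and the "sshd[pid]" prefix and trailing "port N" are assumed log-format variants.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (only the first is quoted in the message
# above). Non-loopback addresses are documentation ranges.
SAMPLE_LOG = """\
Apr 23 10:50:49 cerebro sshd: Bad protocol version identification '' from 127.0.0.1
Apr 23 10:51:02 cerebro sshd[4121]: Bad protocol version identification 'GET / HTTP/1.0' from 192.0.2.10
Apr 23 10:51:03 cerebro sshd[4122]: Accepted password for alice from 198.51.100.7 port 40112 ssh2
Apr 23 10:52:17 cerebro sshd[4130]: Bad protocol version identification '' from 192.0.2.10
Apr 23 10:52:40 cerebro sshd[4133]: Bad protocol version identification 'it's here' from 203.0.113.5 port 51514
"""

# The client string is remote-controlled and may itself contain quotes, so
# match it greedily and anchor the source address at the end of the line.
BAD_IDENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd(?:\[\d+\])?:\s"
    r"Bad protocol version identification '(?P<ident>.*)' from "
    r"(?P<src>\S+)(?: port (?P<port>\d+))?\s*$"
)

def bad_ident_events(lines):
    """Yield (timestamp, source, ident) for each bad-identification line."""
    for line in lines:
        m = BAD_IDENT.match(line)
        if m:
            yield m.group("ts"), m.group("src"), m.group("ident")

def summarize(lines):
    """Group events by source address: count plus the distinct strings sent."""
    summary = defaultdict(lambda: {"count": 0, "idents": set()})
    for _ts, src, ident in bad_ident_events(lines):
        summary[src]["count"] += 1
        summary[src]["idents"].add(ident)
    return dict(summary)

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG.splitlines()).items(),
                            key=lambda kv: -kv[1]["count"]):
        # repr() keeps control characters in the client string off the terminal
        shown = ", ".join(repr(i) for i in sorted(info["idents"]))
        print(f"{src:15} {info['count']:3}  {shown}")
```

An empty identification string means the client connected and closed or stalled without sending a banner; a non-SSH string such as an HTTP request line points to a generic service probe.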