[Snort-users] Taking out the traffic on ports 22 and 443 suggestive?

Edin Dizdarevic edin.dizdarevic at ...7509...
Wed Apr 23 09:07:03 EDT 2003


Hi,

Alberto Gonzalez wrote:
> 
> You can go ahead and do that, I personally don't see much of a problem. 

... in doing it, I suppose.

> You can check your logs for connects to SSH that didn't provide correct 
> protocol version credentials (banner grabbing?). 
> 
> <example>
> 
> Apr 23 10:50:49 cerebro sshd[7892]: Bad protocol version identification '' from 127.0.0.1
> 
> </example> 
> 
> Something like that might indicate that someone just wanted the SSH 
> banner. 

We should all have logsurfer running anyway... ;)

Regards,

Edin


> 
> HTH
> 
>  Cheers,
>  Alberto Gonzalez 
> 
> On Wed, 23 Apr 2003, Edin Dizdarevic wrote:
> 
> 
>>Hi everybody,
>>
>>I was wondering if it would make sense to relieve Snort by taking
>>out the ports 22 and 443 using the BPF filters. HTTP(S) packets are
>>usually quite big and looking inside of them is quite senseless for
>>obvious reasons. With SSH stream4 is additionally burdened since those
>>packets are usually quite small and are filling up its memory waiting
>>to be reassembled. Senseless too, IMHO...
>>
>>Of course scans won't be seen, but is that really important since
>>a simple connect scan will find those ports open?
>>
>>Any comments on that?
>>
>>Regards,
>>
>>Edin
>>
>>
> 
> 

-- 
Edin Dizdarevic
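The log check Alberto suggests above (looking for sshd's "Bad protocol version identification" messages, which appear when a client reads the SSH banner and closes without completing the version exchange) is easy to automate. The script below is an added example, not code from either poster or from logsurfer; the log lines are constructed samples modelled on the one quoted in the thread, and the second message form it matches, "Did not receive identification string", is assumed to be the other way OpenSSH of that era reports a client that never sent a version string. It groups such connections by source address so that repeated banner-only connects stand out, which is the visibility lost on port 22 once the BPF filter `not (tcp port 22 or tcp port 443)` keeps that traffic away from Snort.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not from the original thread): a few normal
# sshd events plus the banner-grab indicators discussed above.
SAMPLE_LOG = """\
Apr 23 10:50:49 cerebro sshd[7892]: Bad protocol version identification '' from 127.0.0.1
Apr 23 10:51:02 cerebro sshd[7895]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Apr 23 10:51:30 cerebro sshd[7899]: Bad protocol version identification 'GET / HTTP/1.0' from 198.51.100.7
Apr 23 10:51:31 cerebro sshd[7901]: Bad protocol version identification '' from 198.51.100.7
Apr 23 10:51:33 cerebro sshd[7903]: Bad protocol version identification '' from 198.51.100.7
Apr 23 10:52:00 cerebro sshd[7910]: Did not receive identification string from 203.0.113.5
"""

# Client sent something, but not a valid "SSH-x.y-..." version string.
BAD_VERSION_RE = re.compile(
    r"sshd\[\d+\]: Bad protocol version identification '(?P<ident>[^']*)' from (?P<src>\S+)"
)
# Client connected and went away without sending any version string (assumed
# OpenSSH wording for that case).
NO_IDENT_RE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (?P<src>\S+)"
)


def parse_banner_grabs(log_text):
    """Map each source address to the list of bogus identification strings it sent.

    An empty string is what the thread's example shows (client closed right
    after reading the banner); None marks the "no identification string" form.
    Successful logins and other sshd lines are ignored.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = BAD_VERSION_RE.search(line)
        if m:
            hits[m.group("src")].append(m.group("ident"))
            continue
        m = NO_IDENT_RE.search(line)
        if m:
            hits[m.group("src")].append(None)
    return dict(hits)


def suspicious_sources(log_text, threshold=2):
    """Sources with at least `threshold` banner-only connections, most frequent first."""
    counts = Counter({src: len(v) for src, v in parse_banner_grabs(log_text).items()})
    return [(src, n) for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for src, n in suspicious_sources(SAMPLE_LOG):
        print(f"{src}: {n} connection(s) never completed the SSH version exchange")
```

With the constructed input only 198.51.100.7 crosses the default threshold of two; the single hit from 127.0.0.1 (the thread's own example) is kept in `parse_banner_grabs` so a lower threshold, or a later correlation with Snort alerts on other ports, can still pick it up.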