[Snort-users] Snortsam / Portscanning Detection

christian graf cg at ...10864...
Wed Dec 31 07:39:06 EST 2003

Hi Tuomas,

active blocking of portscans can get you in big trouble, as it is very
easy spoof the machine-src-adr.
Just 2 examples:

1) using the decoys in e.g. nmap
nmap can hide its own scan with some decoy-hosts, means those hosts must
exist and be reachable. Your PIX will LOG all the decoys (because their
adresses ahve been spoofed by the nmap-guy). If you are now blocking the
scanning-guys you will mistakingly block the decoys too.

2) if the attacker is driving a idle-scan

in short, using this technique the guy who is driving the scan "NEVER"
sends any packet during the scan to your pix. All packets you are seeing
is from the zombie-host. And therefor you will block the zombie.

If somebody wants to harm you, both versions (idle-scan / decoys) are
just fine to let you block anything the attacker wants!  

So take care when you are implementing any active-features - it may be
used against yourself.



Am Mo, den 29.12.2003 schrieb Tuomas Groves um 20:45:
> Hey everyone,
> I was going to try to get our PIX firewall setup with snort / snortsam 
> and I had a question. We are interested in having the firewall block the 
> offending IP address when we receive a portscan, but I could not figure 
> out where we should place the "fwsam: src, 5 minutes;" entry. Because in 
> snort 2.1.0, I do not know about previous versions, the portscanning 
> detection is a preprocessor. If I set the "output-mode" to "pktkludge" I 
> can see it in the alerts database and everything, but as I said, I have 
> no idea how to set a different output plug-in for this. That is if it 
> can even currently be done. Any help would be greatly appreciated.
>    Tuomas Groves
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list