[Snort-users] Nmap

Matt Kettler mkettler at ...4108...
Wed Nov 19 11:05:03 EST 2003


At 01:02 PM 11/19/2003, bmcdowell at ...7861... wrote:
>You know what, I just realized that I do do some filtering based on the 
>source port:  outbound filtering.  E.g.
>
>iptables -A FORWARD -s [webserver] -p tcp ! --sport 80 -j DROP
>
>There isn't anything wrong with doing that, is there?

Not terribly... an attacker can evade that rule by taking your webserver 
down and using port 80 as the source port when doing a connection to an 
outside server. Note that there's no stateful inspection here, so the rule 
won't stop an outbound connection from port 80 on your webserver to an 
outside ftp server to download some added rootkit tools.

But it's a handy way to stop most automated worms from spreading out, 
should one get into your webserver.
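As an added illustration (not from either poster), here is the stateless rule from the quoted message next to a connection-tracking version that addresses the evasion Matt describes: the webserver may only send packets that belong to a session an outside host opened to its port 80, so a connection it originates itself is dropped no matter which source port it binds. The `192.0.2.10` address and the `IPT` dry-run default are placeholders I chose; set `IPT=iptables` to apply for real.

```bash
#!/bin/sh
# Added example; not code from the original thread.
# WEBSERVER is a placeholder address, IPT defaults to a dry run that only
# prints the commands. Run with IPT=iptables (as root) to install them.
WEBSERVER="${WEBSERVER:-192.0.2.10}"
IPT="${IPT:-echo iptables}"

# The rule from the thread, with the -p tcp that --sport requires.
# Weakness: it only looks at the source port of each packet, so anything
# on the host that manages to bind local port 80 (easy once the real httpd
# is stopped) can open outbound connections freely.
stateless_rules() {
    $IPT -A FORWARD -s "$WEBSERVER" -p tcp ! --sport 80 -j DROP
}

# Stateful replacement: the connection tracker knows which direction a
# session was opened in. Packets from port 80 that belong to a session an
# outside client started are allowed; a NEW connection leaving the
# webserver (any source port, any protocol) is logged and dropped.
stateful_rules() {
    $IPT -A FORWARD -s "$WEBSERVER" -p tcp --sport 80 \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -s "$WEBSERVER" -m conntrack --ctstate NEW \
        -j LOG --log-prefix "egress-from-web: "
    $IPT -A FORWARD -s "$WEBSERVER" -j DROP
}

# Counts the FORWARD rules a rule set emits, so the two variants can be
# compared without touching a live firewall.
count_rules() {
    "$1" | grep -c -- '-A FORWARD'
}

stateless_rules
stateful_rules
```

The LOG line is what a Snort-style review of the box would want: an outbound NEW connection from the webserver is itself the alert, since legitimate traffic from it should only ever be replies.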
