[Snort-users] Nmap

Marc Quibell mquibell at ...7759...
Thu Nov 20 07:22:04 EST 2003



Er..maybe the webserver communicates with other servers on another port? Like
directory services...etc? I suppose it depends on where the firewall is, and
where ther other internal servers are..etc.
I dunno, but I have this nagging feeling that source-port filtering really
doesn't accomplish much. I mean, today's attacks occur on the public ports, such
as port 80, 443, 21...etc. What you're doing is introducing outbound header
inspection, just to avoid the server responding from any other port besides 80.
What is the purpose of this anyways?

Cheese,

Marc



>--__--__--

>Message: 4
>Subject: RE: [Snort-users] Nmap
>Date: Wed, 19 Nov 2003 12:02:31 -0600
>From: <bmcdowell at ...7861...>
>To: <snort-users at lists.sourceforge.net>


>You know what, I just realized that I do do some filtering based on the =
>source port:  outbound filtering.  E.g.

>iptables -A FORWARD -s [webserver] --sport ! 80 -j DROP

>There isn't anything wrong with doing that, is there?


>Bob






More information about the Snort-users mailing list