Snort mailing list archives

Re: Stopping portscanning


From: twig les <twigles () yahoo com>
Date: Fri, 7 Mar 2003 09:59:13 -0800 (PST)

Stateful inspection/NAT at the border works well, although not
always feasible.  We also end almost all of our Cisco ACLs with
a "deny ip any any log" and that helps too.  I don't see Snort
doing this very well, especially because of the high rate of
false positives in this area.



--- Max Lopez <mlopez () itesm mx> wrote:
Hi:

I am using Snort to detect Kazaa and Gnutella traffic, and to send a TCP Reset
to both IPs when Snort detects the traffic. We have been able to lower
the traffic in our "Internet 2" serial (E3-34mbps) from 10-12mbps to 1-2
mbps.

Now I am seeing a lot of portscans, so I am looking for some way to stop that
portscanning. I am not sure if there is some way to send TCP_RESETs or
HOST_UNREACHABLE ICMPs. Do you have any way of stopping those scans?

Thanks a lot.

-- 

Max Lopez
Departamento de Redes Corporativo
ITESM Sistema
Tel. (81) 8358-2000  ext. 4136
Fax. (81) 8328-4208
Monterrey Mexico.


-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView,
The debugger 
for complex code. Debugging C/C++ programs can leave you
feeling lost and 
disoriented. TotalView can help you find your way. Available
on major UNIX 
and Linux platforms. Try it free. www.etnus.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------
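
An added example, not part of the original thread and not code from Snort or Cisco: one way to use the denied-packet messages that a trailing "deny ip any any log" ACL entry produces is to count distinct destination ports and hosts per source. The log lines are constructed in the IOS `%SEC-6-IPACCESSLOGP` format with documentation addresses, and the ACL number, function names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Matches the IOS message logged for a denied TCP/UDP packet.
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

def _line(src, dst, dport):
    """Build one constructed log line (hypothetical router name and ACL 110)."""
    return (f"Mar  7 09:58:01 gw 42: %SEC-6-IPACCESSLOGP: list 110 denied tcp "
            f"{src}(40000) -> {dst}({dport}), 1 packet")

# Constructed sample: one vertical scan, one horizontal sweep, one stray packet.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "192.0.2.10", p) for p in (21, 22, 23, 25, 80, 443)]
    + [_line("198.51.100.9", f"192.0.2.{h}", 445) for h in range(1, 6)]
    + [_line("198.51.100.77", "192.0.2.10", 6346)]
)

def find_scanners(log_text, min_ports=5, min_hosts=5):
    """Return {source: [(kind, target, count), ...]} for sources over a threshold."""
    ports = defaultdict(set)  # (src, dst) -> distinct destination ports
    hosts = defaultdict(set)  # (src, dport) -> distinct destination hosts
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an ACL deny message
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        ports[(src, dst)].add(dport)
        hosts[(src, dport)].add(dst)
    findings = {}
    for (src, dst), seen in ports.items():
        if len(seen) >= min_ports:  # many ports on one host
            findings.setdefault(src, []).append(("vertical", dst, len(seen)))
    for (src, dport), seen in hosts.items():
        if len(seen) >= min_hosts:  # one port across many hosts
            findings.setdefault(src, []).append(("horizontal", dport, len(seen)))
    return findings

if __name__ == "__main__":
    for src, hits in find_scanners(SAMPLE_LOG).items():
        print(src, hits)
```

The single denied packet from 198.51.100.77 stays below both thresholds and is not reported, which is the kind of tuning that keeps false positives down.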




