Re: Active Snort Log Analyser
> why do you allow anything besides the 'normal things' if you have to
> block it on 'attack'? most would think a firewall setup doesn't
> allow anything besides the needed and therefore has nothing to block
> on demand besides that.
You're right and I already block unusual things...
So, how can I block the attack once I've detected the scan?
> someone can perform a DoS against the access to your service for a
> third party by triggering your blocking with spoofed packets.
Right again! And again, how can I prevent this from occurring?
Well, thanks for opening my eyes, I see this is not as simple as denying access.
I'm about to try portsentry as I talk and it seems to stop the attacker before
he starts the attack: when he tries to scan the firewall.
JF.