
Re: Active Snort Log Analyser



On Tue 2000-11-07 (11:27), jfjoly@free.fr wrote:
> So, how can I block the attack once I've detected the scan ?
either it is a scan or an attack.

if a scan could reveal information about your firewall which could
be used for an attack you've left the door open since anyone could
try a direct hit without scanning in advance, perform some scan you
don't notice or get some information otherwise.  and some more
serious attacker won't attack from any site visible in a scan before
as one doesn't wake the dog before sneaking in.

a scan eats local resources, so it might qualify as DoS (denial of
service) attack if done appropriately (IMHO idiotic for a scan, but
well), then your 'normal' DoS handling kicks in.

monitoring traffic and noticing scans is a source of information
about widely available or known tools, possibly compromised or
hostile sites, site visibility (never been scanned?  you're doing
something wrong: either no one sees you or you don't see nothing ;)

-- 
MfG/best regards, helmut springer
                                            delta@FaVeVe.Uni-Stuttgart.DE
	
                                        Life is a bitch and then you die.


