
Re: Active Snort Log Analyser



Hi!

> You're right and I already block unusual things...
> So, how can I block the attack once I've detected the scan ?

I don't really see your problem here. Your firewall either is secure or it
is not. If it is not, you should not increase security for some short
period, you should increase it for ever. If it is secure, you can sit back
and watch the scan since it cannot harm you.

When is your firewall secure? When you don't allow anything that you don't
explicitly want to be allowed. Forbid everything and take your time before
making the exceptions. Really think about them and keep in mind that every
opening means another possibly buggy service is prone to attacks.

If you do this and you do this well, you're through. Portscans mean no harm
anymore, unless someone uses them as a DoS attack on your log partition.

It is this simple.

Jörn
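
The default-deny policy described in the message above, written as an added example that is not part of the original post. It assumes a Linux host using iptables (loaded with `iptables-restore`), SSH on TCP port 22 as the single deliberate exception, and constructed rate-limit values; the limited LOG rule covers the log-partition concern raised at the end of the message.

```iptables
# Added example: default-deny inbound policy with rate-limited drop logging.
# Assumptions: Linux iptables, loaded via iptables-restore; the allowed
# service (SSH, tcp/22) and the limit values are illustrative only.
*filter

# Forbid everything by default; only the rules below open exceptions.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Local loopback traffic.
-A INPUT -i lo -j ACCEPT

# Replies to connections this host initiated.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# The one explicit exception: every line like this exposes another service,
# so each one should be a considered decision.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# Log what falls through to the DROP policy, but cap the rate so that a
# port scan cannot fill the log partition.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-drop: "

# No final rule needed: unmatched packets hit the INPUT policy (DROP).
COMMIT
```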


