Re: detecting portscanning

To: Peter Hicks <peter@geoworks.com>, <debian-security@lists.debian.org>
Subject: Re: detecting portscanning
From: Tim Uckun <tim@diligence.com>
Date: Thu, 24 May 2001 15:47:33 -0600
Message-id: <5.0.0.25.2.20010524154625.00aeab40@mail.diligence.com>
In-reply-to: <01052414230408.25290@corum>
References: <Pine.LNX.4.33.0105242255320.7810-100000@zeus.rug.ac.be> <Pine.LNX.4.33.0105242255320.7810-100000@zeus.rug.ac.be>

The problem with portsentry is that it binds to all the ports you are
watching, so people that are scanning actually see those ports open. It is
better to use snort, which will let you know that the scans have happened
without the attacker being aware.

Although it binds to all the ports portsentry can blackhole the scanner assoon as it detects it with an IP chains rule. Once the user starts a scanthey will be immediately blackholed and will never even complete the scan.




:wq
Tim Uckun

Due Diligence Inc. http://www.diligence.com/ Americas BackgroundInvestigation Expert.If your company isn't doing background checks, maybe you haven't consideredthe risks of a bad hire.

Reply to:

Follow-Ups:
- Re: detecting portscanning
  - From: Peter Cordes <peter@llama.nslug.ns.ca>

References:
- Re: detecting portscanning
  - From: Rudy Gevaert <webworm@zeus.rug.ac.be>
- Re: detecting portscanning
  - From: Peter Hicks <peter@geoworks.com>

Prev by Date: Re: detecting portscanning
Next by Date: RE: detecting portscanning
Previous by thread: Re: detecting portscanning
Next by thread: Re: detecting portscanning
Index(es):
- Date
- Thread