Portsentry vs snort

To: <debian-security@lists.debian.org>
Subject: Portsentry vs snort
From: Andrew Pollock <andrew@andrew.net.au>
Date: Tue, 4 Sep 2001 10:06:42 +1000
Message-id: <[🔎] 200109040006.f8406gL1014645@daedalus.andrew.net.au>

Hi,

I'm currently running Portsentry on a box, and I've got it configured to add an
ipchains rule firewalling off all access to an IP that touches one of the ports
that Portsentry is listening on (after doing some sanity checks on where the
portscan/port access came from).

I find the way that Portsentry runs (listening on a whole pile of dummy ports)
reasonably unattractive, and I'd prefer to use snort to perform the same task if
possible.

Can snort be configured to call an external program when particular rules are
matched (or better still, when a portscan is detected)?

The resp and react rule keywords don't seem to quite cut it, and ideally I'd
like something real time, not something that trolls snort's logs every n minutes
and reacts retrospectively.

regards

Andrew

Reply to:

Prev by Date: Running/Compiling latest snort on potato
Next by Date: CODA + portmapper == insecure?
Previous by thread: Re: Running/Compiling latest snort on potato
Next by thread: CODA + portmapper == insecure?
Index(es):
- Date
- Thread