From: Utopian Admin (adminutopia2.com)
Date: Tue Mar 06 2001 - 18:29:35 CST

    Is it possible portsentry intercepted the "attack" before snort got a chance
    to? I know portsentry can block via "route reject" and TCP wrappers.

    Mike.

    -----Original Message-----
    From: snort-users-adminlists.sourceforge.net
    [mailto:snort-users-adminlists.sourceforge.net]On Behalf Of Bob Staaf
    Sent: Tuesday, March 06, 2001 2:52 PM
    To: Snort-userslists.sourceforge.net
    Subject: [Snort-users] Bind Attack (newbie alert)

    Hello all,

         Been running snort for a few hours now and ran into the following
    situation. I also run Portsentry on this server and it caught a portscan on
    bind. However, snort did not catch it.

    Mar 6 15:13:48 swshost portsentry[573]: attackalert: UDP scan from host:
    216.219.244.113/216.219.244.113 to UDP port: 53
    Mar 6 15:13:48 swshost portsentry[573]: attackalert: Host:
    216.219.244.113/216.219.244.113 is already blocked Ignoring

    Any help in pointing me to the right places in my snort config to
    troubleshoot this would be much appreciated!

    Thanks

    Bob

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    http://lists.sourceforge.net/lists/listinfo/snort-users
