From: Bob Staaf (rstaafcfl.rr.com)
Date: Tue Mar 06 2001 - 19:40:14 CST

    Mike,

         That is a good question. Portsentry is set up to block ports via TCP
    Wrappers. What do I do in this case? This would be fine if I was just
    interested in monitoring this server, but I have 2 other servers and I would
    like snort to be able to log any portscans to my network. I also do not
    want to disable portsentry. Anyone else out there running both?

    Thanks

    Bob

    ----- Original Message -----
    From: "Utopian Admin" <adminutopia2.com>
    To: "Bob Staaf" <rstaafcfl.rr.com>; <Snort-userslists.sourceforge.net>
    Sent: Tuesday, March 06, 2001 7:29 PM
    Subject: RE: [Snort-users] Bind Attack (newbie alert)

    > Is it possible portsentry intercepted the "attack" before snort got a
    > chance to? I know portsentry can block via "route reject" and TCP wrappers.
    >
    > Mike.
    >
    > -----Original Message-----
    > From: snort-users-adminlists.sourceforge.net
    > [mailto:snort-users-adminlists.sourceforge.net]On Behalf Of Bob Staaf
    > Sent: Tuesday, March 06, 2001 2:52 PM
    > To: Snort-userslists.sourceforge.net
    > Subject: [Snort-users] Bind Attack (newbie alert)
    >
    >
    > Hello all,
    >
    > Been running snort for a few hours now and ran into the following
    > situation. I also run Portsentry on this server and it caught a portscan
    > on bind. However, snort did not catch it.
    >
    > Mar 6 15:13:48 swshost portsentry[573]: attackalert: UDP scan from host:
    > 216.219.244.113/216.219.244.113 to UDP port: 53
    > Mar 6 15:13:48 swshost portsentry[573]: attackalert: Host:
    > 216.219.244.113/216.219.244.113 is already blocked Ignoring
    >
    > Any help in pointing me to the right places in my snort config to
    > troubleshoot this would be much appreciated!
    >
    > Thanks
    >
    > Bob
    >
    >
    > _______________________________________________
    > Snort-users mailing list
    > Snort-userslists.sourceforge.net
    > Go to this URL to change user options or unsubscribe:
    > http://lists.sourceforge.net/lists/listinfo/snort-users
    >
    >
