Hi,

first of all, I did not say that portsentry should be used. I said that it would be the same thing.

However, as a quick reply said, that is the same as a denial of service. (Almost, that is.) A slow scan is not even caught by SNORT, I believe; the only project I have seen being a really good one to find slow scans would be SPADE. This, however, if I am right, is not a "to go product". With that said, I think there are a few things missing in there. I was looking at what you wanted, but came to the conclusion that there is not really a way of doing this, as it is a part of the protocol. That was of course only my own conclusion, which doesn't give you a perfect answer.

Kind regards
Robert Karlsson

-----Original Message-----
From: Adam William Lydick [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17, 2002 4:54 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [email protected]
Subject: RE: How to avoid port scanners

Would this have any effect on the more common case of attackers scanning for a single open port? Or a slower distributed scan? I don't believe I've ever seen a full portscan in my logs. They tend to be looking for the latest BIND/FTP/HTTP flaw. And mostly win32 worms at that :)

Also - from the description on the website, portsentry seems to work only on inactive ports...

Adam

On Thu, 17 Jan 2002 [EMAIL PROTECTED] wrote:

> Hi,
>
> that would be portsentry
> http://www.psionic.com/abacus/portsentry/
>
> I also believe that there is a built in function in iptables doing this.
>
> Kind regards
> Robert Karlsson

