On Tuesday 01 July 2003 14:43, Mycroft wrote:
> On Tuesday 01 July 2003 10:13, Tzafrir Cohen wrote:
> > TC> What happens if I spoof a portscan from a different address? Do you
> > TC> block it? Now what was the IP of your DNS server?
> > TC>
> That's what the "preprocessor portscan2-ignorehosts:" and "preprocessor
> portscan-ignorehosts:" sections in the /etc/snort/snort.conf file are for.

I hope you have there:
- Your DNS's
- Gateway address
- All internal network addresses
- Your SMTP server, redhat updates server and any other server you connect to directly
- All SMTP servers that connect to your network to send you emails (hotmail.com has at least several dozen such IPs)
- localhost, all local interface addresses
- possibly other servers you connect to directly and I didn't think of

(if my irony went undetected, I would really recommend against this hair-triggered blocking system)

> The issue of spoofed scan isn't really a big deal at all as you can't get
> the results of the scan delivered to your box. "Idle" scan won't work here
> either because my ISP's DNS servers are far from being idle with all the
> traffic going through. Basically the result of idle scan will be that all
> possible ports are open, that if the scanner itself will not warn you that
> the IP sequence numbers are not exactly close enough to each other.
> Comments?

"Idle scan" will actually work quite nicely here (I'm sure one of the servers written above has its idle moments), but that's not the way I would approach it as an attacker. Your IDS will not block a simple connect scan (AFAIR snort does not save packets and does not know that this is the 10,000th port in a row you are trying to reach) and even if it would, it is usually possible to evade it by scanning slowly enough.

--
- Aviram
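As an added illustration of the ignore-list and threshold mechanics the thread is arguing about (this is not code from the thread or from Snort; the addresses, threshold, window and log lines are constructed), here is a minimal sliding-window port-scan detector with an ignore-host list. It shows why the DNS server and gateway must be on that list before any automatic blocking is wired to the alert: a burst from an outside host is flagged, the same burst with the source spoofed as the DNS server is skipped by the ignore list, and a source that touches one port every couple of seconds never crosses the threshold at all, which is the detector's limitation Aviram points at.

```python
"""Sliding-window port-scan detector with an ignore-host list (added example).

Models the behaviour the thread attributes to Snort's portscan preprocessors:
a source touching more than THRESHOLD distinct ports within WINDOW seconds is
reported unless it is listed in IGNORE_HOSTS.  All values are constructed.
"""
from collections import defaultdict, deque
import ipaddress

THRESHOLD = 5   # distinct ports inside one window before alerting (constructed)
WINDOW = 3.0    # window length in seconds (constructed)

# Hosts a reflexive blocker must never act on: DNS, gateway, internal range.
IGNORE_HOSTS = [ipaddress.ip_network(n) for n in
                ("10.0.0.53/32", "10.0.0.1/32", "192.168.0.0/16")]


def is_ignored(src):
    """True if src falls inside any ignore-list network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in IGNORE_HOSTS)


def parse_line(line):
    """Constructed log format: '<seconds> <src_ip> <dst_port>'."""
    ts, src, port = line.split()
    return float(ts), src, int(port)


def detect(events):
    """events: iterable of (ts, src, port).  Returns [(src, ts)] with one entry
    per source, stamped when it first exceeds THRESHOLD ports within WINDOW."""
    recent = defaultdict(deque)   # src -> deque of (ts, port) still in window
    alerted, alerts = set(), []
    for ts, src, port in events:
        if is_ignored(src):
            continue              # spoofed-as-DNS traffic never reaches the blocker
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()           # expire entries older than the window
        if src not in alerted and len({p for _, p in q}) > THRESHOLD:
            alerted.add(src)
            alerts.append((src, ts))
    return alerts


# Constructed sample: burst from outside, same burst spoofed as DNS, slow source.
SAMPLE = ([f"{i / 10:.1f} 203.0.113.7 {21 + i}" for i in range(7)]
          + [f"{10 + i / 10:.1f} 10.0.0.53 {21 + i}" for i in range(7)]
          + [f"{20 + 2 * i:.1f} 198.51.100.9 {21 + i}" for i in range(7)])

if __name__ == "__main__":
    print(detect(map(parse_line, SAMPLE)))   # -> [('203.0.113.7', 0.5)]
```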
