Hi,

On Tuesday 01 July 2003 17:46, josh wrote:
> > Your IDS will not block a simple connect scan (AFAIR snort does not save
> > packets and does not know that this is the 10,000th port in a row you are
> > trying to reach)
>
> FYI the portscan2 preprocessor on snort 2.0 tracks connection states.

My knowledge is based on the previous version of snort, so I may be wrong,
BUT: connection states will not really help you here, since the basic
"connect" scan will open the port, close it, and then go to the next port.
The connection state will be cleared unless snort saves the fact that a
port was opened (and closed). I find it hard to believe that snort records
that information (but again: I could be wrong).

If you want that functionality, google for "portsentry".


-- 
- Aviram
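
The point discussed above, as an added example that is not part of the original message and is not snort's or portsentry's code: spotting a connect scan needs per-source memory of the ports touched, kept after each connection has closed. The event format, window, threshold and sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (timestamp_seconds, src_ip, dst_port), one per
# completed TCP connection (opened and closed again), as in a connect scan.
SAMPLE_EVENTS = (
    [(i * 0.05, "192.0.2.10", 1 + i) for i in range(40)]   # sequential sweep
    + [(1.0, "198.51.100.7", 80), (2.0, "198.51.100.7", 443),
       (3.0, "198.51.100.7", 80)]                           # ordinary client
)

class ConnectScanDetector:
    """Remembers which ports each source touched, even after the
    connection itself is closed and its state has been discarded."""

    def __init__(self, window=10.0, threshold=20):
        self.window = window                # seconds of history kept per source
        self.threshold = threshold          # distinct ports that raise an alert
        self.history = defaultdict(deque)   # src -> deque of (ts, port)
        self.alerted = set()                # sources already reported

    def observe(self, ts, src, port):
        """Record one closed connection; return True on a new alert."""
        seen = self.history[src]
        seen.append((ts, port))
        # Drop entries that have fallen out of the time window.
        while seen and ts - seen[0][0] > self.window:
            seen.popleft()
        distinct = {p for _, p in seen}
        if len(distinct) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return True
        return False

def detect(events, window=10.0, threshold=20):
    """Replay events in time order and return [(src, ts)] for each alert."""
    det = ConnectScanDetector(window, threshold)
    return [(src, ts) for ts, src, port in sorted(events)
            if det.observe(ts, src, port)]

if __name__ == "__main__":
    for src, ts in detect(SAMPLE_EVENTS):
        print(f"possible connect scan from {src} at t={ts:.2f}s")
```

A scan paced slower than `threshold` ports per `window` seconds stays under this counter, so the window length is the trade-off between memory use and catching slow sweeps.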

