On Fri, Mar 05, 2004 at 01:39:45PM -0800, Jon Goode wrote:
> Has anyone considered setting up snort to detect network scans from external
> networks, then automatically having nessus 'retaliate' a scan and post the
> results of the offending machine? Or could this loop? :)

I'd strongly advise against that. IDSes tend to produce false positives;
the default ruleset of snort triggers alerts on things which are not
attacks (i.e. accessing robots.txt); the legality of this process is
highly debatable; and in the end there's very little value for you in
doing that (apart from a little initial satisfaction).

Not to mention that as soon as Linux zealots/integrists know that your
network "retaliates" to attacks, they'll be more than happy to scan your
whole subnet with a spoofed IP of '216.250.128.12' and watch the results,
thinking they've made a difference :)

-- Renaud
_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus