Snort mailing list archives
Re: Firewall stopping detection?
From: "J. C. Woods" <drjung () sprynet com>
Date: Mon, 20 Aug 2001 14:54:51 -0500
Matthew Collins wrote:

> Do you have a rule that detects NetBIOS Connections? That is what grc.com checks for. Not a lot of use against Debian (unless you are running samba).
>
> >>> David Findlay <david_j_findlay () yahoo com au> 20/08/01 12:46:09 >>>
> > I have just installed snort from Debian Unstable, and customised the config file to suit my system. I then went to grc.com and used the probe my ports thing, to see if snort would detect it, but I get nothing in the logs. I have a firewall using ipchains, which blocks all connections except for stuff initiated from inside. How do I get snort to still detect attack attempts coming in? Thanks,
> >
> > David
> >
> > P.S. Please CC me your reply as I am not a subscriber to the list. Thanks :-)

Whoa, now I am confused (no big deal)! grc.com will conduct a limited portscan on about six or seven privileged ports. This is an attempt, by grc.com, to connect to such ports as port 21, port 80, port 110, etc. Now, this portscan has nothing to do with port 137 or 138. It is a regular portscan in the mode of "nmap". grc.com does do a "shield check" that will also check out your NetBIOS connections, if running.

Whenever I have used the grc.com portscan, snort does indeed pick it up....

drjung

--
J. Craig Woods
UNIX SA
-Art is the illusion of spontaneity-