Re: Taking out the traffic on ports 22 and 443 suggestive?

[Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>]

Hi,

Alberto Gonzalez wrote:
> You can go ahead and do that, I personally don't see much of a problem. 

... in doing it, I suppose.

> You can check your logs for connects to SSH that didn't provide correct 
> protocol version credentials (banner grabbing?). 
>
> <example>
>
> Apr 23 10:50:49 cerebro sshd[7892]: Bad protocol version identification '' from 127.0.0.1
>
> </example> 
>
> Something like that might indicate that someone just wanted the SSH 
> banner. 

We should all have logsurfer running anyway... ;)

Regards,

Edin


> HTH
>
>  Cheers,
>  Alberto Gonzalez 
>
> On Wed, 23 Apr 2003, Edin Dizdarevic wrote:
>
>
> > Hi everybody,
> >
> > I was wondering if it would make sense to relief Snort by taking
> > out the ports 22 and 443 using the BPF filters. HTTP(S) packets are
> > usually quite big and looking inside of them is quite senseless for
> > obvious reasons. With SSH stream4 is additionally burdened since those
> > packets are usually quite small and are filling up it's memory waiting
> > to be reassembled. Senseless too, IMHO...
> >
> > Of course scans won't be seen, but is that really important since
> > a simple connect scan will find those ports open?
> >
> > Any comments on that?
> >
> > Regards,
> >
> > Edin

-- 
Edin Dizdarevic



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users