Snort mailing list archives
RE: Nmap
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 19 Nov 2003 14:05:39 -0500
At 01:02 PM 11/19/2003, bmcdowell () coxhealthplans com wrote:
You know what, I just realized that I do do some filtering based on the source port: outbound filtering. E.g. iptables -A FORWARD -s [webserver] --sport ! 80 -j DROP There isn't anything wrong with doing that, is there?
Not terribly... an attacker can evade that rule by taking your webserver down and using port 80 as the source port when doing a connection to an outside server. Note that there's no stateful inspection here, so the rule won't stop an outbound connection from port 80 on your webserver to an outside ftp server to download some added rootkit tools.
But it's a handy way to stop most automated worms from spreading out, should one get into your webserver.
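The exchange above contrasts a stateless source-port egress rule with connection tracking. The following Python simulation is an added illustration, not code from either poster: it models both policies as packet-classification functions and runs a constructed sequence of TCP segments through them. The web server address (10.0.0.5), the client and outside-host addresses (RFC 5737 documentation ranges) and the port numbers are all assumed values.

```python
"""Stateless source-port rule vs. connection-tracked egress policy (constructed example)."""
from dataclasses import dataclass

WEBSERVER = "10.0.0.5"  # assumed internal web server address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # connection-opening flag
    ack: bool


def stateless_sport_filter(pkt: Packet) -> str:
    """Models: iptables -A FORWARD -s [webserver] -p tcp ! --sport 80 -j DROP
    It only looks at the source port, never at which side opened the connection."""
    if pkt.src == WEBSERVER and pkt.sport != 80:
        return "DROP"
    return "ACCEPT"


class StatefulFilter:
    """Models a conntrack-style policy: the web server may only send segments that
    belong to a connection an outside client opened to its port 80. Any
    server-originated connection attempt is dropped, whatever source port it uses."""

    def __init__(self) -> None:
        # connections keyed from the server's viewpoint: (server, sport, peer, pport)
        self.established: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.src != WEBSERVER:
            # inbound SYN (without ACK) to the web service opens a tracked connection
            if pkt.dst == WEBSERVER and pkt.dport == 80 and pkt.syn and not pkt.ack:
                self.established.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "ACCEPT"
        # outbound from the server: allowed only inside a tracked connection,
        # and never as a fresh SYN (which would be a server-initiated connection)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.established and not (pkt.syn and not pkt.ack):
            return "ACCEPT"
        return "DROP"


def run_scenario() -> dict[str, tuple[str, str]]:
    """Run a constructed packet sequence through both policies.
    Returns {label: (stateless decision, stateful decision)}."""
    client, outside = "198.51.100.7", "203.0.113.9"  # constructed addresses
    stateful = StatefulFilter()
    sequence = [
        ("client SYN to web:80",
         Packet(client, 51000, WEBSERVER, 80, syn=True, ack=False)),
        ("server SYN/ACK reply from :80",
         Packet(WEBSERVER, 80, client, 51000, syn=True, ack=True)),
        ("server-initiated SYN from sport 80 to outside:21",
         Packet(WEBSERVER, 80, outside, 21, syn=True, ack=False)),
        ("server-initiated SYN from sport 44444 to outside:21",
         Packet(WEBSERVER, 44444, outside, 21, syn=True, ack=False)),
    ]
    return {label: (stateless_sport_filter(p), stateful.decide(p)) for label, p in sequence}


if __name__ == "__main__":
    for label, (stateless, stateful) in run_scenario().items():
        print(f"{label:55s} stateless={stateless:6s} stateful={stateful}")
```

The third packet is the case raised in the reply: a connection opened by the server itself but with source port 80. The stateless rule accepts it because the port matches, while the connection-tracked policy drops it because no client ever opened that connection. The fourth packet (an arbitrary high source port, typical of a worm spreading out) is dropped by both. The stateful model corresponds to something like `iptables -A FORWARD -s [webserver] -m state --state NEW -j DROP` (or `-m conntrack --ctstate NEW` on newer kernels), which blocks any connection the web server originates regardless of source port; treat that rule as an assumed equivalent rather than the exact rule either poster used.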