Snort mailing list archives

RE: Nmap


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 19 Nov 2003 14:05:39 -0500

At 01:02 PM 11/19/2003, bmcdowell () coxhealthplans com wrote:
> You know what, I just realized that I do do some filtering based on the source port: outbound filtering. E.g.
>
> iptables -A FORWARD -p tcp -s [webserver] ! --sport 80 -j DROP
>
> There isn't anything wrong with doing that, is there?

Not terribly.. an attacker can evade that rule by taking your webserver down and using port 80 as the source port when doing a connection to an outside server. Note that there's no stateful inspection here, so the rule won't stop an outbound connection from port 80 on your webserver to an outside ftp server to download some added rootkit tools.

But it's a handy way to stop most automated worms from spreading out, should one get into your webserver.
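The contrast the reply draws (a source-port check with no connection tracking versus a stateful rule) can be written out as two small iptables rule sets. This is an added example, not a rule set posted in the thread; the web server address, the IPT variable and the log prefix are placeholders chosen here. By default the script only prints the commands it would run, so the two variants can be compared without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): a stateless source-port egress rule
# beside a stateful (conntrack) version for the same web server.
# WEB is a placeholder address (TEST-NET-1); IPT defaults to "echo iptables"
# so the rules are printed rather than applied. Set IPT=iptables to apply them.
WEB="${WEB:-192.0.2.10}"
IPT="${IPT:-echo iptables}"

# Variant 1: the rule from the thread, made syntactically complete
# (--sport needs a protocol, so -p tcp is required).
# It matches on the source port only, so any outbound connection the server
# itself opens from source port 80 passes straight through.
stateless_rules() {
    $IPT -A FORWARD -p tcp -s "$WEB" ! --sport 80 -j DROP
}

# Variant 2: the server may only send packets that belong to connections the
# conntrack table has already seen arrive at its port 80. A fresh outbound
# connection from the server is state NEW regardless of its source port,
# so it is logged and dropped instead of slipping past the port check.
stateful_rules() {
    # inbound client traffic to the web server, new or ongoing
    $IPT -A FORWARD -p tcp -d "$WEB" --dport 80 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # replies from the web server that belong to those connections
    $IPT -A FORWARD -s "$WEB" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # anything the server tries to initiate on its own: log, then drop
    $IPT -A FORWARD -s "$WEB" -m conntrack --ctstate NEW \
        -j LOG --log-prefix "web-egress-new: "
    $IPT -A FORWARD -s "$WEB" -m conntrack --ctstate NEW -j DROP
}

# Print both variants for comparison.
show_rules() {
    echo "# stateless (source port only)"
    stateless_rules
    echo "# stateful (conntrack)"
    stateful_rules
}
```

Run it with no arguments to see the rules printed; run with `IPT=iptables` on a host whose FORWARD chain is meant to carry the web server's traffic to apply them. The LOG rule in the stateful variant is what turns the evasion case the reply describes into something an IDS or syslog watcher can alert on, because an outbound NEW connection from the web server is exactly the event that should never occur.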



