Snort mailing list archives
Re: blocking nmap -P0 attack
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 10 Jan 2005 17:05:56 -0500
At 04:52 PM 1/10/2005, Frank Knobbe wrote:
On Mon, 2005-01-10 at 15:24 -0500, Matt Kettler wrote:
> Snortsam is really best at blocking attacks and fast running scans by
> worms. It's not very good at stopping a diligent person from doing a
> slow-speed nmap.

Unless you block him for a week or two ;)

Cheers,
Frank

True.. I was mostly speaking from the 2-10 min block that the poster was using. But you are correct, as long as your block period is greater than the attacker's scan duration you're OK.
(and if your snort sensor is in front of the firewall instead of behind it, you can reduce that to being greater than their packet-that-generates-alarm duration)
But in general, as long as you have a finite block duration, they can always run their scans slower to get around it, but that's a bit of a very slow guessing game if the time is large. Working around someone with a 1 week block duration is pretty much hopeless unless you use a distribution of sources (ie: a botnet).