Snort mailing list archives

Re: blocking nmap -P0 attack


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 10 Jan 2005 17:05:56 -0500

At 04:52 PM 1/10/2005, Frank Knobbe wrote:
On Mon, 2005-01-10 at 15:24 -0500, Matt Kettler wrote:
> Snortsam is really best at blocking attacks and fast running scans by
> worms. It's not very good at stopping a diligent person from doing a
> slow-speed nmap.

Unless you block him for a week or two  ;)

Cheers,
Frank

True.. I was mostly speaking from the 2-10 min block that the poster was using.

But you are correct, as long as your block period is greater than the attacker's scan duration you're OK.

(and if your snort sensor is in front of the firewall instead of behind it, you can reduce that to being greater than their packet-that-generates-alarm duration)

But in general, as long as you have a finite block duration, they can always run their scans slower to get around it, but that's a bit of a very slow guessing game if the time is large. Working around someone with a 1 week block duration is pretty much hopeless unless you use a distribution of sources (i.e. a botnet).
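The timing argument in the message above (block period versus scan duration, and the effect of sensor placement) can be checked with a small model. The following is an added illustration, not Snortsam code and not from the original post; it assumes a passive sensor whose alarm packet is delivered before the reactive block lands, and it assumes that a sensor in front of the firewall still sees dropped probes and renews the block on each of them, whereas a sensor behind the firewall never sees them. The scan parameters are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class ReactiveBlocker:
    """Toy model of a Snort + Snortsam style reactive block (assumption, not the real plugin).

    block_seconds:   how long a source stays blocked after an alert.
    sensor_in_front: True if the sensor sits in front of the firewall and therefore
                     still sees (and re-alerts on) probes the firewall is dropping.
    """
    block_seconds: float
    sensor_in_front: bool
    blocked_until: dict = field(default_factory=dict)

    def handle(self, src: str, t: float, triggers_alert: bool) -> bool:
        """Process one packet from src at time t. Return True if it reaches the target."""
        until = self.blocked_until.get(src, float("-inf"))
        if t < until:
            # Firewall drops the packet. If the sensor is in front of the firewall it
            # still sees the packet and the alert renews the block (assumed behaviour).
            if self.sensor_in_front and triggers_alert:
                self.blocked_until[src] = t + self.block_seconds
            return False
        if triggers_alert:
            # Passive sensor: the alarm packet itself gets through, the block follows.
            self.blocked_until[src] = t + self.block_seconds
        return True


def simulate_scan(block_seconds: float, probe_interval: float, probes: int,
                  sensor_in_front: bool, src: str = "198.51.100.7") -> int:
    """Run a single-source scan of `probes` alert-triggering probes sent every
    `probe_interval` seconds and return how many probes reached the target.
    The source address is a constructed documentation address."""
    blocker = ReactiveBlocker(block_seconds, sensor_in_front)
    delivered = 0
    for i in range(probes):
        if blocker.handle(src, i * probe_interval, triggers_alert=True):
            delivered += 1
    return delivered


if __name__ == "__main__":
    ten_min, one_week = 600, 7 * 24 * 3600
    for label, block in (("10 min block", ten_min), ("1 week block", one_week)):
        for interval in (60, 700):
            for front in (False, True):
                got = simulate_scan(block, interval, 100, front)
                where = "sensor in front" if front else "sensor behind"
                print(f"{label}, probe every {interval}s, {where}: {got}/100 probes delivered")
```

With a 10 minute block and a probe every minute, the sensor-behind case lets one probe per block period through (10 of 100), while the sensor-in-front case lets only the first probe through because every dropped probe renews the block. Slow the probes to 700 seconds, longer than the block, and all 100 are delivered regardless of placement, which is the "run the scan slower" point; with a one-week block the same slow scan yields a single delivered probe.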




