[plug] Active response IDSs?
Craig Ringer
craig at postnewspapers.com.au
Sat Aug 3 02:10:14 WST 2002
bob wrote:
>Anyone have anything they care to share regarding active response IDSs?
>I seem to be being hammered a bit at the moment and was wondering if
>there was anything decent in the way of IDS responses.
>
Portsentry is the only one I've personally tried, but I ended up
ditching it in favour of a passive setup of paranoid iptables blocks and
logging. I was running it on a firewall, though, where its usefulness is
questionable (if you're running no services and dropping all unrequested
packets from the outside world, what good does an active response IDS do
you?) Perhaps there's something I'm missing, but portsentry wouldn't
even get the packets on a firewall configured to drop external incoming
traffic not associated with an (internally initiated) connection, would it?
Oh yeah, I know bugger all about internet security, IDSes, etc., so this
is purely personal experience, etc.
>And what are they looking for on port 33575?
>
http://www.google.com/search?q=port+33357
#1 result:
Auld Holland Inn *33575* Hwy 20 Oak Harbor
hmm... no go from google *grin*
Perhaps it's a misconfigured tool, or maybe a port pulled out of a hat
that the source is using on the assumption that it's _not_ special, say
to check how/if the host firewalls high ports w/o listening servers?
Just guessing here; knowledge of this specific case == nil. Hell, maybe
it's a type^Ho.
Umm... on that note I think it's time to go to bed - been up too late
playing with my new DVD-ROM and TV-Out stuff *grin*...
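Added example, not part of the original post and not code from portsentry or iptables: a toy model of the "drop all unrequested inbound, log it" firewall policy Craig describes. It shows why an unsolicited probe to a high port such as 33575 is logged and dropped in the kernel filter before any userspace listener (a portsentry-style active-response daemon) could ever see it, and what the passive block-and-log setup leaves you to work with instead. All hosts, ports and traffic below are constructed test data; the log line format only mimics the SRC=/DST=/SPT=/DPT= fields of the iptables LOG target.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment as seen at the firewall (constructed test data)."""
    direction: str   # "in" from the internet, "out" from the LAN
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Toy model of a 'drop everything unrequested' netfilter policy:
    outbound NEW creates state, inbound is accepted only when it matches
    that state (ESTABLISHED), everything else inbound is logged and dropped.
    """

    def __init__(self):
        self.state = set()       # (local_ip, local_port, remote_ip, remote_port)
        self.log_lines = []      # what the iptables LOG target would emit
        self.delivered = []      # inbound packets that reach userspace at all

    def handle(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            self.delivered.append(pkt)          # reply to something we started
            return "ACCEPT"
        # Unsolicited inbound: logged by the kernel, then dropped. No socket
        # is involved, so a portsentry-style listener never gets to react.
        self.log_lines.append(
            f"IN=eth0 OUT= SRC={pkt.src} DST={pkt.dst} PROTO=TCP "
            f"SPT={pkt.sport} DPT={pkt.dport} SYN"
        )
        return "DROP"


LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?DPT=(?P<dport>\d+)")


def summarize_log(lines):
    """Passive side: count dropped probes per source and destination port."""
    per_source = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            per_source[m["src"]][int(m["dport"])] += 1
    return per_source


def run_scenario():
    """Constructed traffic: one legitimate web fetch from the LAN host
    192.0.2.10 and three unsolicited probes from 203.0.113.7."""
    fw = StatefulFilter()
    traffic = [
        Packet("out", "192.0.2.10", 40001, "198.51.100.5", 80),   # LAN -> web
        Packet("in", "198.51.100.5", 80, "192.0.2.10", 40001),    # the reply
        Packet("in", "203.0.113.7", 5555, "192.0.2.10", 33575),   # probe
        Packet("in", "203.0.113.7", 5556, "192.0.2.10", 33575),   # probe again
        Packet("in", "203.0.113.7", 5557, "192.0.2.10", 22),      # probe ssh
    ]
    verdicts = [fw.handle(p) for p in traffic]
    return verdicts, fw.delivered, summarize_log(fw.log_lines)


if __name__ == "__main__":
    verdicts, delivered, summary = run_scenario()
    print(verdicts)                       # only the web reply is ACCEPTed inbound
    for src, ports in summary.items():
        print(src, dict(ports))           # 203.0.113.7 {33575: 2, 22: 1}
```

The point of the model is the `delivered` list: only the reply to the connection the LAN host opened reaches userspace, so an active-response tool bound to high ports on the firewall would have nothing to respond to. The per-source summary is the equivalent of reading the LOG output by hand, which is all the passive setup gives you, and is enough to tell a one-off stray packet from a repeated probe.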