[plug] Active response IDSs?
bob
bob at fots.org.au
Sat Aug 3 11:01:41 WST 2002
On Sat, 2002-08-03 at 02:10, Craig Ringer wrote:
> bob wrote:
>
> >Anyone have anything they care to share regarding active response IDSs?
> >I seem to be being hammered a bit at the moment and was wondering if
> >there was anything decent in the way of IDS responses.
> >
> Portsentry is the only one I've personally tried, but I ended up
> ditching it in favour of a passive setup of paranoid iptables blocks and
> logging. I was running it on a firewall, though, where its usefulness is
> questionable (if you're running no services and dropping all unrequested
> packets from the outside world, what good does an active response IDS do
> you?) Perhaps there's something I'm missing, but portsentry wouldn't
> even get the packets on a firewall configured to drop external incoming
> traffic not associated with an (internally initiated) connection, would it?
Ok, this is probably just me being paranoid but if "they" are sniffing
around on random ports I figure they're looking for 'sploits. What I was
hoping to find was something like... IP# sniffs at blocked port# that is
a known hole, IDS takes note of that being logged and adds iptables rule
that drops IP# period. That way they don't get to try stuff on ports
that are open... though thinking about it if an evil h4><3r has a brand
new 'sploit for say apache they're going to go straight for the kill and
not poot around poking ports :( so they skirt the whole drop IP# thing.
Speaking of "they" I'm about ready to drop all of ifrance.com just on
principle.
<accent="loud tourist">
Relay est vou ici, NON!
</accent>
> Oh yeah, I know bugger all about internet security, IDSes, etc so this
> is purely personal experience etc.
>
> >And what are they looking for on port 33575?
> >
> http://www.google.com/search?q=port+33357
> #1 result:
> Auld Holland Inn *33575* Hwy 20 Oak Harbor
>
> hmm... no go from google *grin*
> Perhaps its a misconfigured tool or maybe a port pulled out of a hat
> that the source is using on the assumption that its _not_ special, say
> to check how/if the host firewalls high ports w/o listening servers?
> just guessing here, knowledge of this specific case == nil. Hell, maybe
> its a type^Ho.
Well they were pretty insistent, a couple of hundred attempts over 3 hrs
or so. I thought it might be some back orifice type of thing. I checked
google as well and came up empty... Something weird :).
> Umm... on that note I think its time to go to bed - been up too late
> playing with my new DVD-ROM and TV-Out stuff *grin*...
Mmmm... toys :)
--
bob
Cave canem...te necet lingendo.
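The mechanism bob sketches above (a probe at a blocked, known-bad port gets logged, and the probing source then gets an iptables DROP), written out as an added example that is not from the thread. It works from the kernel's netfilter LOG lines rather than from a listening sensor, so unlike the portsentry case Craig describes it sees packets the firewall has already dropped; the watched ports, the threshold and the sample log lines are constructed for this example.

```python
import re
from collections import Counter

# Ports treated as "known holes" worth reacting to, and how many probes
# from one source trigger a block. Both values are assumptions chosen
# for this example, not recommendations.
WATCHED_PORTS = {33575, 135, 1433}
THRESHOLD = 3

# Netfilter LOG entries carry SRC= before DPT=; we only need those two.
LOG_RE = re.compile(r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}).*?DPT=(?P<dpt>\d+)")


def count_probes(lines):
    """Count, per source IP, the logged packets aimed at a watched port.

    Lines without a DPT field (for example ICMP echo) are skipped."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and int(m.group("dpt")) in WATCHED_PORTS:
            hits[m.group("src")] += 1
    return hits


def block_rules(hits, threshold=THRESHOLD):
    """Return the iptables commands that would drop each source at or
    above the threshold. They are returned, not executed, so an operator
    can review them before anything changes on the firewall."""
    return [f"iptables -I INPUT -s {src} -j DROP"
            for src, n in sorted(hits.items()) if n >= threshold]


# Constructed sample lines in netfilter LOG format; the addresses come
# from the RFC 5737 documentation ranges and identify no real host.
SAMPLE_LOG = [
    "Aug  3 10:01:41 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=4001 DPT=33575 SYN",
    "Aug  3 10:01:43 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=4002 DPT=33575 SYN",
    "Aug  3 10:01:44 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=5100 DPT=80 SYN",
    "Aug  3 10:01:46 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=4003 DPT=33575 SYN",
    "Aug  3 10:01:50 gw kernel: IN=eth0 OUT= SRC=198.51.100.50 DST=198.51.100.2 PROTO=TCP SPT=6000 DPT=135 SYN",
    "Aug  3 10:01:51 gw kernel: IN=eth0 OUT= SRC=198.51.100.50 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0",
    "Aug  3 10:01:55 gw kernel: IN=eth0 OUT= SRC=198.51.100.50 DST=198.51.100.2 PROTO=TCP SPT=6001 DPT=1433 SYN",
]

if __name__ == "__main__":
    for rule in block_rules(count_probes(SAMPLE_LOG)):
        print(rule)
```

A single SYN can carry a forged source address, so a raw count like this can be made to block an address you actually depend on; a higher threshold and an expiry on the generated rule are the usual guards.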