[plug] Active response IDSs?

bob bob at fots.org.au
Sat Aug 3 11:01:41 WST 2002


On Sat, 2002-08-03 at 02:10, Craig Ringer wrote:
> bob wrote:
> 
> >Anyone have anything they care to share regarding active response IDSs?
> >I seem to be being hammered a bit at the moment and was wondering if
> >there was anything decent in the way of IDS responses.
> >
> Portsentry is the only one I've personally tried, but I ended up 
> ditching it in favour of a passive setup of paranoid iptables blocks and 
> logging. I was running it on a firewall, though, where its usefulness is 
> questionable (if you're running no services and dropping all unrequested 
> packets from the outside world, what good does an active response IDS do 
> you?) Perhaps there's something I'm missing, but portsentry wouldn't 
> even get the packets on a firewall configured to drop external incoming 
> traffic not associated with an (internally initiated) connection, would it?

Ok, this is probably just me being paranoid, but if "they" are sniffing
around on random ports I figure they're looking for 'sploits. What I was
hoping to find was something like... IP# sniffs at blocked port# that is
a known hole, IDS takes note of that being logged and adds an iptables rule
that drops IP# period. That way they don't get to try stuff on ports
that are open... though, thinking about it, if an evil h4><3r has a brand
new 'sploit for, say, apache, they're going to go straight for the kill and
not poot around poking ports :( so they skirt the whole drop IP# thing.

Speaking of "they" I'm about ready to drop all of ifrance.com just on
principle.

<accent="loud tourist">
Relay est vou ici, NON!
</accent>
 
> Oh yeah, I know bugger all about internet security, IDSes, etc so this 
> is purely personal experience etc.
> 
> >And what are they looking for on port 33575?
> >
> http://www.google.com/search?q=port+33357
> #1 result:
> Auld Holland Inn *33575* Hwy 20 Oak Harbor
> 
> hmm... no go from google *grin*
> Perhaps it's a misconfigured tool or maybe a port pulled out of a hat 
> that the source is using on the assumption that it's _not_ special, say 
> to check how/if the host firewalls high ports w/o listening servers? 
> just guessing here, knowledge of this specific case == nil. Hell, maybe 
> it's a type^Ho.

Well, they were pretty insistent: a couple of hundred attempts over 3 hrs
or so. I thought it might be some back orifice type of thing. I checked
google as well and came up empty... Something weird :).
 
> Umm... on that note I think it's time to go to bed - been up too late 
> playing with my new DVD-ROM and TV-Out stuff *grin*...

Mmmm... toys :)

-- 
bob
Cave canem...te necet lingendo.
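The mechanism bob sketches above (a probe at a closed, "known hole" port gets logged, and a responder turns the log entry into an iptables DROP for that source) can be written as a small log reader. The script below is an added example for this thread, not code posted by bob or Craig. It assumes a hypothetical iptables rule of the form `iptables -A INPUT -p tcp --dport 33575 -j LOG --log-prefix "PROBE: "` feeding the kernel log, and the sample log lines, addresses, watched-port list, threshold and never-block networks are all constructed for the demonstration. Because the LOG target sees the packet before a later DROP rule discards it, this reads the probes that Craig notes portsentry would never receive on a firewall that drops unsolicited traffic. The script only renders the iptables commands rather than executing them, and it never blocks sources inside an exempt list, since the source address of a bare SYN is trivially forgeable and an auto-blocker that trusts it blindly can be used to lock out your own hosts. It also cannot help with the case bob points out: an attacker who goes straight for an open service never touches the watched ports.

```python
import ipaddress
import re
from collections import Counter

# The iptables LOG target writes "SRC=... DST=... PROTO=... SPT=... DPT=..."
# as key=value fields; these are the only ones the responder needs.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

# Constructed, abbreviated kernel log: a burst of SYNs at an unused port
# (logged with the hypothetical prefix "PROBE: "), one unrelated hit at
# port 80, and one sshd line the parser must ignore.  All addresses are
# documentation/private ranges invented for this example.
SAMPLE_LOG = """\
Aug  3 10:12:01 gw kernel: PROBE: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=4023 DPT=33575 SYN
Aug  3 10:12:04 gw kernel: PROBE: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=4024 DPT=33575 SYN
Aug  3 10:12:09 gw kernel: PROBE: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=51002 DPT=33575 SYN
Aug  3 10:12:15 gw kernel: PROBE: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=4025 DPT=33575 SYN
Aug  3 10:12:20 gw kernel: PROBE: IN=eth0 OUT= SRC=192.168.1.20 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3300 DPT=33575 SYN
Aug  3 10:12:21 gw kernel: PROBE: IN=eth0 OUT= SRC=192.168.1.20 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3301 DPT=33575 SYN
Aug  3 10:12:22 gw kernel: PROBE: IN=eth0 OUT= SRC=192.168.1.20 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3302 DPT=33575 SYN
Aug  3 10:12:30 gw kernel: PROBE: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=7000 DPT=80 SYN
Aug  3 10:12:31 gw sshd[412]: Accepted publickey for bob from 192.168.1.20
"""


def parse_probe(line):
    """Return (src, proto, dport) for an iptables LOG line, or None for any other line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return m.group("src"), m.group("proto"), int(m.group("dpt"))


def plan_blocks(log_text, watched_ports, threshold, never_block):
    """Count probes per source at the watched (closed) ports and decide whom to drop.

    A source is blocked once it reaches `threshold` hits.  Sources inside any
    `never_block` network are reported under "exempt" instead of "blocked":
    the SYN source address is forgeable, so the exempt list is what keeps a
    forged probe from knocking your own hosts off the firewall.
    """
    never = [ipaddress.ip_network(n) for n in never_block]
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_probe(line)
        if parsed is None:
            continue
        src, _proto, dport = parsed
        if dport in watched_ports:
            hits[src] += 1

    blocked, exempt = [], []
    for src, count in sorted(hits.items()):
        if count < threshold:
            continue
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in never):
            exempt.append(src)
        else:
            blocked.append(src)
    return {"hits": dict(hits), "blocked": blocked, "exempt": exempt}


def iptables_commands(blocked):
    """Render one DROP rule per source, inserted at the top of INPUT so it
    takes precedence over any later ACCEPT rules."""
    return [f"iptables -I INPUT 1 -s {src} -j DROP" for src in blocked]


if __name__ == "__main__":
    plan = plan_blocks(SAMPLE_LOG, watched_ports={33575}, threshold=3,
                       never_block=["192.168.1.0/24", "127.0.0.0/8"])
    for cmd in iptables_commands(plan["blocked"]):
        print(cmd)  # printed only; a live responder would execute it
    print("exempt (hit the threshold but never blocked):", plan["exempt"])
```

On the sample input this blocks 203.0.113.45 (three probes at 33575), leaves 198.51.100.7 alone (one probe), ignores the hit at port 80 because it is not a watched port, and reports 192.168.1.20 as exempt rather than blocking it. Run over a real log it would be driven by `tail -f` on the kernel log or syslog, and the watched-port list should contain only ports with nothing listening, since traffic to open services is not evidence of probing.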


