Re: portsentry's stealth mode - works under fBSD with ipf?

From: Krzysztof Zaraska (kzaraska@student.uci.agh.edu.pl)
Date: 09/15/01


Date: Sat, 15 Sep 2001 16:16:26 +0200 (CEST)
From: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To: D J Hawkey Jr <hawkeyd@visi.com>

On Sat, 15 Sep 2001, D J Hawkey Jr wrote:

In some article regarding the use of portsentry on FreeBSD it was also said
that stealth mode works only under Linux. It may be because the raw sockets
code may be unportable (I read this yesterday in raw(7) on Linux).

> By way of further explanation, the cron'd script analyzes the read in
> log entries for blocked source IPs that either hit on the box a smallish
> number of times, each hit within a defined frequency (port scans and DOS
> attempts), or hit on the box at all a larger number of times (for more
> general idiocies).
There's an add-on for snort, called Guardian, that reads the alert log file
in tail -f style (every 1 second IIRC) and updates the firewall ruleset. I'm
not sure if it supports ipf right now, but it should be easily hackable (it's
a Perl script).

Personally, I'd rather use snort than portsentry, since it is a more
flexible and powerful solution. And it can detect "stealth" port
scans under FreeBSD (verified personally). Based on your description, I
think it would suit your needs. See http://www.snort.org/

Regards,
Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
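The two blocking rules sketched in the quoted message (block a source that hits a smallish number of times within a short window, or a larger number of times at all) and the "read the log, emit firewall rules" loop that Guardian automates are simple enough to show end to end. The script below is an added example written for this page; it is not code from the thread, from portsentry, snort or Guardian. The one-line-per-blocked-packet log format it parses is a constructed, simplified one rather than real ipmon(8) output, the thresholds (5 hits in 10 seconds, or 20 hits total) and the interface name fxp0 are assumptions, and the generated rules use ipf's `block in quick on <iface> from <src> to any` syntax.

```python
#!/usr/bin/env python3
"""Threshold-based log-to-firewall blocker, in the spirit of the cron'd
script described in the thread.  Added example; not from the thread,
portsentry, snort or Guardian.

The log format below is CONSTRUCTED and simplified (one blocked packet per
line), not real ipmon(8) output.  Adapt parse_line() to your own log.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Tunables mirroring the two rules in the thread.  Values are assumptions.
BURST_HITS = 5                        # "smallish number of times" ...
BURST_WINDOW = timedelta(seconds=10)  # ... "each hit within a defined frequency"
TOTAL_HITS = 20                       # "hit on the box at all a larger number of times"

# Constructed format: "YYYY-MM-DD HH:MM:SS block SRC,SPORT -> DST,DPORT"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) block "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}),\d+ -> \S+,\d+$"
)


def parse_line(line):
    """Return (timestamp, source ip) for a block record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("src")


def find_offenders(lines, burst_hits=BURST_HITS, burst_window=BURST_WINDOW,
                   total_hits=TOTAL_HITS):
    """Map source ip -> reason ("burst" or "volume") for sources that trip a rule."""
    hits = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # non-block records and junk are ignored, not fatal
        ts, src = parsed
        hits.setdefault(src, []).append(ts)

    offenders = {}
    for src, stamps in hits.items():
        stamps.sort()  # log order need not be chronological
        if len(stamps) >= total_hits:
            offenders[src] = "volume"
            continue
        # Sliding window: any burst_hits consecutive hits inside burst_window.
        for i in range(len(stamps) - burst_hits + 1):
            if stamps[i + burst_hits - 1] - stamps[i] <= burst_window:
                offenders[src] = "burst"
                break
    return offenders


def ipf_block_rules(offenders, iface="fxp0"):
    """Render one ipf rule per offender; 'quick' stops further rule evaluation.
    The interface name is an assumption for the example."""
    return [f"block in quick on {iface} from {src} to any"
            for src in sorted(offenders, key=ipaddress.ip_address)]


def build_sample_log():
    """CONSTRUCTED sample log: a port scan, a slow hammering, and a benign host."""
    base = datetime(2001, 9, 15, 16, 16, 26)

    def rec(t, src, dport):
        return f"{t:%Y-%m-%d %H:%M:%S} block {src},40000 -> 192.0.2.1,{dport}"

    lines = []
    # 10.0.0.5: six ports in six seconds -> caught by the burst rule
    for i, dport in enumerate((21, 22, 23, 25, 80, 110)):
        lines.append(rec(base + timedelta(seconds=i), "10.0.0.5", dport))
    # 10.0.0.6: 22 hits on port 80, three minutes apart -> caught by the volume rule
    for i in range(22):
        lines.append(rec(base + timedelta(minutes=3 * i), "10.0.0.6", 80))
    # 10.0.0.7: three stray hits an hour apart -> below both thresholds, not blocked
    for i in range(3):
        lines.append(rec(base + timedelta(hours=i), "10.0.0.7", 22))
    lines.append("this line is not a block record and is skipped")
    return lines


if __name__ == "__main__":
    for rule in ipf_block_rules(find_offenders(build_sample_log())):
        print(rule)
```

Run from cron, the rules it prints would be fed to ipf (and the log offset remembered so the same hits are not counted twice); a tail -f style daemon like Guardian does the same thing continuously instead of once per cron interval.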