Re: Scan of TCP 552-554
From: Chris Shepherd (chriss_at_whstuart.com)
Date: 07/31/03
- Previous message: Stuart: "RE: Exploit for Windows RPC may be in the wild!"
- In reply to: Rodrigo Barbosa: "Re: Scan of TCP 552-554"
- Next in thread: Rodrigo Barbosa: "Re: Scan of TCP 552-554"
- Reply: Rodrigo Barbosa: "Re: Scan of TCP 552-554"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 31 Jul 2003 08:42:27 -0400
To: Rodrigo Barbosa <rodrigob@suespammers.org>
Quoting Rodrigo Barbosa <rodrigob@suespammers.org>:
> You are right, of course. The thing I'm attempting is to make them
> hit my traps faster, so I can react faster. And, as I said, I don't
> think we should use the same method everywhere. Sometimes I use
> DROP, sometimes I use tcp-reset and sometimes, icmp-replies.
>
> As far as I got from this discussion, every method is about as good
> as the other. All have advantages and problems. The real question is
> how to balance them all to have the most benefits of each one of them.
> Care to comment on this one?
In this case, it may make sense to keep your traps on a honeypot box. I'm having
a bit of a difficult time understanding exactly what you mean by 'hit my traps
faster, so I can react faster'. React how? What would your reaction to a port
scan be? If you cite an example, I'll probably have a much clearer idea about
what kinds of traps you're talking about. :)
-- Chris Shepherd