[techtalk] Better snort/logcheck reporting - portsentry

Erin Clarke blue at web.net
Sun Apr 22 19:53:58 EST 2001


On Sat, Apr 21, 2001 at 11:43:19PM -0700, Nicole Zimmerman wrote:
> You might also check out 'portsentry': it looks for port scans on specific
> ports so you don't have to get all of the other traffic as well. Snort is
> good for all around stuff.

portsentry is great, not least because it's free...

http://www.psionic.com/abacus/portsentry/

It is easy to install, configure and run. I like to
set it up to create a 'blackhole' route for any IP
address that is the source of a scan. It can also be
configured to send email and to run whatever scripts
and programs of your choosing when whatever scanning
activity is detected (the use of retaliatory scripts
and programs is, of course, discouraged).

It also works well with a firewall, and was, in fact,
designed to do just that.

We use it at work, too, and it's quite amusing when a
*customer* calls up wondering why they can't get to
their website and they are asked if they have port
scanned the machine their site is on. [=^J

Erin  8)