[techtalk] Better snort/logcheck reporting - portsentry

Erin Clarke blue at web.net
Sun Apr 22 20:51:29 EST 2001


On Sun, Apr 22, 2001 at 08:35:47PM -0400, Kath wrote:
> Will portsentry automatically add the blackhole route?

If you configure it to, yes. It is an 
option in the config file. 

> I'd rather manually add it, because sometimes I run portscans and even
> attacks on my own machines to check for vulnerabilities.

You can just have portsentry email you 
instead and you can add the routes 
yourself, or you can just disable that 
feature when you do your own port scans.
It's as simple as commenting it out in
the config file...

> Also, are there any security mailing lists I should be on?  I just signed up
> for the Debian security announcements and discussion list.

I highly recommend bugtraq
http://www.securityfocus.com/

and CERT
http://www.cert.org/

as well as any related to your OS and 
important server software.

Erin  8)

> ----- Original Message -----
> From: "Erin Clarke" <blue at web.net>
> 
> 
>>On Sat, Apr 21, 2001 at 11:43:19PM -0700, Nicole Zimmerman wrote:
>>> You might also check out 'portsentry': it looks for port scans on specific
>>> ports so you don't have to get all of the other traffic as well. Snort is
>>
>>portsentry is great, not least because it's free...
>>
>>http://www.psionic.com/abacus/portsentry/
>>
>>It is easy to install, configure and run. I like to
>>set it up to create a 'blackhole' route for any IP
>>address that is the source of a scan. It can also be
>>configured to send email and to run whatever scripts
>>and programs of your choosing when whatever scanning
>>activity is detected (the use of retaliatory scripts
>>and programs is, of course, discouraged).
>>
>>It also works well with a firewall, was, in fact,
>>designed to do just that.
>>
>>We use it at work, too, and it's quite amusing when a
>>*customer* calls up wondering why they can't get to
>>their website and they are asked if they have port
>>scanned the machine their site is on. [=^J
>>
>>Erin  8)



