From owner-freebsd-security Sat Sep 15 7:18: 6 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id B89E837B409 for ; Sat, 15 Sep 2001 07:17:59 -0700 (PDT)
Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id B80F21D14; Sat, 15 Sep 2001 16:16:28 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 25724552A; Sat, 15 Sep 2001 16:16:27 +0200 (CEST)
Date: Sat, 15 Sep 2001 16:16:26 +0200 (CEST)
From: Krzysztof Zaraska
X-Sender: kzaraska@lhotse.zaraska.dhs.org
To: D J Hawkey Jr
Cc: security at FreeBSD
Subject: Re: portsentry's stealth mode - works under fBSD with ipf?
In-Reply-To: <20010915080246.A67204@sheol.localdomain>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sat, 15 Sep 2001, D J Hawkey Jr wrote:

In some article regarding usage of portsentry on FreeBSD it was also said that stealth mode works only under Linux. It may be because of the fact that raw sockets code may be unportable (I read this yesterday in raw(7) on Linux).

> By way of further explanation, the cron'd script analyzes the read-in
> log entries for blocked source IPs that either hit on the box a smallish
> number of times, each hit within a defined frequency (port scans and DOS
> attempts), or hit on the box at all a larger number of times (for more
> general idiocies).

There's an add-on for snort, called Guardian, that reads the alert log file in tail -f style (every 1 second IIRC) and updates the firewall ruleset. I'm not sure if it supports ipf right now but it should be easily hackable (it's a Perl script).

Personally, I'd rather use snort than portsentry since this is a more flexible and powerful solution. And it can detect "stealth" port scans under FreeBSD (verified personally). Based on your description I think it would suit your needs. See http://www.snort.org/

Regards,
Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
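The two thresholds the quoted reply describes (a small number of hits within a defined frequency, or a larger number of hits at all) and the Guardian-style step of turning matches into firewall rules, written out as an added example. This is illustration code, not the cron'd script, Guardian, or anything from portsentry or snort; the log line shape approximates ipmon(8) blocked-packet records and is an assumption, the sample lines are constructed, and the generated `block in quick` rules are rendered as text rather than loaded into ipf.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape, loosely modelled on ipmon(8) output ('b' = blocked).
# This is an approximation for the example, not a format taken from the post.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2})\.\d+ "
    r"\S+ @\S+ b (?P<src>\d{1,3}(?:\.\d{1,3}){3}),\d+ -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}),(?P<dport>\d+) "
)


def fmt_line(ts, src, dport):
    """Build one constructed blocked-packet line (sample data only)."""
    return (f"{ts:%d/%m/%Y %H:%M:%S}.000000 fxp0 @0:1 b {src},40000 -> "
            f"192.0.2.10,{dport} PR tcp len 20 60 -S IN")


def make_sample_log():
    """Constructed sample: one fast scanner, one slow host, one noisy host."""
    t0 = datetime(2001, 9, 15, 16, 0, 0)
    lines = []
    # 10.0.0.5: six ports in three seconds, the "small number, high frequency" case
    for i in range(6):
        lines.append(fmt_line(t0 + timedelta(seconds=i // 2), "10.0.0.5", 21 + i))
    # 198.51.100.7: four hits spread over an hour, below both thresholds
    for i in range(4):
        lines.append(fmt_line(t0 + timedelta(minutes=15 * i), "198.51.100.7", 22))
    # 203.0.113.9: twenty-five hits ten minutes apart, the "large number at all" case
    for i in range(25):
        lines.append(fmt_line(t0 + timedelta(minutes=10 * i), "203.0.113.9", 80))
    # A passed ('p') record: not a block, so the parser must skip it
    lines.append("15/09/2001 16:05:00.000000 fxp0 @0:2 p 10.0.0.99,123 -> "
                 "192.0.2.10,22 PR tcp len 20 60 -S IN")
    return "\n".join(lines)


def parse_blocked(text):
    """Yield (timestamp, source IP) for every blocked-packet line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a block record, or a record type we do not score
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S")
        yield ts, m["src"]


def find_offenders(events, burst_hits=5, burst_window=timedelta(seconds=10),
                   volume_hits=20):
    """Apply the two rules from the thread; returns {src_ip: reason}."""
    per_src = defaultdict(list)
    for ts, src in events:
        per_src[src].append(ts)
    offenders = {}
    for src, times in per_src.items():
        times.sort()
        # Rule 1 (burst): any burst_hits consecutive hits inside burst_window
        burst = any(times[i + burst_hits - 1] - times[i] <= burst_window
                    for i in range(len(times) - burst_hits + 1))
        if burst:
            offenders[src] = "burst"
        # Rule 2 (volume): total hits at or above volume_hits, whatever the spacing
        elif len(times) >= volume_hits:
            offenders[src] = "volume"
    return offenders


def ipf_block_rules(offenders):
    """Render one ipf 'block in quick' rule per offender (assumed rule syntax)."""
    return [f"block in quick from {src}/32 to any   # {why}"
            for src, why in sorted(offenders.items())]


if __name__ == "__main__":
    found = find_offenders(parse_blocked(make_sample_log()))
    print("\n".join(ipf_block_rules(found)))
```

Running the sample flags 10.0.0.5 under the burst rule and 203.0.113.9 under the volume rule while leaving 198.51.100.7 alone; a real deployment would feed `parse_blocked` from a tail of the live log and hand the rendered rules to ipf rather than printing them, and would want an expiry for entries so a spoofed source cannot lock out a legitimate address indefinitely.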