13th March 2014
sparky

Quote:
There is no "stealth" mode on the Internet, regardless of what you may have read -- all ports for all IP addresses are scanned constantly. This is the world we live in.
Dang.... they can make stealth aircraft but not networks :-( (though I think the F117s got phased out because people managed to detect them....)


Quote:
You cannot stop scanning from happening. You can only stop your IDS from seeing the scans or screaming about them.
Yeah.... I guess I'll just have to do that.

Quote:
In my case, as I noted above, due to block return rules, TCP scans to "closed" ports will receive an RST packet. I'm nice, that way. Mostly, because I want remote applications to be able to act on a connection failure immediately, and not undergo timeout handling, which I consider rude.
I set my PF rules up that way too.....


Actually this all came about as I was trying to integrate Snort into the network. Having tested it for a while I started to see a pattern of "false positives" so I'm currently in the 'tweaking' stage to get what I need out of it.

Though it's quite scary to see Snort reporting "Trojan-activity" or "Web application attack".... need to do more reading and more looking at tcpdump/wireshark output.