Re: Scan of TCP 552-554

• Previous message: Stuart: "RE: Exploit for Windows RPC may be in the wild!"
• In reply to: Rodrigo Barbosa: "Re: Scan of TCP 552-554"
• Next in thread: Rodrigo Barbosa: "Re: Scan of TCP 552-554"
• Next in thread: Nick Nauwelaerts: "RE: Scan of TCP 552-554"
• Reply: Rodrigo Barbosa: "Re: Scan of TCP 552-554"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Quoting Rodrigo Barbosa <rodrigobat_private>:
> You are right, of course. The thing I'm attempting is to make them
> hit my traps faster, so I can react faster. And, as I said, I don't
> think we should use the same method everywhere. Sametime I use
> DROP, sometimes I use tcp-reset and sometimes, icmp-replies.
>
> As far as I got from this discussion, every method is about as good
> as the other. All have advantages and problems. The real question is
> how to balance them all to have the most benefits of each one of them.
> Care to comment on this one ?

In this case, it may make sense to keep your traps on a honeypot box. I'm having
a bit of a difficult time understanding exactly what you mean by 'hit my traps
faster, so I can react faster'. React how? What would your reaction to a port
scan be? If you cite an example, I'll probably have a much clearer idea about
what kinds of traps you're talking about. :)

--
Chris Shepherd



---------------------------------------------------------------------------
----------------------------------------------------------------------------

• Next message: Sam Baskinger: "Re: Command Line RPC vulnerability scanner?"
• Previous message: Stuart: "RE: Exploit for Windows RPC may be in the wild!"
• In reply to: Rodrigo Barbosa: "Re: Scan of TCP 552-554"
• Next in thread: Rodrigo Barbosa: "Re: Scan of TCP 552-554"
• Next in thread: Nick Nauwelaerts: "RE: Scan of TCP 552-554"
• Reply: Rodrigo Barbosa: "Re: Scan of TCP 552-554"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 31 2003 - 07:54:54 PDT