> Lemme do some diet-quoting here.
>
> You are right, of course. The thing I'm attempting is to make them
> hit my traps faster, so I can react faster. And, as I said, I don't
> think we should use the same method everywhere. Sometimes I use
> DROP, sometimes I use tcp-reset and sometimes, icmp-replies.

How about ACCEPT? Now you, too, can appear to have 65536 opened ports!
[http://www.sf.net/projects/protowatch/]

Obviously, this is serious honeypot-only material. Use this only on a
dedicated machine. Said machine can be easily DoSed.

It will also allow you to see really neat stuff. It found a compromised
machine at my school spewing out packets *immediately*; just took me 2
extra hours to wake up. And then it took IT the better part of a week to
pull the plug.

Also, lots of the log entries are from compromised machines. Please be
nice and email the owners.

Justin
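The point of the traps in the exchange above is to notice a probing or compromised host quickly and to know whom to notify. As an added example (not from this thread and not part of protowatch), the Python script below triages netfilter LOG lines of the kind such trap rules produce: it parses each line and ranks source addresses by how many distinct trap ports they touch within a short window, which separates a host sweeping ports from one that merely brushed a single trap. The `TRAP:` log prefix, the hostname, the year and all addresses are constructed for the example.

```python
"""Triage of netfilter LOG lines from firewall trap rules.

Added example, not code from the thread or from protowatch. It assumes the
trap rules log with --log-prefix "TRAP: " and that lines arrive in the usual
syslog form, which carries no year (LOG_YEAR is assumed when parsing).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2003  # assumed: syslog timestamps carry no year

# Constructed sample lines: one host sweeps four trap ports in seconds, one
# touches two ports minutes apart, one retries a single port, plus noise.
SAMPLE_LOG = """\
Jul 30 02:11:05 hp kernel: TRAP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4123 DPT=22 SYN
Jul 30 02:11:05 hp kernel: TRAP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4124 DPT=23 SYN
Jul 30 02:11:06 hp kernel: TRAP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4125 DPT=80 SYN
Jul 30 02:11:09 hp kernel: TRAP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4126 DPT=443 SYN
Jul 30 02:12:40 hp kernel: TRAP: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80 SYN
Jul 30 02:17:55 hp kernel: TRAP: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=22 SYN
Jul 30 02:20:01 hp kernel: TRAP: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=3300 DPT=25 SYN
Jul 30 02:20:02 hp kernel: TRAP: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=3301 DPT=25 SYN
Jul 30 02:20:03 hp kernel: some unrelated kernel message without a TRAP prefix
"""

# Syslog header, the assumed "TRAP: " prefix, then the SRC/PROTO/DPT fields
# the netfilter LOG target writes in that order.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ kernel: TRAP: "
    r".*?SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log_line(line, year=LOG_YEAR):
    """Return (timestamp, src, proto, dport) for a trap line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return ts, m["src"], m["proto"], int(m["dpt"])


def scan_sources(lines, min_ports=3, window=timedelta(seconds=60)):
    """Map each source that hit at least min_ports distinct trap ports inside
    any `window`-long interval to the largest such count (its peak sweep)."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_log_line(line)
        if parsed:
            ts, src, _proto, dport = parsed
            events[src].append((ts, dport))

    flagged = {}
    for src, hits in events.items():
        hits.sort()  # chronological; lets a sliding window run in one pass
        best, j = 0, 0
        for i in range(len(hits)):
            # Advance j to the first hit that falls outside the window
            # opening at hits[i]; j never moves backwards because hits are sorted.
            while j < len(hits) and hits[j][0] - hits[i][0] <= window:
                j += 1
            best = max(best, len({dport for _, dport in hits[i:j]}))
        if best >= min_ports:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    # Sources worth a closer look (and an email to the owner), busiest first.
    for src, ports in sorted(scan_sources(SAMPLE_LOG.splitlines()).items(),
                             key=lambda kv: -kv[1]):
        print(f"{src}: {ports} distinct trap ports within 60s")
```

Run against a real `/var/log/kern.log` (or the output of `journalctl -k`) instead of `SAMPLE_LOG`, and widen or shorten `window` to match how slowly the hosts you see sweep; a host that only ever retries one port stays below `min_ports` and is left out of the notification list.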
This archive was generated by hypermail 2b30 : Thu Jul 31 2003 - 13:39:10 PDT