On Thu, Jul 31, 2003 at 08:42:27AM -0400, Chris Shepherd wrote:
> Quoting Rodrigo Barbosa <rodrigobat_private>:
> > You are right, of course. The thing I'm attempting is to make them
> > hit my traps faster, so I can react faster. And, as I said, I don't
> > think we should use the same method everywhere. Sometimes I use
> > DROP, sometimes I use tcp-reset and sometimes, icmp-replies.
> >
> > As far as I got from this discussion, every method is about as good
> > as the other. All have advantages and problems. The real question is
> > how to balance them all to have the most benefits of each one of them.
> > Care to comment on this one?
>
> In this case, it may make sense to keep your traps on a honeypot box. I'm having
> a bit of a difficult time understanding exactly what you mean by 'hit my traps
> faster, so I can react faster'. React how? What would your reaction to a port
> scan be? If you cite an example, I'll probably have a much clearer idea about
> what kinds of traps you're talking about. :)

Errr, filter the address or network on the border router? That is
one. Contacting the admin of the network about the scan is another.

[]s

--
Rodrigo Barbosa <rodrigobat_private>
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
This archive was generated by hypermail 2b30 : Thu Jul 31 2003 - 13:43:21 PDT