 From:  "Tracy Phillips" <tracy dot phillips at weberize dot com>
 To:  "'Christiaens Joachim'" <jchristi at oce dot be>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] PorSentry Feedback
 Date:  Thu, 23 Oct 2003 08:11:52 -0500
I have portsentry working... or at least I blocked myself out when I ran a
portscan :-)

Of course since there is no permanent file system (other than the floppy)
changes are lost once you reboot (which is not a bad thing sometimes).

I wonder how it would be to symlink the files to the floppy? Hmmmm. That may
have to come later as I am thinking of putting a Prelude sensor on next.


-----Original Message-----
From: Christiaens Joachim [mailto:jchristi at oce dot be] 
Sent: Thursday, October 23, 2003 4:01 AM
To: 'Tracy Phillips'; m0n0wall at lists dot m0n0 dot ch

A Yes from me!

I used the logsentry product (which is in fact nothing but a shell script)
for a long time, and was pleased with it.

It would be a great addition for m0n0wall.


-----Original Message-----
From: Tracy Phillips [mailto:tracy dot phillips at weberize dot com]
Sent: Wednesday, 22 October 2003 18:15
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] PorSentry Feedback



I would like to know what the list would think about implementing portsentry
into m0n0wall?




Psionic was purchased by Cisco so the link referenced in the article above
will lead you to Cisco.


This is from the readme of portsentry:


PortSentry is part of the Abacus Project suite of tools. The Abacus
Project is an initiative to release low-maintenance, generic, and reliable
host based intrusion detection software to the Internet community. More
information can be obtained from http://www.psionic.com.

PortSentry has a number of options to detect port scans, when it finds one
it can react in the following ways:

            - A log indicating the incident is made via syslog()
            - The target host is automatically dropped into /etc/hosts.deny
              for TCP Wrappers
            - The local host is automatically re-configured to route all
              traffic to the target to a dead host to make the target system
            - The local host is automatically re-configured to drop all
              packets from the target via a local packet filter.

The purpose of this is to give an admin a heads up that their host is
being probed. There are similar programs that do this already (klaxon,
etc.) We have added a little twist to the whole idea (auto-blocking), plus
extensive support for stealth scan detection.




I think this would be a great tool to be implemented on a firewall
(obviously Cisco does as well). It's a fairly lightweight program so it
should not take up much room.


I would like to get some feedback on the subject



Tracy Phillips

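Added example, not part of the thread and not PortSentry's own code: a Python illustration of the detect-then-block behaviour the README excerpt describes, producing TCP Wrappers deny rules, with an allowlist so that a scan run from the admin's own network does not lock the admin out. The log format, the threshold and window values, the allowlisted network and the function names are all assumptions made for this example.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample input: "<epoch-seconds> <source-ip> <dest-port>" per line.
# This log format is an assumption made for the example.
SAMPLE_LOG = """\
1066914000 192.0.2.50 21
1066914001 192.0.2.50 22
1066914001 192.0.2.50 23
1066914002 192.0.2.50 25
1066914002 10.0.0.5 22
1066914003 10.0.0.5 80
1066914003 10.0.0.5 443
1066914004 10.0.0.5 8080
1066914005 198.51.100.7 80
1066914300 198.51.100.7 443
not a log line
"""

def detect_scanners(log_text, threshold=4, window=10, allow=("10.0.0.0/8",)):
    """Return sources that hit >= threshold distinct ports within window seconds.

    Sources inside an `allow` network are never reported, so a scan run from
    the admin's own network cannot lock the admin out.
    """
    allowed = [ipaddress.ip_network(n) for n in allow]
    recent = defaultdict(deque)   # source -> deque of (time, port)
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts, src, port = int(parts[0]), ipaddress.ip_address(parts[1]), int(parts[2])
        except (IndexError, ValueError):
            continue              # skip malformed lines instead of crashing
        if any(src in net for net in allowed) or str(src) in flagged:
            continue
        hits = recent[src]
        hits.append((ts, port))
        while hits and ts - hits[0][0] > window:
            hits.popleft()        # drop probes that fell out of the window
        if len({p for _, p in hits}) >= threshold:
            flagged.append(str(src))
    return flagged

def hosts_deny_lines(sources):
    """Format flagged sources as TCP Wrappers deny rules for /etc/hosts.deny."""
    return [f"ALL: {s}" for s in sources]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(detect_scanners(SAMPLE_LOG))))
```

On a system without persistent storage, such as the floppy-booted setup discussed above, generated deny rules disappear at reboot unless they are written to the persistent medium.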