Message-Id: <3.0.5.32.19980717173424.008b13c0@stingray.ivision.co.uk>
Date: Fri, 17 Jul 1998 17:34:24 +0100
To: freebsd-security@FreeBSD.ORG
From: Manar Hussain
Subject: Re: Large-scale scan of SNMP ports

We'd certainly be interested in seeing ruleset ideas/snippets ... seems
silly to re-invent the wheel 100 times or miss out on good ideas ...

Manar

>> Two persons privately expressed interest in a copy of the rc.firewall script
>> that I used (which picked up the scan). It's not anything overly great, but
>> it's well-commented and works for me.
>>
>> If there's any general interest from other users I'll post it to this list
>> (assuming that's the 'done thing').
>>
>> -- Chris
>> Hallam Oaks P/L
>
>I've been building up my own ruleset. So far I'm not blocking much of
>anything, just categorising traffic and when I'm ready I'll start changing
>some of the 'accept's to 'deny's. The final line in my ruleset logs
>anything not picked up by the other rules. I've been surprised at just
>how much scanning goes on.
>
>I'd be interested to see other people's scripts to the extent that they
>give me a better understanding of how to identify the various traffic I
>see. Could be that there should be some docs on the freebsd site on the
>subject. Maybe it's a multi-platform thing and belongs elsewhere.
>Probably it exists elsewhere. Probably it wouldn't have been any help
>when I got to wondering about that probe for a battle.net server, but it
>might have saved me some time in recognising the pattern of a traceroute.