
Thread: Blocking messengers

  1. #21
    Senior Member
    Join Date
    Feb 2002
    Posts
    177
    I know there's different options to achieve the same goal. That's not what I was asking. Either way, best bet is to block their logon servers I guess. Simplest anyway, and doesn't give me a headache.

    Thanks for all the replies though!

  2. #22
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    If you use a NIDS you can also create rules to look for the SYNs on the default port. This will catch the initial SYN against the (blocked) default port. Then you can take a womble down to the offending user's desk and slap the little ******* for contravening policy.

    Works for me......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #24
    Senior Member
    Join Date
    Feb 2002
    Posts
    177
    Hey Nebulus,

    I didn't know IDSs could block traffic as well. What IDS were you referring to? I might check out that option... then supplement that with Tiger Shark's idea.

    Thanks everyone!

  6. #26
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    I am wanting to say snort can do this (not 100% sure, haven't really tried to do this very often). When I stated this, I had ISS RealSecure in mind, but really I think that most modern NIDS have this capability. It isn't anything special really, it just sends a spoofed packet to the source and destination (pretending to be one or the other) and sends a reset. Both sides will think there was a communication or some other kind of error and drop the connection. If it is something you are not seeing very often it would be safe to do this, but if you were not careful and you set it up to do that on an event that is frequently triggered, you will wind up amplifying the amount of traffic (for every packet it triggers off of, it generates 2 packets to kill the connection) which could do more harm than just letting the event go without resetting the connection.

    Hope this helps,

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  8. #28
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    Just an FYI for those that didn't know: AIM does, in fact, allow you to search and connect on other ports. The other day, I tried connecting with the default port, and it would not allow me to contact the login server. Next, I went into the configuration - where you can change to go through a proxy and so on... Here, I found an option to scan for a port to connect through, and lo and behold, it connected over port 21! UGH!
    Opinions are like holes - everybody's got 'em.

    Smile
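Tiger Shark's "look for the SYNs on the default port" rule (#22) and the alternate-port behaviour reported in #28, worked together as an added Python example that is not code from anyone in this thread: it runs both checks over constructed connection records and only raises alerts, never resets. It assumes 5190 as the default AIM login port and the OSCAR FLAP framing (leading 0x2A byte, 1-byte channel, 2-byte sequence, 2-byte length); neither detail is stated in the thread.

```python
import struct

# Assumed default AIM/OSCAR login port; the thread never names it.
DEFAULT_AIM_PORT = 5190
# Assumed OSCAR FLAP framing: 0x2A ('*'), 1-byte channel, 2-byte sequence,
# 2-byte data length, all big-endian.
FLAP_MARKER = 0x2A
FLAP_CHANNELS = {1: "signon", 2: "snac", 3: "error", 4: "close", 5: "keepalive"}

# Constructed connection records: (src_ip, dst_port, tcp_flags, first payload bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", 5190, "S", b""),                                   # SYN to blocked port
    ("10.0.0.5", 5190, "S", b""),                                   # retry
    ("10.0.0.5", 21, "PA", bytes.fromhex("2a010001000400000001")),  # FLAP signon over 21
    ("10.0.0.9", 21, "PA", b"220 ftp ready\r\n"),                   # genuine FTP banner
    ("10.0.0.7", 443, "PA", b"\x16\x03\x01"),                        # TLS, not of interest
]

def is_syn_to_default_port(dport, flags):
    """The NIDS rule from the thread: a bare SYN (no ACK) aimed at the blocked default port."""
    return dport == DEFAULT_AIM_PORT and "S" in flags and "A" not in flags

def parse_flap(payload):
    """Return (channel_name, seq, length) if the payload opens like a FLAP frame, else None."""
    if len(payload) < 6 or payload[0] != FLAP_MARKER:
        return None
    channel, seq, length = struct.unpack("!BHH", payload[1:6])
    if channel not in FLAP_CHANNELS:
        return None
    # A signon frame carries protocol version 1 as its first four data bytes (when captured).
    if channel == 1 and len(payload) >= 10 and payload[6:10] != b"\x00\x00\x00\x01":
        return None
    return FLAP_CHANNELS[channel], seq, length

def classify(flows):
    """Run both checks; return source host -> list of findings. Alerts only, no resets sent."""
    findings = {}
    for src, dport, flags, payload in flows:
        if is_syn_to_default_port(dport, flags):
            findings.setdefault(src, []).append(f"SYN to blocked default port {dport}")
        flap = parse_flap(payload)
        if flap and dport != DEFAULT_AIM_PORT:
            findings.setdefault(src, []).append(f"OSCAR {flap[0]} frame on non-default port {dport}")
    return findings

def repeat_offenders(findings, threshold=2):
    """Hosts with at least `threshold` findings: the ones worth a walk to the desk."""
    return sorted(src for src, hits in findings.items() if len(hits) >= threshold)

if __name__ == "__main__":
    for src, hits in classify(SAMPLE_FLOWS).items():
        print(src, hits)
```

The payload check is what the port rule alone misses: a client that has hunted for an open port still speaks the same protocol on it.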

  10. #30
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Nebulus: No point in using the IDS to drop both sides of the connection, (Yes Snort will do this if the rule is written to do it and there is also a test facility that allows a message to be sent to the two machines I believe - I gotta look into that in a minute..... ), since the client will assume it is dropped at the firewall and allow the alternative connection to take place.

    I'm gonna take a look at the message thingy, test it and see what it does. Then I might add the message part to a rule for these chat proggies that will be received by the offending user telling them to quit or die...... . I'll see if it works and get back to you all.

    Pooh.....

    I use a custom version of snort that does not include flexresp therefore it doesn't recognize the react keyword and fails out on the rule....... Also, this used to send a message to the browser rather than a windows messaging message, (which would be real nice), so it is designed to limit web access more than anything else - shame really... I coulda had a lot of fun with my (L)users......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
