SnapGear 1.7.8 User Manual

Page 68


The list of monitored network ports can be freely edited. Several shortcut buttons also
provide pre-selected lists of services to monitor. The basic button installs a bare bones
selection of ports to monitor while still providing sufficient coverage to detect many
intruder scans. The standard option extends this coverage by introducing additional
monitored ports for early detection of intruder scans. The strict button installs a
comprehensive selection of ports to monitor and should be sufficient to detect most
scans.

The trigger count specifies the number of times a host is permitted to attempt to connect
to a monitored service before being blocked. This option only takes effect when one of
the previous blocking options is enabled. The trigger count value should be between 0
and 2 (0 represents immediate blocking of probing hosts). Larger settings permit more
attempts before blocking; although this allows an attacker more latitude, it reduces the
number of false positives.

The ignore list contains a list of host IP addresses which the IDB will ignore for detection
and blocking purposes. This list may be freely edited so trusted servers and hosts are not
blocked. The two addresses 0.0.0.0 and 127.0.0.1 cannot be removed from the ignore list
because they represent the IDB host.
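The trigger count and ignore list semantics described above, modelled in an added Python example (constructed for this page, not SnapGear's own IDB code). The monitored ports, the ignored host and the probe addresses are assumed sample values; the rule that the two IDB-host addresses cannot be removed is taken from the text.

```python
from collections import defaultdict

# Constructed model of the IDB settings described above, not SnapGear's own
# code. trigger_count is the number of attempts a host may make against
# monitored ports before it is blocked; 0 blocks on the first probe.
MANDATORY_IGNORE = {"0.0.0.0", "127.0.0.1"}  # these represent the IDB host


class IntrusionBlocker:
    def __init__(self, monitored_ports, trigger_count, ignore_list=()):
        if not 0 <= trigger_count <= 2:
            raise ValueError("trigger count must be between 0 and 2")
        self.monitored_ports = set(monitored_ports)
        self.trigger_count = trigger_count
        self.ignore_list = MANDATORY_IGNORE | set(ignore_list)
        self.attempts = defaultdict(int)  # probes counted per source host
        self.blocked = set()

    def remove_ignored(self, host):
        """Edit the ignore list; the two IDB-host addresses cannot be removed."""
        if host in MANDATORY_IGNORE:
            return False
        self.ignore_list.discard(host)
        return True

    def observe(self, src_host, dst_port):
        """Record one connection attempt; return True if src_host is blocked."""
        if src_host in self.blocked:
            return True
        if dst_port not in self.monitored_ports or src_host in self.ignore_list:
            return False
        self.attempts[src_host] += 1
        # trigger_count attempts are permitted; the next one blocks the host
        if self.attempts[src_host] > self.trigger_count:
            self.blocked.add(src_host)
            return True
        return False


def run_sample():
    """Replay constructed probe traffic (documentation addresses) through the model."""
    idb = IntrusionBlocker(monitored_ports={21, 23, 139, 445},
                           trigger_count=1, ignore_list={"192.0.2.10"})
    probes = [("198.51.100.7", 21), ("198.51.100.7", 23),
              ("192.0.2.10", 21), ("192.0.2.10", 23), ("192.0.2.10", 139),
              ("198.51.100.8", 80)]
    return [idb.observe(h, p) for h, p in probes], idb
```

With a trigger count of 1 the first probe from 198.51.100.7 is permitted and the second blocks it, while the ignored host and the probe to an unmonitored port never count.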

Warning

A word of caution regarding automatically blocking UDP requests. Because an attacker
can easily forge the source address of these requests, a host that automatically blocks
UDP probes can be tricked into restricting access from legitimate services. Proper firewall
rules and ignored hosts lists will significantly reduce this risk.

Firewall
