Security Basics mailing list archives

Re: [Security Basics] Portsentry and Snort


From: Dan DeVoe <ddevoe () zeus netset com>
Date: Fri, 9 May 2003 12:39:42 -0400 (EDT)

Snort and PortSentry serve two entirely different functions. The former is
a Network Intrusion Detection System; the latter is a port scan
detector/responder.

Snort, in my opinion, is primarily useful for sticking on a bridge in
front of the machines you're protecting. Custom patterns combined with
acidlab really does let one sleep better at night. The reason that I
prefer to use snort in a standalone configuration is mainly the curve
between CPU usage and network traffic. YMMV. Snort, though, is definitely
a useful tool.

PortSentry, in addition to apparently not being a supported, developed
product anymore, is of questionable value anyway. A decently strict,
logging iptables setup plus fwlogwatch[0] provides more functionality
(user-configurable response rather than simply throwing up a drop rule).
In addition, fwlogwatch can send out nightly (or another interval)
summary e-mails of logged packets, and generate HTML formatted pages of
the same data.

Should you decide to go with a logging firewall and fwlogwatch, I suggest
you look into ulogd[1] so that you don't clutter your /var/log/messages.

[0]: http://cert.uni-stuttgart.de/projects/fwlogwatch/
[1]: http://gnumonks.org/projects/ulogd

-- 
 Dan DeVoe, System Administrator        | http://www.netset.com
 Ohio NetSet Enterprises, Inc.          | (614) 527-9111
****************************************************************
 -* Opinions herein are the author's and are not necessarily *-
 -* shared by his employer, though they certainly should be. *-
****************************************************************

On Thu, 8 May 2003, sjm wrote:

Date: Thu, 08 May 2003 10:57:32 -0400
From: sjm <sjm () porter acadaff appstate edu>
To: security-basics () securityfocus com
Subject: [Security Basics] Portsentry and Snort

Should I install both portsentry and snort on my server?  I have read so many
articles that praise one and knock the other that I don't know what to do.

Thanks for your time,

/*-----------------------------*\
|                               |
|    Steve McKinney             |
|    ARDI - Web Programmer      |
|    sjm () porter appstate edu    |
|    (828) 262-6553             |
|                               |
\*-----------------------------*/
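Dan's suggested replacement for PortSentry, a logging iptables ruleset plus a watcher such as fwlogwatch, in miniature. The script below is an added example written for this archive page; it is not code from the thread, from fwlogwatch or from ulogd. It assumes a rule such as 'iptables -A INPUT -j LOG --log-prefix "FW-DROP: "' sits just before the final DROP, so every rejected packet lands in the kernel log in the usual key=value form. The sample log lines, the FW-DROP prefix, the hosts and the five-port scan threshold are all constructed for the example. It parses those lines, builds the per-source summary a nightly report would carry, and shows the point Dan makes about response: the action taken against a source that probes several closed ports is a plain function the operator picks (notify only, or emit the blocking rule), rather than a DROP rule thrown up automatically.

```python
"""Minimal fwlogwatch-style watcher for iptables LOG lines (added example, not the thread's code)."""
import re
from collections import defaultdict

LOG_PREFIX = "FW-DROP: "   # assumed --log-prefix of the LOG rule in front of the final DROP

# Constructed kernel log lines in the format the iptables LOG target writes.
# Hosts, timestamps and the trailing non-firewall line are made up for the example.
SAMPLE_LOG = """\
May  9 12:01:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
May  9 12:01:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
May  9 12:01:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40003 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
May  9 12:01:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May  9 12:01:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40005 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
May  9 12:05:40 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=0 DF PROTO=TCP SPT=3300 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
May  9 12:05:41 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=0 DF PROTO=TCP SPT=3301 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
May  9 12:07:12 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
May  9 12:07:13 gw kernel: not a firewall line at all
"""

# KEY=VALUE tokens; bare flags such as DF and SYN carry no '=' and are ignored.
TOKEN_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log(text, prefix=LOG_PREFIX):
    """Return one dict per firewall log line; lines without the prefix are skipped."""
    entries = []
    for line in text.splitlines():
        idx = line.find(prefix)
        if idx < 0:
            continue
        fields = dict(TOKEN_RE.findall(line[idx + len(prefix):]))
        if "SRC" not in fields or "PROTO" not in fields:
            continue  # malformed or truncated line: do not guess
        dpt = fields.get("DPT", "")
        entries.append({
            "src": fields["SRC"],
            "dst": fields.get("DST", ""),
            "proto": fields["PROTO"],
            "dport": int(dpt) if dpt.isdigit() else None,  # ICMP has no DPT
        })
    return entries


def summarize(entries):
    """Hits per source, keyed by 'PROTO/dport', the shape of a nightly summary mail."""
    summary = defaultdict(lambda: defaultdict(int))
    for e in entries:
        key = f"{e['proto']}/{e['dport']}" if e["dport"] is not None else e["proto"]
        summary[e["src"]][key] += 1
    return {src: dict(ports) for src, ports in summary.items()}


def detect_scans(summary, min_ports=5):
    """Sources that hit at least min_ports distinct closed ports (the pattern PortSentry reacts to)."""
    return sorted(src for src, ports in summary.items() if len(ports) >= min_ports)


# Two interchangeable responses: the operator chooses, nothing is hard-wired.
def drop_rule(src):
    """PortSentry-style response: the firewall command that would block the source."""
    return f"iptables -I INPUT -s {src} -j DROP"


def notify_only(src):
    """Softer response: a line for the summary mail, no automatic block."""
    return f"ALERT: {src} probed multiple closed ports; review before blocking"


def respond(summary, min_ports=5, action=notify_only):
    """Apply the chosen action to every flagged source and return what it produced."""
    return [action(src) for src in detect_scans(summary, min_ports)]


def render_report(summary):
    """Plain-text report, busiest source first."""
    lines = []
    for src in sorted(summary, key=lambda s: -sum(summary[s].values())):
        total = sum(summary[src].values())
        detail = ", ".join(f"{k} x{v}" for k, v in sorted(summary[src].items()))
        lines.append(f"{src:<16} {total:>4} packets  ({detail})")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    print(render_report(summary))
    for cmd in respond(summary, action=drop_rule):
        print("would run:", cmd)
```

Feed it a real /var/log/messages (or the file ulogd writes; with ulogd's LOGEMU output plugin the key=value format is the same, so the parser applies unchanged) and the report is the per-source summary; swap notify_only for drop_rule, or for anything else, to change what happens to a scanner. Whatever the action, rate-limit the LOG rule itself (-m limit) so a flood of rejected packets cannot fill the log partition.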

