IDS mailing list archives
RE: snort-inline inbound ruleset?
From: "Gonzalez, Albert" <albert.gonzalez () eds com>
Date: Mon, 3 Feb 2003 13:38:17 -0500
It all depends on you though. IMHO, I would either choose Hogwash or SnortSam. I have tried both and had great results from them. You will just have to play with them and choose which one you think fits your setup better. Take in mind, both of these use Snort as the 'detection' engine, but they are geared towards the 'prevention' of attacks. Though Snort can be compiled with flexresp and have the ability to send rst, icmp_port_unreachable and others, Hogwash does the dropping for you, while SnortSam can pass it off to firewalls (supports various). Snort-inline uses iptables.

I hope that helps in some faint way :-)

Cheers!

Alberto Gonzalez

SnortSam - http://www.snortsam.net
Hogwash - http://hogwash.sourceforge.net

-----Original Message-----
From: John Flynn [mailto:johnflynn () fastmail fm]
Sent: Sunday, February 02, 2003 1:09 PM
To: focus-ids () securityfocus com
Subject: snort-inline inbound ruleset?

Hi all,

I'm fairly new to the IDS scene. I want to deploy some sort of open source IPS. I've read most of the stuff from the honeynet project and those guys are doing a great job with snort-inline. They have a great default ruleset to filter outgoing traffic.

I was wondering if snort-inline is a recommended approach for an IPS at this point and if so, does someone have a good default blocking ruleset for incoming untrusted traffic they could point me to? I have been having a huge problem with false positive rates with Snort on my network and I'm struggling to come up with an IPS solution that won't block legitimate traffic. Would people recommend I use Hogwash or something else instead of snort-inline?

You folks are all doing a great thing here in this list...

John Flynn