PaulDotCom mailing list archives
Make snort bite back - prevention issues
From: wishinet at googlemail.com (wishi)
Date: Mon, 19 Jan 2009 17:25:15 +0100
Hi! I'm currently setting up a secure Linux (Debian) based server, and I want to apply some prevention in case of intrusion detection, and effective logging (not a mass of data).

There's a great small list at Emerging Threats' documentation site about SnortSam: http://doc.emergingthreats.net/bin/view/Main/SnortSam

* I already applied some of the ready rule sets from there. They seem quite good.

* One issue related to SnortSam: in the documentation I found several parts, like white-list support of IP addresses that will never be blocked. Anyhow, I have a dynamic IP address, therefore I can't white-list it, because it is not static. This can cause problems, I think. If somebody spoofs IPs, I can't be sure I'll be able to access the server any more (without KVM-IP...).

* Furthermore, only outgoing traffic matters. I don't really care about ssh brute-force attacks because it's highly unlikely they'd be successful.

I just wonder what's a real best-practice IDS config; where to create logs, and how to organize them ;). In the end I want a pcap for an attack that took place, and a small logfile. That's all. But it seems I get a huge mass of logs I don't even need.

wishi
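As an added example that is not part of the original post or of the SnortSam project's own documentation: a minimal Snort 2.x output section that produces exactly the two artifacts asked for above (a pcap of the packets that fired an alert, plus a one-line-per-event text log), next to the SnortSam agent directives the question refers to. The log paths, the interface name, the shared key and the whitelisted address are placeholders chosen here, not values from the post.

```conf
# --- snort.conf, output section (added example; paths are placeholders) ---

# Compact text log: one line per alert, no packet payload. This is the
# "small logfile" half of the request.
output alert_fast: /var/log/snort/alert.fast

# Only the packets that triggered an alert, written in pcap format so they
# can be opened later with tcpdump or Wireshark. Nothing else is captured,
# which keeps the volume down compared to full packet logging.
output log_tcpdump: /var/log/snort/alert.pcap

# Send block requests to a SnortSam agent on the same host.
# host:port/key are placeholders; the key must match snortsam.conf below.
output alert_fwsam: 127.0.0.1:898/PLACEHOLDER_KEY

# --- snortsam.conf (added example) ---

# Accept block requests only from the local sensor, authenticated by the key.
accept 127.0.0.1, PLACEHOLDER_KEY
port 898

# Block via iptables on the public interface (interface name is an assumption).
iptables eth0 LOG

# Whitelist: this address is never blocked, whatever a rule asks for.
# 192.0.2.10 is a documentation address standing in for a static admin host.
dontblock 192.0.2.10

logfile /var/log/snortsam.log
```

Only rules that carry an `fwsam:` option result in a block request; every other rule just logs. With the two `output` lines above, an event leaves one line in alert.fast and its packet(s) in alert.pcap, which is the whole footprint the post asks for.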