Snort mailing list archives
Re: Snort + ipchains
From: Guillaume <guillaume () anteria fr>
Date: Mon, 03 Dec 2001 19:07:08 +0100 (CET)
In reply to John Sage <jsage () finchhaven com>:
That sounds a lot like what I'm doing: My method is to run snort in -b binary capture mode against my own rulesets that essentially act upon *every* packet by either alerting (on a specific port, for example..) or by alerting/logging entire port ranges so that everything is captured. (Now, having said this, let me say that my ipchains rules actually block most of those ports that seem to be open, by limiting connections to a specific set of source IPs...) The net effect is that *every* packet is accounted for, somehow, both incoming and outgoing. Later I analyze the binary logs with the rules that come provided with snort...
Well, I think I may have not been clear enough. In fact, I wrote 'snort' but I could have written tcpdump or Ethereal or prelude. And most of all I should have sent my question to another list! :-) I was thinking about a way to capture traces of potentially new attacks when I first asked about a way to make ipchains log rejected/blocked/denied packets in raw format. I did not remember that -o option at that time! Looking back now, I just realize that snort-users may not be the appropriate list for this kind of question (not from a technical point of view but from a pertinence one!). Thank you anyway for your help.

Guillaume

***********************************
Sent with HORDE/IMP (www.horde.org)

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
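The approach John Sage describes above (capture every packet with snort -b, block most ports with ipchains except for an allowlist of source IPs, then account for each packet afterwards) can be illustrated with a small offline analyser. The following is an added example for this archive page, not code from Snort, ipchains or either poster: it builds a constructed libpcap file in memory (the format snort -b writes), parses it with the standard library only, and classifies every frame against a hypothetical ipchains-style policy (a default-deny port set, with a few ports open only to listed sources). The POLICY table, the addresses and the sample frames are all invented for the example.

```python
"""
Account for every packet in a Snort '-b' binary (pcap) log by replaying it
against an ipchains-style policy: default-deny, with a few ports opened
only to an allowlist of source IPs.

Added example for this thread, not code from Snort or from the posters.
The policy, addresses and captured packets are constructed for illustration.
"""
import struct
import ipaddress
from collections import Counter

# Hypothetical policy: for each TCP destination port, the set of sources that
# may connect. None means open to everyone. Ports absent from the table are
# what the ipchains DENY rules would have dropped.
POLICY = {
    22: {"10.0.0.5", "10.0.0.6"},
    80: None,
}

def build_pcap(packets):
    """Wrap raw Ethernet frames in a libpcap file (the format 'snort -b' writes)."""
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype 1 = Ethernet
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    out = [hdr]
    for ts, frame in packets:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def tcp_frame(src, dst, sport, dport, flags=0x02):
    """Build a minimal Ethernet/IPv4/TCP frame (no payload, checksums zeroed)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp

def iter_packets(pcap):
    """Yield (timestamp, frame) records from a little-endian pcap blob."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(pcap):
        ts, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield ts, pcap[off:off + caplen]
        off += caplen

def decode(frame):
    """Return (src, dst, proto, sport, dport) for an IPv4 frame, or None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    l4 = 14 + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        return src, dst, proto, sport, dport
    return src, dst, proto, None, None

def disposition(pkt):
    """Classify one decoded packet the way the ipchains policy above would."""
    src, _, proto, _, dport = pkt
    if proto != 6:
        return "other-proto"
    if dport not in POLICY:
        return "denied-closed-port"
    allowed = POLICY[dport]
    if allowed is None or src in allowed:
        return "accepted"
    return "denied-src-not-allowed"

def account(pcap):
    """Tally dispositions so every captured packet lands in exactly one bucket."""
    tally = Counter()
    for _, frame in iter_packets(pcap):
        pkt = decode(frame)
        tally[disposition(pkt) if pkt else "non-ip"] += 1
    return tally

# Constructed capture: an allowed SSH connect, SSH from an unlisted host,
# a web hit, and a probe at a closed port.
SAMPLE = build_pcap([
    (1007400000, tcp_frame("10.0.0.5", "192.0.2.10", 40000, 22)),
    (1007400001, tcp_frame("198.51.100.7", "192.0.2.10", 40001, 22)),
    (1007400002, tcp_frame("198.51.100.8", "192.0.2.10", 40002, 80)),
    (1007400003, tcp_frame("198.51.100.9", "192.0.2.10", 40003, 23)),
])

if __name__ == "__main__":
    for bucket, n in sorted(account(SAMPLE).items()):
        print(f"{bucket:24s} {n}")
```

Because the firewall's blocked traffic is the interesting part, the two "denied-*" buckets are the ones to feed back into the ruleset or to replay through snort -r with the full signature set; the point of the tally is that no frame in the binary log escapes classification.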
Current thread:
- RE: Snort + ipchains, (continued)
- RE: Snort + ipchains Martijn Heemels (Dec 01)
- Re: Snort + ipchains John Sage (Dec 01)
- RE: Snort + ipchains Erek Adams (Dec 01)
- Re: Snort + ipchains Ed Wiget (Dec 01)
- Re: Snort + ipchains Guillaume (Dec 01)
- Re: Snort + ipchains John Sage (Dec 01)
- RE: Snort + ipchains John Berkers (Dec 01)
- Re: Snort + ipchains John Sage (Dec 01)
- RE: Snort + ipchains Martijn Heemels (Dec 02)
- Re: Snort + ipchains John Sage (Dec 02)
- Re: Snort + ipchains Guillaume (Dec 03)