Snort mailing list archives

Re: Snort + ipchains


From: Guillaume <guillaume () anteria fr>
Date: Mon, 03 Dec 2001 19:07:08 +0100 (CET)

In reply to John Sage <jsage () finchhaven com>:

That sounds a lot like what I'm doing:

My method is to run snort in -b binary capture mode against my own 
rulesets that essentially act upon *every* packet by either alerting (on
a specific port, for example..) or by alerting/logging entire port 
ranges so that everything is captured.

(Now, having said this, let me say that my ipchains rules actually block
most of those ports that seem to be open, by limiting connections to a
specific set of source IP's...)

The net effect is that *every* packet is accounted-for, somehow, both 
incoming and outgoing.

Later I analyze the binary logs with the rules that come provided with
snort...

Well, I think I may not have been clear enough. In fact, I wrote 'snort' but I 
could have written tcpdump or Ethereal or prelude. And most of all I should 
have sent my question to another list! :-)

I was thinking about a way to capture tracks of potentially new attacks when I 
first asked about a way to make ipchains log rejected/blocked/denied packets 
in raw format. Did not remember that -o option at that time!

Looking back now, I just realize that snort-users may not be the appropriate 
list for this kind of question (not from a technical point of view but from a 
pertinence one!).

Thank you anyway for your help.

Guillaume

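The "analyze the binary logs later" step that John Sage describes above, as an added example that is not code from this thread or from Snort: snort -b writes tcpdump-format (pcap) files, so a short standard-library parser can walk every packet in such a log and tally it by direction and destination port, then mark each inbound packet with what an allow-list firewall would have done with it. The local address, the per-port allowed-source table standing in for the poster's ipchains rules, and the embedded sample capture are all constructed assumptions for the demonstration.

```python
"""Account for every packet in a snort -b (tcpdump/pcap-format) binary log.

Added example, not from the original thread. Parses Ethernet/IPv4/TCP-UDP
headers with the standard library only and tallies each packet by firewall
verdict and destination port. LOCAL_IP and ALLOWED_SOURCES are assumed
stand-ins for the ipchains rules mentioned in the post (only specific
source IPs may reach certain ports; everything else is denied).
"""
import struct
from collections import Counter

# Hypothetical host and policy, not taken from the post.
LOCAL_IP = "192.0.2.10"
ALLOWED_SOURCES = {22: {"198.51.100.7"}, 80: {"198.51.100.7", "203.0.113.5"}}

PCAP_MAGIC = 0xA1B2C3D4


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_pcap(data):
    """Yield one dict per IPv4 packet: src, dst, proto, sport, dport.

    Ports are None for protocols other than TCP (6) and UDP (17).
    """
    magic, = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a pcap file")
    # Global header: magic, vmajor, vminor, thiszone, sigfigs, snaplen, linktype
    linktype, = struct.unpack(end + "I", data[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34:
            continue  # truncated frame: too short for Ethernet + IPv4 header
        ethertype, = struct.unpack("!H", frame[12:14])
        if ethertype != 0x0800:
            continue  # only IPv4 is decoded here
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        src, dst = ip_str(ip[12:16]), ip_str(ip[16:20])
        sport = dport = None
        if proto in (6, 17):
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        yield {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def firewall_verdict(pkt, allowed=ALLOWED_SOURCES, local=LOCAL_IP):
    """What the assumed allow-list would do with this packet."""
    if pkt["dst"] != local:
        return "outgoing"
    if pkt["dport"] in allowed:
        return "accepted" if pkt["src"] in allowed[pkt["dport"]] else "denied"
    return "denied"  # default deny for ports without an explicit rule


def account(data):
    """Tally every packet by (verdict, dport) so nothing goes unaccounted for."""
    tally = Counter()
    for pkt in parse_pcap(data):
        tally[(firewall_verdict(pkt), pkt["dport"])] += 1
    return tally


# ---- constructed sample capture (not real traffic) ----
def build_frame(src, dst, proto, sport, dport):
    """Minimal Ethernet/IPv4/TCP-or-UDP frame; checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src_b, dst_b)
    return eth + ip + l4


def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1007337600 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    build_frame("198.51.100.7", LOCAL_IP, 6, 40000, 22),   # allowed admin host -> ssh
    build_frame("203.0.113.5", LOCAL_IP, 6, 40001, 22),    # web-only host probing ssh
    build_frame("203.0.113.5", LOCAL_IP, 6, 40002, 80),    # allowed web client
    build_frame("203.0.113.99", LOCAL_IP, 17, 53, 1434),   # stranger hitting an unlisted port
    build_frame(LOCAL_IP, "203.0.113.5", 6, 80, 40002),    # our reply, outgoing
])

if __name__ == "__main__":
    for (verdict, port), n in sorted(account(SAMPLE_PCAP).items(), key=str):
        print(f"{verdict:9s} dport={port}: {n}")
```

To use it on a real log, replace SAMPLE_PCAP with the bytes of a file written by snort -b (or by tcpdump -w) and adjust LOCAL_IP and ALLOWED_SOURCES to the host's actual rules; the "denied" rows are then exactly the packets the firewall dropped but the capture still preserved, which is the set worth running the full Snort rule set over afterwards.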

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users