Snort mailing list archives
RE: Snort and portsentry on same host ?
From: "Franki" <frankieh () vianet net au>
Date: Thu, 20 Dec 2001 00:20:57 +0800
Isn't hogwash designed with something like that in mind? Rather than blocking the host of the bad packets, it just blocks the bad packets? I love the idea of that, I'd love to see it go further and get more support.

It's not a perfect solution; I imagine it needs a lot of horsepower to do a big pipe, and the rules would have to be vague to stop false alarms from breaking stuff. But the idea is great, it is of benefit for those of us who have too much to do to be monitoring IDS output all the time. As it stands now, I have to read about 5mb of txt reports from various servers each day. As far as I'm concerned, every little bit helps, right?

rgds

Frank

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Martijn Heemels
Sent: Thursday, 13 December 2001 8:01 PM
To: Bo Jacobsen; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort and portsentry on same host ?
Hi there, does anyone know if Snort and Portsentry (in advanced mode) are able to run concurrently on the same host (and NIC).

Yes, I'm running it that way. They appear to function fine together... each doing its own thing... If you're letting Portsentry adjust your ipchains/iptables rules you will of course no longer see the traffic from the host you're blocking, since it'll be impossible for that host to set up a TCP connection to your host.

So what iptables blocks (drop), Snort will not see. I just thought that Snort was first in line.
There have been many discussions on this subject on the list. You might want to check the archives.
By the way, do you know if it's possible to have Snort execute an iptables command (just like Portsentry can do), when a condition is met.
I've never tried it myself, but I believe you can use FlexResp to do this. You can at least send a reset packet to stop a connection.

Greets,

Martijn

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort and portsentry on same host ? Bo Jacobsen, SystemHouse (Dec 12)
- RE: Snort and portsentry on same host ? Martijn Heemels (Dec 12)
- Sv: Snort and portsentry on same host ? Bo Jacobsen (Dec 13)
- RE: Snort and portsentry on same host ? Martijn Heemels (Dec 13)
- RE: Snort and portsentry on same host ? Franki (Dec 19)