Snort mailing list archives
Whatever OS We Use
From: "Erickson Brent W KPWA" <erickson () kpt nuwc navy mil>
Date: Mon, 18 Mar 2002 07:48:02 -0800
Whatever OS we use, Snort is the only pig I know that can fly through the bandwidth, glide through the alerts on ACID, and stream binary captured data at 100 miles an hour between two systems. We have been using Snort since version 1.6, and the only limitations we have encountered so far with Snort have been the limitations of our own imagination. So we use Snort for:

1. Real time alerting (in many probes and attacks, Snort provides us an early enough warning to take action, provided we are paying attention).

2. Near real time or after action analysis. Give me the data content on that suspicious alert e-mail message that I just received.

3. Snort in the DMZ in front of two other Snort systems behind a firewall, which can be used as a firewall and internal Snort system rules verifier. Shows us and allows us to test what our outer firewall is or is not effectively blocking. Configure Snort alerts according to your inner and outer firewall rules for testing and if you try to break into your own systems.

4. Snort on a laptop. A great tool for troubleshooting local and remote customer network connectivity and firewall problems. Big bonus here, Marty, not to take anything away from TCPDUMP or Ethereal, which we also use. We are able to quickly troubleshoot many customer connectivity problems with Snort in a matter of minutes. They call you up, you get their address, and in seconds after:

   snort -d -l log host xxx.xxx.xxx.xxx

   you are capturing their traffic and detecting what is or is not happening. Saves a lot of troubleshooting time and money and makes many happy customers.

5. Snort logging all traffic for archive and analysis: two Snort sniffers streaming the data to 2 NICs on a terabyte server with direct crossover cables.

6. Snort discovery system. Learn that traffic. What is going on with these high outbound or inbound ports? So we do a one trick pony system (1 or 2 rules). Maybe we should call it a one trick piggy system. Like so:

   alert tcp $EXTERNAL_NET any -> $HOME_NET 4500: (msg:"High Port Inbound Connect Attempt"; flags:S; tag:session,6,packets;)

This and more is all possible thanks to all of you, and I mean it.

Brent Erickson
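As an added illustration (not Brent's code and not Snort's), here is a small Python model of what that one-rule "discovery" setup does: it alerts on an inbound bare SYN to port 4500 or above and then tags the next six packets of that session, run over constructed sample traffic. $HOME_NET being 10.0.0.0/8 and the packet tuple layout are assumptions made here.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the post): $HOME_NET is 10.0.0.0/8, $EXTERNAL_NET is everything
# else, and a packet is a tuple (src, sport, dst, dport, tcp_flags).
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
TAG_PACKETS = 6  # the "6" in tag:session,6,packets

def is_home(ip):
    return ipaddress.ip_address(ip) in HOME_NET

def session_key(p):
    # Direction-insensitive endpoint pair, so replies from the home host are tagged too.
    src, sport, dst, dport, _ = p
    return tuple(sorted([(src, sport), (dst, dport)]))

def rule_matches(p):
    # Rule header plus flags:S (exactly SYN, so a SYN/ACK reply does not match).
    src, _, dst, dport, flags = p
    return not is_home(src) and is_home(dst) and dport >= 4500 and flags == "S"

def run_rule(packets):
    """Return (alert indexes, tagged indexes). After a match the next TAG_PACKETS
    packets of that session are tagged, as tag:session,6,packets does. Assumption:
    the triggering packet is the alert, not one of the six tagged packets."""
    alerts, tagged = [], []
    remaining = defaultdict(int)  # session -> packets still to tag
    for i, p in enumerate(packets):
        key = session_key(p)
        if rule_matches(p):
            alerts.append(i)
            remaining[key] = TAG_PACKETS
        elif remaining[key] > 0:
            tagged.append(i)
            remaining[key] -= 1
    return alerts, tagged

EXT, HOME = "203.0.113.5", "10.1.2.3"  # constructed addresses
SAMPLE = [  # constructed traffic: one high-port connection plus three SYNs the rule ignores
    (EXT, 40000, HOME, 5555, "S"),   # 0: matches, alert
    (HOME, 5555, EXT, 40000, "SA"),  # 1-6: the six tagged session packets
    (EXT, 40000, HOME, 5555, "A"),
    (EXT, 40000, HOME, 5555, "PA"),
    (HOME, 5555, EXT, 40000, "PA"),
    (EXT, 40000, HOME, 5555, "A"),
    (EXT, 40000, HOME, 5555, "FA"),
    (HOME, 5555, EXT, 40000, "FA"),  # 7: past the six-packet limit, not tagged
    (EXT, 40001, HOME, 80, "S"),     # 8: port below 4500
    (HOME, 40002, EXT, 6000, "S"),   # 9: outbound, wrong direction for this rule
    (EXT, 40003, HOME, 4500, "SA"),  # 10: not a bare SYN
]
```

Calling run_rule(SAMPLE) gives ([0], [1, 2, 3, 4, 5, 6]): one alert and exactly six tagged follow-on packets, with the seventh and the three non-matching SYNs left alone.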
Current thread:
- Whatever OS We Use Erickson Brent W KPWA (Mar 18)
- Re: Whatever OS We Use Frank Knobbe (Mar 19)
- <Possible follow-ups>
- Re: Whatever OS We Use Mike Shaw (Mar 18)
- Re: Whatever OS We Use John Sage (Mar 18)