Snort mailing list archives
Re: VDQ: Snort basic
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 05 Aug 2002 13:46:15 -0400
Snort isn't really a "defense" per se, it's more of an intrusion attempt detection/logging tool that you can use to give you a "heads up" to various pokes and prods at your network. In the event of an actual network intrusion snort can provide valuable forensics that alert you to the problem, and give you a general idea of what machine was attacked (provided the snort box itself is not compromised).
For "defense", as in network traffic blocking, linux comes with an in-kernel firewall. The tool you use to configure it is called iptables, or ipchains in the case of older 2.2.x series kernels. Using this tool you can create general rules to filter inbound and outbound traffic, such as blocking all inbound icmp echo requests to broadcasts, etc.
Of course, an even more important aspect of defense is not to be running services that will need firewalling in the first place, so unless you need them, make sure you aren't running sendmail as a daemon, shut down bind, portmapper, nfsd, ypbind, remote access linuxconf, lpd, and all that other miscellaneous publicly accessible service garbage that redhat tends to turn on by default unless you specify a high security install. Then use iptables to have the linux box defend the machines running behind it.
You might want to read the LDP's quickstart howto on securing redhat boxes: http://www.tldp.org/HOWTO/Security-Quickstart-Redhat-HOWTO/index.html Section 5.2 covers iptables.

At 12:05 PM 8/5/2002 -0400, Beartooth wrote:
All I know about it is what I've read on novalug in the last couple of days. I ran ZoneAlarm under W98 on my other hard drive long enough before getting linux to know that merely being an inconspicuous user on a home machine doesn't protect from sundry intrusion attempts that I don't begin to understand; so now I ought to have some sort of defense, but don't know what I can hope to handle, or even find straight up about. Is Snort such a thing, or am I out of my league as usual?

-- Beartooth the Stubborn <karhunhammas (at) lserv.com>, double retiree, linux hatchling w/ RH 7.2; ssh'd (DSL) to pine 4.43 on ISP's SunOS 5.8; Opera 6.02, Pan 0.11.2, Galeon 1.2.5, & Mozilla 1.0
Standard disclaimer: Keep in mind that I have no idea what I am talking about.
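As an added example (not part of Matt's reply or anything else in the thread), here is the kind of iptables ruleset his advice describes for a 2.4-kernel Linux box sitting in front of a small LAN: default-deny inbound, drop ICMP echo requests addressed to broadcasts, open only the services actually run, and log the rest so it can be compared against snort's alerts. The interface names, the LAN addresses and the "SSH is the only service" choice are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal iptables ruleset for a
# 2.4-series kernel box protecting a small LAN, following the advice above:
# default-deny inbound, drop ICMP echo requests aimed at broadcast addresses,
# and only open the services you actually run.
# Interface names and addresses are constructed placeholders.
EXT_IF=eth0                 # assumption: interface facing the ISP
LAN_IF=eth1                 # assumption: interface facing the protected LAN
LAN_NET=192.168.1.0/24      # assumption: protected network
LAN_BCAST=192.168.1.255     # assumption: its directed-broadcast address
IPT=${IPT:-iptables}        # set IPT=echo to preview the rules without applying

# Emit (or apply) one rule; a single entry point keeps the ruleset reviewable.
rule() { "$IPT" "$@"; }

build_ruleset() {
    # Clean slate, default-deny for traffic to and through this host.
    rule -F
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT

    # Loopback is always fine; replies to connections we opened are fine.
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Drop echo requests to broadcast addresses (smurf-style amplification),
    # then permit ordinary pings so the box stays debuggable.
    rule -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request -d 255.255.255.255 -j DROP
    rule -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request -d "$LAN_BCAST" -j DROP
    rule -A FORWARD -i "$EXT_IF" -p icmp --icmp-type echo-request -d "$LAN_BCAST" -j DROP
    rule -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Only the services this host really runs: here just SSH.
    rule -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Let the LAN reach the outside; nothing unsolicited comes back in.
    rule -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$EXT_IF" -j ACCEPT

    # Log what is dropped so it can be cross-checked against snort's alerts.
    rule -A INPUT -i "$EXT_IF" -j LOG --log-prefix "fw-drop: "
}

# Audit what is actually listening: the best rule is a daemon that is not
# running at all (add -p as root to see which program owns each socket).
listening_services() { netstat -tuln 2>/dev/null | awk 'NR>2 {print $4}'; }
```

Run `IPT=echo sh -c '. ./fw.sh; build_ruleset'` first to review the generated rules, then apply them as root and compare `listening_services` output against what you expect to be exposed.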