Snort mailing list archives
Re: Snort and IPtables...
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 25 Mar 2003 20:57:51 -0500
Agreed with you on that point... If you have to do it.. might I suggest using the -u and -c options of snort.
Heck, even if you *aren't* using your snort box as a firewall, it's still a good idea to depriv and chroot, after all..
The snort box is in an ideal location for sniffing, thus is also in an ideal location for spoofing attacks and has a very good chance of succeeding in a connection hijacking attack (no need to guess ISNs when you can sniff them).
In general you should work _very_ hard to secure your snort boxes, as they are very dangerous in the hands of an attacker.... Having your snort box be able to reconfigure your firewall just makes the consequences more drastic, but they're already at a critical level.
At 12:45 AM 3/26/2003 +0100, Peter VE wrote:
which of course brings up a good point: your iptables firewall suddenly becomes only as safe as your snort is (or tcpdump, or any other app that uses libpcap stuff if you will) so maybe it's not a good idea to combine a firewall & ids/sniffer on the same box... (just my $0,02)
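An added example, not part of the original thread: a shell check that a running sensor process really has dropped root and is confined to a chroot, as the message recommends. It reads Linux `/proc`; the process name `snort` and the overridable `PROC_ROOT` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check that a sensor process has dropped root and is chrooted.
# PROC_ROOT is overridable (assumption, so the check can run on a constructed tree).
PROC_ROOT="${PROC_ROOT:-/proc}"

# audit_pid PID: 0 = deprivileged and chrooted, 1 = a check failed, 2 = unreadable
audit_pid() {
    pid="$1"
    # "Uid:" carries real, effective, saved and filesystem UIDs; a saved UID
    # of 0 would let the process regain root, so all four must be non-zero.
    uids="$(awk '$1 == "Uid:" { print $2, $3, $4, $5; exit }' \
        "$PROC_ROOT/$pid/status" 2>/dev/null)" || uids=""
    # /proc/PID/root points at the process's root directory ("/" = no chroot).
    root="$(readlink "$PROC_ROOT/$pid/root" 2>/dev/null)" || root=""
    if [ -z "$uids" ] || [ -z "$root" ]; then
        echo "pid $pid: UNKNOWN (status/root unreadable; run the audit as root)"
        return 2
    fi
    rc=0
    for u in $uids; do
        if [ "$u" = "0" ]; then
            echo "pid $pid: FAIL holds uid 0 (Uid: $uids)"
            rc=1
            break
        fi
    done
    if [ "$root" = "/" ]; then
        echo "pid $pid: FAIL not chrooted (root is /)"
        rc=1
    fi
    [ "$rc" -ne 0 ] || echo "pid $pid: OK uids=[$uids] root=$root"
    return "$rc"
}

# audit_by_name NAME: audit every process whose comm equals NAME.
# Returns 0 if all pass, 1 if any fails or is unreadable, 3 if none is running.
audit_by_name() {
    name="$1"; found=0; worst=0
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -r "$d/comm" ] || continue
        [ "$(cat "$d/comm")" = "$name" ] || continue
        found=1
        audit_pid "${d##*/}" || worst=1
    done
    [ "$found" -eq 1 ] || { echo "no '$name' process found"; return 3; }
    return "$worst"
}

# Typical use on the sensor, as root:  audit_by_name snort
```

A non-zero return from a cron or monitoring job is the signal that the sensor was started without its privilege drop or jail.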