Snort mailing list archives
Re: firewall rules modification based on snort logs
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 10 Jun 2003 22:38:50 -0500
On Tue, 2003-06-10 at 12:55, Matt Kettler wrote:
> However, if you need to split SnortSam across an insecure network, make sure to use an SSH tunnel or similar mechanism. It acts by injecting configuration commands into your existing firewall, so it works with IPTables, instead of alongside it. Older versions of SnortSam tried to use encryption without a MAC (only a sequence number) to provide authentication and integrity.
That still hasn't been fixed yet. However, for usage within your own network, this is acceptable imo. If you route through the Internet, use an SSH tunnel. The fix for checking a complete packet (as we had discussed earlier) is still on my to-do list (which gets larger every day). Feel free to assist with a revised implementation. The change would have to occur in twofish.c.
> Needless to say that doesn't work very well, but AFAIK the feature has been removed. It is, however, still mentioned in the FAQ in all its incorrect glory.
Yeah, rub it in.... if you happen to get really annoyed with this, feel free to fix the FAQ and send me a copy.

Regards,
Frank
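The weakness Matt and Frank are discussing above (encryption plus a sequence number, but no MAC), shown as an added example that is not part of this thread and is not SnortSam's code. A toy HMAC-SHA256 keystream stands in for Twofish, the command text and keys are constructed, and the packet layout (nonce, 4-byte sequence number, payload, optional 32-byte tag) is an assumption made for the example, not the real SnortSam wire format. An attacker who never sees the key rewrites the target address in transit and bumps the sequence number so the replay check passes; the encrypt-then-MAC variant rejects the same packet on tag mismatch before decrypting anything, and still catches replay:

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 12
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode) standing in for Twofish.
    The malleability shown below does not depend on which cipher is used."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Scheme 1 (what the thread describes): encrypt (seq || payload), no MAC.
def seal_seq_only(key: bytes, seq: int, payload: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    pt = struct.pack(">I", seq) + payload
    return nonce + xor(pt, keystream(key, nonce, len(pt)))


class SeqOnlyReceiver:
    def __init__(self, key: bytes):
        self.key, self.last_seq = key, 0

    def open(self, packet: bytes):
        """Return the command, or None if the sequence check rejects it.
        Nothing here can tell a genuine packet from a bit-flipped one."""
        nonce, ct = packet[:NONCE_LEN], packet[NONCE_LEN:]
        pt = xor(ct, keystream(self.key, nonce, len(ct)))
        seq = struct.unpack(">I", pt[:4])[0]
        if seq <= self.last_seq:
            return None
        self.last_seq = seq
        return pt[4:]


# Scheme 2 (checking the complete packet): encrypt-then-MAC over nonce and
# ciphertext; verify the tag before touching the plaintext at all.
def seal_etm(enc_key: bytes, mac_key: bytes, seq: int, payload: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    pt = struct.pack(">I", seq) + payload
    ct = xor(pt, keystream(enc_key, nonce, len(pt)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


class EtmReceiver:
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key, self.last_seq = enc_key, mac_key, 0

    def open(self, packet: bytes):
        nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        pt = xor(ct, keystream(self.enc_key, nonce, len(ct)))
        seq = struct.unpack(">I", pt[:4])[0]
        if seq <= self.last_seq:
            return None
        self.last_seq = seq
        return pt[4:]


def tamper(packet: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Keyless attacker: knowing (or guessing) the plaintext bytes at `offset`,
    XOR the ciphertext so those bytes decrypt to `wanted` instead."""
    buf = bytearray(packet)
    for i, (k, w) in enumerate(zip(known, wanted)):
        buf[offset + i] ^= k ^ w
    return bytes(buf)


def run_demo() -> dict:
    enc_key = hashlib.sha256(b"constructed-enc-key").digest()   # constructed keys
    mac_key = hashlib.sha256(b"constructed-mac-key").digest()
    cmd = b"block 192.0.2.10 for 600s"   # constructed command, not SnortSam's format
    ip_off = NONCE_LEN + 4 + cmd.index(b"192.0.2.10")
    results = {}

    rx = SeqOnlyReceiver(enc_key)
    pkt = seal_seq_only(enc_key, 1, cmd)
    results["seq_only_honest"] = rx.open(pkt)
    # Redirect the block to an internal host and bump seq 1 -> 2 so the replay
    # check passes: the sequence number is encrypted but not authenticated.
    forged = tamper(pkt, ip_off, b"192.0.2.10", b"10.0.0.254")
    forged = tamper(forged, NONCE_LEN, struct.pack(">I", 1), struct.pack(">I", 2))
    results["seq_only_forged"] = rx.open(forged)
    results["seq_only_replay"] = rx.open(pkt)   # a plain replay is still caught

    rx2 = EtmReceiver(enc_key, mac_key)
    pkt2 = seal_etm(enc_key, mac_key, 1, cmd)
    results["etm_forged"] = rx2.open(tamper(pkt2, ip_off, b"192.0.2.10", b"10.0.0.254"))
    results["etm_honest"] = rx2.open(pkt2)
    results["etm_replay"] = rx2.open(pkt2)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

Two details carry the point. The sequence number on its own does stop a naive replay, but because it is only encrypted, the attacker flips its bits along with the address and the receiver happily blocks the wrong host. With the tag computed over the nonce and the whole ciphertext and checked with a constant-time compare before decryption, both the forgery and the replay are dropped, which is what "checking a complete packet" buys you; until a MAC is in place, the SSH tunnel Frank recommends provides that integrity check on the tunnel's behalf. With a block cipher in CBC mode the same bit-flip also garbles the neighbouring block, but an unauthenticated receiver still cannot tell that from a legitimate packet.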