Snort mailing list archives
Re: options for consideration
From: "Allan Dover" <allan () redwoods ca>
Date: Wed, 23 Apr 2003 09:14:28 -0400
Here are my two cents:

I am using RH 7.3 with Netfilter Bridge Patch. I have three NICs in my box. ETH0 and ETH1 are a logical bridge, and that is what I have Snort monitoring. I have IPTABLES running and filtering all packets in and out of my subnet through the bridge interface. ETH2 is on my clean side of the firewall for monitoring ACID and so on.

Most will think it is overkill, but set up a second Snort box after your firewall. As intrusions come in and SNORT1 alerts, see if SNORT2 shows the intrusions. If not, you know that your firewall is filtering and Snort is doing its job, which it is very good at.

Once again, my two cents, and this scenario is only as good as your rules and filters set up.

T.T.F.N !

Allan Dover
Systems Administrator
<mailto:allan () iiwishiv com>
<http://www.iiwishiv.com>

----- Original Message -----
From: "L. Christopher Luther" <CLuther () Xybernaut com>
To: "'Slighter, Tim'" <tslighter () itc nrcs usda gov>
Cc: "Snort-Users (E-mail)" <snort-users () lists sourceforge net>
Sent: Tuesday, April 22, 2003 4:28 PM
Subject: RE: [Snort-users] options for consideration
Other than the various "attack response" rules that Snort already uses, I don't really think that an additional feature is feasible/possible. How would Snort know that an attack succeeded? Snort only monitors the actual traffic on a wire, not processes on any particular network node. The best it could do would be to see some type of response from the compromised network device. Hence the "attack response" rules.

My two cents...

- Christopher

-----Original Message-----
From: Slighter, Tim [mailto:tslighter () itc nrcs usda gov]
Sent: Tuesday, April 22, 2003 3:49 PM
To: Snort-Users (E-mail)
Subject: [Snort-users] options for consideration

What are the possibilities of implementing an additional feature into snort that would inform the user if an attack was successful or not?

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
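Added example, not part of the original thread or of Snort itself: one way to automate the SNORT1/SNORT2 comparison described in the reply above, by diffing the two sensors' fast-alert logs. The function names, sample log lines, SIDs and addresses are constructed for illustration; it assumes Snort's "fast" alert output, IPv4, and a bridging firewall without NAT, so addresses match on both sides.

```python
import re
from collections import namedtuple

# Snort "fast" alert line: timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
Alert = namedtuple("Alert", "sid msg proto src_ip dst")

def parse_fast_alerts(text):
    """Return the set of distinct alerts in a fast-alert log; skip other lines."""
    alerts = set()
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            # Timestamps differ slightly between sensors, so they are not in the key.
            # Drop the source port so repeated attempts from one host collapse.
            src_ip = m["src"].rsplit(":", 1)[0]
            alerts.add(Alert(int(m["sid"]), m["msg"], m["proto"], src_ip, m["dst"]))
    return alerts

def compare_sensors(snort1_log, snort2_log):
    """Split alerts by which side of the firewall saw them."""
    outside, inside = parse_fast_alerts(snort1_log), parse_fast_alerts(snort2_log)
    return {
        "filtered": outside - inside,     # SNORT1 only: firewall dropped the traffic
        "passed": outside & inside,       # both sensors: traffic got through, review it
        "inside_only": inside - outside,  # SNORT2 only: internal source or SNORT1 gap
    }

# Constructed sample logs (local-range SIDs, documentation addresses).
SNORT1_LOG = """\
04/23-09:14:28.100000  [**] [1:1000001:1] EXAMPLE web probe [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 198.51.100.7:40112 -> 192.168.1.20:80
04/23-09:14:30.200000  [**] [1:1000002:1] EXAMPLE telnet attempt [**] [Priority: 1] {TCP} 203.0.113.9:51000 -> 192.168.1.20:23
"""
SNORT2_LOG = """\
04/23-09:14:28.100350  [**] [1:1000001:1] EXAMPLE web probe [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 198.51.100.7:40112 -> 192.168.1.20:80
"""

if __name__ == "__main__":
    for bucket, alerts in compare_sensors(SNORT1_LOG, SNORT2_LOG).items():
        for a in sorted(alerts):
            print(f"{bucket:12} sid={a.sid} {a.msg} {a.src_ip} -> {a.dst}")
```

An alert in the "passed" bucket only shows the traffic crossed the firewall, not that the attack succeeded; as the quoted reply notes, that still depends on seeing a response from the target.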
Current thread:
- options for consideration Slighter, Tim (Apr 22)
- <Possible follow-ups>
- RE: options for consideration L. Christopher Luther (Apr 22)
- Re: options for consideration Allan Dover (Apr 23)