Snort mailing list archives

Re: Bad Traffic, Port 0


From: Erwin Van de Velde <erwin.vandevelde () ua ac be>
Date: Thu, 25 Dec 2003 11:37:09 +0100

Hi,

If snort and iptables are running on the same machine, you always see those 
packets with snort, even if iptables blocks them. Why don't you use a snort 
sensor behind the firewalling machine? You will see then if you blocked the 
traffic or not.
Anyway, I'm writing my master thesis about security logging... I'll try to 
implement the following solution: log all security logs into a database, then 
compare the information of the snort sensors with the firewalling logs and 
mark all snort alerts that do not have a matching firewall log entry. This is 
only part of my master thesis, but I think this can give a tremendous comfort 
to sysadmins, as they will have to check a lot less data. All other data is 
kept for 'curious' sysadmins or for further checks. I think for instance of a 
layered network: one big network with several smaller ones inside: if a type 
of traffic is blocked on all firewalls of the smaller networks, why not 
already block it on the outer firewall too? Such things will lead to a 
performance gain in the outer network too. But, as I said, this is still on 
its way :-)

Greetings,
Erwin Van de Velde
Student of Antwerp University,
Belgium
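One way to do the correlation Erwin describes, as an added example that is not from the post or from the Snort project: parse Snort fast-format alerts and iptables LOG lines and flag every alert that has no DROP entry for the same flow within a few seconds. It assumes the firewall rule logs with a "DROP " prefix and that all lines fall in one year (both assumptions, since neither format records the year).

```python
import re
from datetime import datetime, timedelta

YEAR = 2003  # neither Snort fast alerts nor syslog carry a year; assumed here

# Constructed sample data (not from the list post): Snort fast-format alerts
# and iptables LOG lines (rule uses --log-prefix "DROP ") from the same host.
SNORT_ALERTS = """\
12/25-11:30:02.123456  [**] [1:524:6] BAD-TRAFFIC tcp port 0 traffic [**] [Priority: 3] {TCP} 10.0.0.5:1234 -> 192.168.1.10:0
12/25-11:31:40.654321  [**] [1:1418:11] SNMP request tcp [**] [Priority: 2] {TCP} 10.0.0.7:40000 -> 192.168.1.10:161
"""
FIREWALL_LOG = """\
Dec 25 11:30:03 fw kernel: DROP IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 LEN=40 TTL=64 PROTO=TCP SPT=1234 DPT=0
Dec 25 11:35:00 fw kernel: DROP IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.1.10 LEN=60 TTL=51 PROTO=TCP SPT=5555 DPT=22
"""

ALERT_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+(.*?)\s+\[\*\*\]"
                      r".*\{(\w+)\}\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")
FW_RE = re.compile(r"^(\w{3})\s+(\d+)\s+(\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+DROP\b.*?"
                   r"\bSRC=(\S+).*?\bDST=(\S+).*?\bPROTO=(\w+).*?\bSPT=(\d+).*?\bDPT=(\d+)")

def parse_alerts(text):
    """Yield (time, signature, proto, src, dst, dport) for each Snort fast alert."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            mon, day, clock, sig, proto, src, _sport, dst, dport = m.groups()
            t = datetime.strptime(f"{YEAR} {mon} {day} {clock}", "%Y %m %d %H:%M:%S")
            yield t, sig, proto.upper(), src, dst, int(dport)

def parse_drops(text):
    """Yield (time, proto, src, dst, dport) for each iptables DROP log line."""
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            mon, day, clock, src, dst, proto, _sport, dport = m.groups()
            t = datetime.strptime(f"{YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
            yield t, proto.upper(), src, dst, int(dport)

def unmatched_alerts(alerts_text, fw_text, window_s=5):
    """Return (sig, src, dst, dport) for alerts with no DROP of the same flow within window_s."""
    drops = list(parse_drops(fw_text))
    window = timedelta(seconds=window_s)
    flagged = []
    for t, sig, proto, src, dst, dport in parse_alerts(alerts_text):
        # an alert is "blocked" if the firewall dropped the same 4-tuple close in time
        blocked = any(abs(t - ft) <= window and (fp, fs, fd, fdp) == (proto, src, dst, dport)
                      for ft, fp, fs, fd, fdp in drops)
        if not blocked:
            flagged.append((sig, src, dst, dport))
    return flagged
```

Calling `unmatched_alerts(SNORT_ALERTS, FIREWALL_LOG)` on the sample leaves only the SNMP alert, since the port 0 packet was dropped one second after Snort saw it.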




