Snort mailing list archives
Re: Bad Traffic, Port 0
From: Erwin Van de Velde <erwin.vandevelde () ua ac be>
Date: Thu, 25 Dec 2003 11:37:09 +0100
Hi,

If snort and iptables are running on the same machine, you always see those packets with snort, even if iptables blocks them. Why don't you use a snort sensor behind the firewalling machine? You will see then if you blocked the traffic or not.

Anyway, I'm writing my master thesis about security logging... I'll try to implement the following solution: log all security logs into a database, then compare the information of the snort sensors with the firewalling logs and mark all snort alerts that do not have a matching firewall log entry. This is only part of my master thesis, but I think this can give a tremendous comfort to sysadmins, as they will have to check a lot less data. All other data is kept for 'curious' sysadmins or for further checks.

I think for instance of a layered network: one big network with several smaller ones inside: if a type of traffic is blocked on all firewalls of the smaller networks, why not already block it on the outer firewall too? Such things will lead to a performance gain in the outer network too. But, as I said, this is still on its way :-)

Greetings,
Erwin Van de Velde
Student of Antwerp University, Belgium
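The correlation Erwin sketches above (mark every Snort alert that has no matching firewall log entry, so a sysadmin only has to look at what got through) and his "blocked on every inner firewall" idea, as an added Python example that is not part of the original post and not code from Snort or from his thesis. It assumes Snort's one-line fast-alert format and iptables LOG lines carrying a `DROP:` log prefix; the alert lines, log lines, SIDs, hostnames and addresses below are constructed, the 5-second match window is an assumed tolerance for clock skew between sensor and firewall, and the year is assumed to be 2003 because neither log format records one.

```python
import re
from datetime import datetime, timedelta

YEAR = 2003  # assumed: neither Snort fast alerts nor syslog lines carry a year

# Constructed Snort fast-alert lines (sensor in front of the firewall).
SNORT_ALERTS = """\
12/25-11:30:02.100000 [**] [1:1000001:1] BAD-TRAFFIC tcp port 0 traffic [**] [Priority: 2] {TCP} 203.0.113.7:4433 -> 192.0.2.10:0
12/25-11:30:05.400000 [**] [1:1000002:1] SCAN probe to ssh [**] [Priority: 3] {TCP} 203.0.113.8:51000 -> 192.0.2.10:22
12/25-11:31:10.000000 [**] [1:1000001:1] BAD-TRAFFIC tcp port 0 traffic [**] [Priority: 2] {TCP} 198.51.100.3:1025 -> 192.0.2.11:0
"""

# Constructed iptables LOG lines from two inner firewalls (prefix "DROP:" assumed).
INNER_FW_A = """\
Dec 25 11:30:02 fwa kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4433 DPT=0
Dec 25 11:31:09 fwa kernel: DROP: IN=eth0 OUT= SRC=198.51.100.3 DST=192.0.2.11 PROTO=TCP SPT=1025 DPT=0
"""
INNER_FW_B = """\
Dec 25 11:30:40 fwb kernel: DROP: IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP SPT=2000 DPT=0
Dec 25 11:30:41 fwb kernel: DROP: IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP SPT=2001 DPT=23
"""

SNORT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+ \[\*\*\] "
    r"\[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\] .*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<spt>\d+) -> (?P<dst>[\d.]+):(?P<dpt>\d+)$"
)
# Only TCP/UDP lines carry SPT/DPT; ICMP lines are skipped by design.
IPT_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<prefix>\S+) .*?SRC=(?P<src>[\d.]+).*?DST=(?P<dst>[\d.]+)"
    r".*?PROTO=(?P<proto>\w+).*?SPT=(?P<spt>\d+).*?DPT=(?P<dpt>\d+)"
)


def _flow_key(m):
    """5-tuple shared by both log sources, the join key of the correlation."""
    return (m["proto"].lower(), m["src"], m["spt"], m["dst"], m["dpt"])


def parse_snort(text):
    alerts = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %m %d %H:%M:%S")
        alerts.append({"ts": ts, "sid": m["sid"], "msg": m["msg"], "key": _flow_key(m)})
    return alerts


def parse_iptables(text):
    drops = []
    for line in text.splitlines():
        m = IPT_RE.match(line)
        if not m or m["prefix"] != "DROP:":
            continue  # keep only entries that record a block
        ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        drops.append({"ts": ts, "key": _flow_key(m)})
    return drops


def correlate(alerts, drops, window=timedelta(seconds=5)):
    """Flag each alert with whether the firewall logged a drop of the same flow
    within `window` (tolerates clock skew between sensor and firewall)."""
    drop_times = {}
    for d in drops:
        drop_times.setdefault(d["key"], []).append(d["ts"])
    results = []
    for a in alerts:
        blocked = any(abs(a["ts"] - t) <= window for t in drop_times.get(a["key"], []))
        results.append({**a, "blocked": blocked})
    return results


def unmatched(alerts, drops):
    """Alerts with no matching firewall drop: the traffic that actually got through,
    which is the short list a sysadmin has to check."""
    return [r for r in correlate(alerts, drops) if not r["blocked"]]


def dropped_everywhere(drops_per_firewall):
    """(proto, dst port) pairs that every inner firewall drops: candidates for
    blocking once on the outer firewall instead."""
    sets = [{(d["key"][0], d["key"][4]) for d in drops} for drops in drops_per_firewall.values()]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    alerts = parse_snort(SNORT_ALERTS)
    fw_a, fw_b = parse_iptables(INNER_FW_A), parse_iptables(INNER_FW_B)
    for r in unmatched(alerts, fw_a):
        print("NOT BLOCKED:", r["ts"], r["sid"], r["msg"], r["key"])
    print("dropped on all inner firewalls:", dropped_everywhere({"fwa": fw_a, "fwb": fw_b}))
```

Run as a script it prints the one alert the firewall never dropped (the probe to port 22) and `{('tcp', '0')}` as the traffic type both inner firewalls already block. Matching on the full 5-tuple keeps false matches rare, but it also means NAT on the firewall or a sensor placed behind it breaks the join; in that case the key has to be rebuilt from the translated addresses before correlating.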
Current thread:
- Problem with snort 2.1.0 and redhat 9 Lang Hoang (Dec 23)
- Re: Problem with snort 2.1.0 and redhat 9 Erek Adams (Dec 24)
- <Possible follow-ups>
- RE: Problem with snort 2.1.0 and redhat 9 Lang Hoang (Dec 24)
- RE: Problem with snort 2.1.0 and redhat 9 Erek Adams (Dec 24)
- Bad Traffic, Port 0 Martin Bündgens (Dec 24)
- Re: Bad Traffic, Port 0 Matt Kettler (Dec 24)
- Re: Bad Traffic, Port 0 Stewart Larsen (Dec 24)
- Re: Bad Traffic, Port 0 Martin Bündgens (Dec 24)
- Re: Bad Traffic, Port Josh Berry (Dec 24)
- Re: Bad Traffic, Port Martin Bündgens (Dec 24)
- Re: Bad Traffic, Port 0 Erwin Van de Velde (Dec 25)