Snort mailing list archives
Re: SNORT (Linux) / MySQL (Win32)
From: JP Vossen <vossenjp () netaxs com>
Date: Wed, 11 Feb 2004 13:09:09 -0500 (EST)
From: "MVIBE" <mvibe () sublimegrooves com>
To: "Snort Users List" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] SNORT (Linux) / MySQL (Win32)
Date: Tue, 10 Feb 2004 14:39:37 -0600

Bottom line. I am learning Linux Security. I need to learn how to run things from Linux as much as possible.
This is a Good Thing, but ideally I would NOT choose my most basic security device (i.e. gateway/firewall) as a platform on which to learn and experiment. It is possible to make catastrophic mistakes on any OS and firewall platform, but some are easier to screw up than others, PIX and IPTables come to mind... If you have the luxury, learn on something non critical. :-)
The firewall box is also acting as my DHCP/gateway, so it's kind of pointless to run an IDS from a box that is not in between the rest of my network. My network is not a high-risk network.
From a purist, paranoid security geek perspective the above makes me want to cry. From a practical, real world perspective, yeah sometimes stuff has to work that way. Sigh.
If someone hacked me they would benefit nothing.
That is NOT true! First, even if you don't think you have anything valuable stored on your network, you're probably wrong (even home networks have Quicken or TurboTax or something). But that doesn't even matter. Things that an attacker can gain from ANY compromised network are (simplistic view):

* Resources:
  - Free storage space for warez or porn (especially, unfortunately, kiddy porn)
  - Zombies--"remote control" hosts that can do any number of bad things
* A jump off point to attack other people. Similar to zombies, but with less remote control. I.e. telnet or ssh into the cracked box, then start attacking from there. For an extreme example, how about they start hacking at whitehouse.gov and the Secret Service shows up at your door one day?
Needless to say, it's hard to hack someone when ICMP pings are dropped via iptables.
Whatever makes you say this? That's totally false. First, as Fred McFeeters pointed out, there are other ways to "ping" devices using TCP or UDP. Second, very few vulnerabilities are directly related to ICMP. That's used mostly to find devices to attack, which I think you were implying, but the corollary is that you're dealing with a reasonably sophisticated attacker who is methodical and actually does recon and puts some thought into it. Unless they are specifically looking for free storage space or zombies, they probably won't target you as an individual network. Worms, and increasing numbers of script kiddie attacks, simply do a brute force attack. They try whatever exploit they have against EVERYTHING on an IP range. If you are vulnerable, then you are cracked. Simple as that, no ICMP required.
So anyway, I appreciate the concern and the answers I have received... so far all is working great with the Snort RPMs. Thanks!
Excellent!

Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|      jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|      http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days because it would crash. Now you have to reboot Windows 200x or XP every couple of days because of a patch. How is that better or more stable?
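To make JP's point concrete from the defender's side, here is an added example (not part of the thread, and not Snort's or JP's code) that runs over constructed iptables LOG lines and flags sources that touch several internal hosts over TCP/UDP without ever sending an ICMP echo first; the log lines, addresses and the `find_sweeps` function are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed netfilter LOG lines (syslog format from an iptables LOG target).
# One source sweeps TCP/135 across several hosts and never sends ICMP;
# another only pings; a third makes a single TCP connection attempt.
SAMPLE_LOG = """\
Feb 11 13:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3412 DPT=135 SYN
Feb 11 13:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=3413 DPT=135 SYN
Feb 11 13:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=3414 DPT=135 SYN
Feb 11 13:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP SPT=3415 DPT=135 SYN
Feb 11 13:01:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Feb 11 13:01:20 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
"""

# SPT/DPT are only present for TCP/UDP, so that part of the pattern is optional.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)


def parse(log_text):
    """Yield (src, dst, proto, dpt) from netfilter LOG lines; dpt is None for ICMP."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], m["dpt"]


def find_sweeps(log_text, min_hosts=3):
    """Return {src: {"hosts": n, "ports": [...], "icmp": bool}} for every source
    that touched at least min_hosts distinct destinations over TCP or UDP.
    The "icmp" flag records whether that source ever pinged at all, which is
    the point of the thread: a sweep needs no ICMP to find and hit targets."""
    seen = defaultdict(lambda: {"hosts": set(), "ports": set(), "icmp": False})
    for src, dst, proto, dpt in parse(log_text):
        entry = seen[src]
        if proto == "ICMP":
            entry["icmp"] = True
        elif proto in ("TCP", "UDP"):
            entry["hosts"].add(dst)
            entry["ports"].add(f"{proto}/{dpt}")
    return {
        src: {"hosts": len(e["hosts"]), "ports": sorted(e["ports"]), "icmp": e["icmp"]}
        for src, e in seen.items()
        if len(e["hosts"]) >= min_hosts
    }


if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {info['hosts']} hosts on {info['ports']}, pinged first: {info['icmp']}")
```

On the sample data only 203.0.113.7 is reported, with four hosts and no ICMP, while the host that only pinged never appears; a gateway that drops echo requests but logs denied TCP/UDP still sees this traffic.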