Snort mailing list archives

Re: SNORT (Linux) / MySQL (Win32)


From: JP Vossen <vossenjp () netaxs com>
Date: Wed, 11 Feb 2004 13:09:09 -0500 (EST)

> From: "MVIBE" <mvibe () sublimegrooves com>
> To: "Snort Users List" <snort-users () lists sourceforge net>
> Subject: Re: [Snort-users] SNORT (Linux) / MySQL (Win32)
> Date: Tue, 10 Feb 2004 14:39:37 -0600

> Bottom line. I am learning Linux Security. I need to learn how to run things
> from Linux as much as possible.

This is a Good Thing, but ideally I would NOT choose my most basic security
device (i.e. gateway/firewall) as a platform on which to learn and experiment.
It is possible to make catastrophic mistakes on any OS and firewall platform,
but some are easier to screw up than others, PIX and IPTables come to mind...
If you have the luxury, learn on something non critical. :-)


> The firewall box is also acting as my DHCP/gateway so it's kind of
> pointless to run an IDS from a box that is not in between the rest of my
> network. My network is not a high risk network.

From a purist, paranoid security geek perspective the above makes me want to
cry.  From a practical, real world perspective, yeah sometimes stuff has to
work that way.  Sigh.


> If someone hacked me they would benefit nothing.

That is NOT true!  First, even if you don't think you have anything valuable
stored on your network, you're probably wrong (even home networks have Quicken
or TurboTax or something).  But that doesn't even matter.  Things that an
attacker can gain from ANY compromised network are (simplistic view):

* Resources:
 - Free storage space for warez or porn (especially, unfortunately, kiddy
porn)
 - Zombies--"remote control" hosts that can do any number of bad things
* A jump off point to attack other people.  Similar to zombies, but with less
remote control.  I.e. telnet or ssh into the cracked box, then start attacking
from there. For an extreme example, how about they start hacking at
whitehouse.gov and the Secret Service shows up at your door one day?


> Needless to say it's hard to hack someone when ICMP pings are dropped via
> iptables.

Whatever makes you say this?  That's totally false.  First, as Fred McFeeter
pointed out, there are other ways to "ping" devices using TCP or UDP. Second,
very few vulnerabilities are directly related to ICMP.  That's used mostly to
find devices to attack, which I think you were implying, but the corollary is
that you're dealing with a reasonably sophisticated attacker who is methodical
and actually does recon and puts some thought into it.  Unless they are
specifically looking for free storage space or zombies, they probably won't
target you as an individual network.

Worms, and increasing numbers of script kiddie attacks simply do a brute force
attack.  They try whatever exploit they have against EVERYTHING on an IP
range.  If you are vulnerable, then you are cracked.  Simple as that, no ICMP
required.


> So anyway, I appreciate the concern and the answers I have received... so
> far all is working great with the Snort RPMs. Thanks!

Excellent!

Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?
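A worked illustration of the point made above about "pinging" without ICMP. This is an added example, not code from the thread or from the Snort project: it performs TCP-connect probes the way a simple scanner or worm does, and classifies the answer. A SYN/ACK (open) and an RST (closed, "connection refused") both prove that a live TCP/IP stack is at the address, so a firewall that only drops ICMP echo does not hide the host; only a silently dropped SYN (timeout) leaves the scanner none the wiser. The port list, the timeout and the loopback listener used for the offline demonstration are assumptions chosen for this example.

```python
"""TCP "ping": host discovery that does not rely on ICMP echo.

Added example, not code from the mailing-list thread. Each probe is a plain
connect() to one port with a short timeout; the result is classified as:

  open         connect() succeeded (SYN/ACK)      -> host is up
  closed       connection refused (RST)           -> host is up, port closed
  filtered     nothing came back before timeout   -> dropped; nothing learned
  unreachable  the local stack could not route    -> no conclusion either way

Both "open" and "closed" reveal a live host, ICMP or no ICMP.
"""
import errno
import socket
from ipaddress import ip_network
from typing import Dict, Iterable, Tuple

# Ports a scanner would typically try first (assumption for this example).
DEFAULT_PORTS: Tuple[int, ...] = (22, 80, 443)

# errno values that mean the probe never left our side of the network.
_NO_ROUTE = {
    errno.ENETUNREACH,
    errno.EHOSTUNREACH,
    getattr(errno, "EHOSTDOWN", None),
}


def tcp_probe(host: str, port: int, timeout: float = 0.5) -> str:
    """Return 'open', 'closed', 'filtered' or 'unreachable' for host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            # An RST came back: a live TCP/IP stack answered us.
            return "closed"
        except socket.timeout:
            # SYN silently dropped (firewall) or nobody home: indistinguishable.
            return "filtered"
        except OSError as exc:
            if exc.errno in _NO_ROUTE:
                return "unreachable"
            raise


def host_is_up(host: str, ports: Iterable[int] = DEFAULT_PORTS,
               timeout: float = 0.5) -> bool:
    """True as soon as any probed port answers with SYN/ACK or RST."""
    return any(tcp_probe(host, p, timeout) in ("open", "closed") for p in ports)


def sweep(cidr: str, ports: Iterable[int] = DEFAULT_PORTS,
          timeout: float = 0.5) -> Dict[str, bool]:
    """Brute-force the way a worm does: try every address in the range."""
    ports = tuple(ports)
    return {str(ip): host_is_up(str(ip), ports, timeout)
            for ip in ip_network(cidr, strict=False).hosts()}


def demo_local() -> Tuple[str, str]:
    """Offline demonstration against a constructed listener on loopback.

    Returns (result while the listener is up, result after it is closed).
    Expected: ('open', 'closed') -- and note that BOTH mean "host is alive".
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = tcp_probe("127.0.0.1", port)
    listener.close()                          # port now answers with RST
    after_close = tcp_probe("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print("loopback demo (listening, closed):", demo_local())
    # Real sweep of a small range; addresses here are an assumption.
    for addr, up in sweep("192.168.1.0/28").items():
        print(addr, "up" if up else "no answer")
```

The only way to come out of this sweep looking "down" is for every probed port to time out, which in iptables terms means a DROP rule for the TCP ports as well, not just for ICMP echo; a REJECT rule sends the RST that the classifier reads as "closed, host alive".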


