Security Basics mailing list archives
Re: Snort as Firewall (WinXP)
From: Tony Barry <tony () no-bull co nz>
Date: Tue, 31 Jan 2006 10:30:23 +1300
Good decision re Linux, and it's not so difficult now. I would suggest Fedora (I'm using Core 3) as it is an SELinux enabled distro and fairly bleeding edge. Really informative install guides are at http://fedoranews.org/mediawiki/index.php/Stanton_Finley and http://www.howtoforge.com/perfect_setup_fedora_core_3

It has software RAID. If you would like to use this it's very easy to set up during installation.

There is a vast amount of help available on line. http://www.linuxhomenetworking.com/#Linux%20Main is an excellent starting point.

Good luck

On Sun, 2006-01-29 at 16:45 +0530, Neil wrote:
> Yeah, well, in all my readings and largely from the mail on this list, I've come to the conclusion that Snort definitely won't give me iptable-functionality on a windows box. My solution is one I should've done a while ago: start using linux. Of course, that's much harder than it sounds, but we'll see how it turns out. Thanks to the list for all the help.
>
> Cheers,
> Neil
>
> On 1/26/2006 3:02 AM, coder wrote:
>> I should probably add that the only two ways I know of making snort into an IPS are either using snort-inline, which would require IPTables (and this is a windows question), or using "flex response" (not sure if this comes with the windows version of snort). The downfall of flex response is that it just sends an RST packet to break the connection (this however does not stop the attacker from re-connecting). Also, you would have to write your own rules such as:
>>
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2 root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase;resp:rst_snd;)
>>
>> (you can see the rst_snd at the end) but, as "shrek-m" and I (in my earlier email) said, snort cannot really be used as a firewall.
>>
>> Regards,
>> Davie
>>
>> ----- Original Message -----
>> From: <shrek-m () gmx de>
>> To: <security-basics () securityfocus com>
>> Sent: Tuesday, January 24, 2006 10:17 PM
>> Subject: Re: Snort as Firewall (WinXP)
>>
>>> Neil wrote:
>>>> From what I've read, a couple people have tried, but most people were of the opinion to use Snort as an IDS, and have a separate firewall.
>>>
>>> bingo.
>>>
>>>> If anyone has done it, do you recommend it? Why/why not? For those who are against using it as a firewall, again, why?
>>>
>>> "snort" iirc is a ids/ips and no firewall
>>> http://www.snort.org/
>>>
>>> eg.
>>> "iptables" iirc is a firewall and no ids/ips
>>> http://iptables.org/
>>>
>>> --
>>> shrek-m
--
Tony Barry
No Bull Services
PO Box 51528 Pakuranga Auckland
021 413642
09 5768552
http://www.NO-BULL.CO.NZ
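
Added example, not part of the original thread or of Snort itself: a small Python classifier that parses the rule coder quoted and reports whether a rule only detects, resets the session after the fact (flex response, `resp:`), or blocks inline. The inline variant is constructed and assumes snort_inline's `drop` action fed by an iptables queue; `classify` and `split_options` are hypothetical helper names.

```python
import re

# Rule quoted in the thread (flex response), plus a constructed inline variant
# that assumes snort_inline's "drop" action and an iptables queue feeding it.
FLEXRESP_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
    '(msg:"WEB-IIS CodeRed v2 root.exe access"; flags: A+; '
    'uricontent:"scripts/root.exe?"; nocase;resp:rst_snd;)'
)
INLINE_RULE = FLEXRESP_RULE.replace("alert", "drop", 1).replace("resp:rst_snd;", "")

RULE = re.compile(r'^\s*(\w+)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$', re.S)
INLINE_ACTIONS = {"drop", "reject", "sdrop"}  # actions added by snort_inline


def split_options(body):
    """Split a rule body on ';', ignoring ';' inside quotes or after a backslash."""
    opts, cur, quoted, escaped = [], "", False, False
    for ch in body:
        if ch == ";" and not quoted and not escaped:
            opts.append(cur.strip())
            cur = ""
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = (ch == "\\") and not escaped
        cur += ch
    return [o for o in opts + [cur.strip()] if o]


def classify(rule):
    """Report how a rule responds: detect-only, session-reset, or inline-block."""
    m = RULE.match(rule)
    if not m:
        raise ValueError("not a single-line Snort rule")
    action, opts = m.group(1).lower(), {}
    for opt in split_options(m.group(2)):
        key, _, val = opt.partition(":")
        opts.setdefault(key.strip().lower(), []).append(val.strip())
    resp = [r.strip() for v in opts.get("resp", []) for r in v.split(",")]
    if action in INLINE_ACTIONS:
        mode = "inline-block"      # matching packet is dropped before delivery
    elif resp:
        mode = "session-reset"     # RST/ICMP sent after the packet was seen
    else:
        mode = "detect-only"
    return {"action": action, "mode": mode, "resp": resp,
            "msg": opts.get("msg", [""])[0].strip('"')}


if __name__ == "__main__":
    for r in (FLEXRESP_RULE, INLINE_RULE):
        print(classify(r))
```

A rule reported as `session-reset` still lets the matching packet through and leaves the source free to reconnect, which is the limitation raised in the thread.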