IDS mailing list archives

RE: snort-inline inbound ruleset?


From: "Gonzalez, Albert" <albert.gonzalez () eds com>
Date: Mon, 3 Feb 2003 13:38:17 -0500

It all depends on you though. IMHO, I would either choose Hogwash or
SnortSam. I have tried both and had great results from them. You will just
have to play with them and choose which one you think fits your setup
better. 

Keep in mind that both of these use Snort as the 'detection' engine, but they
are geared towards the 'prevention' of attacks. Snort itself can also be
compiled with flexresp and gain the ability to send RST,
icmp_port_unreachable and others.

Hogwash does the dropping for you, while SnortSam can pass it off to
firewalls (it supports various ones). Snort-inline uses iptables.

I hope that helps in some faint way :-)

Cheers!
   Alberto Gonzalez

SnortSam - http://www.snortsam.net
Hogwash - http://hogwash.sourceforge.net

-----Original Message-----
From: John Flynn [mailto:johnflynn () fastmail fm]
Sent: Sunday, February 02, 2003 1:09 PM
To: focus-ids () securityfocus com
Subject: snort-inline inbound ruleset?


Hi all,

I'm fairly new to the IDS scene. I want to deploy some sort of open
source IPS. I've read most of the stuff from the honeynet project and
those guys are doing a great job with snort-inline. They have a great
default ruleset to filter outgoing traffic. I was wondering if
snort-inline is a recommended approach for an IPS at this point and if
so, does someone have a good default blocking ruleset for incoming
untrusted traffic they could point me to? I have been having a huge
problem with false positive rates with snort on my network and I'm
struggling to come up with an IPS solution that won't block legitimate
traffic. Would people recommend I use hogwash or something else instead
of snort-inline?
You folks are all doing a great thing here in this list...
John Flynn
