Honeypots mailing list archives
Re: honeypot+ids?
From: Kostas K <acezerocool () yahoo com>
Date: 13 Aug 2003 13:58:05 -0000
In-Reply-To: <Pine.BSO.4.51.0308111504250.26862 () naughty monkey org>

Hello again,

How about doing that in Windows 2000 Pro? I don't think I can use my router as a computer; at least I do not know how. Do you know how to monitor my dialup modem with Snort? I use the snort -W command and nothing occurs. Soon I will have ISDN, where the modem connects on the serial port. Any suggestions please! Thanks in advance.
Quoted message:

From: Jose Nazario <jose () monkey org>
Date: Mon, 11 Aug 2003 15:05:02 -0400 (EDT)
Subject: Re: honeypot+ids?

On Mon, 11 Aug 2003, Patrick Dolan wrote:

> I find it easiest to set up the router/switch as a computer rather than just a piece of hardware. OpenBSD, for instance, has good capabilities for packet filtering. With this method, you can run the IDS on the router and have it listen to the internal interface. I've used OpenBSD in combination with Snort for this scenario and it works well.

Log all packets that come through and have Snort listen on pflog0, or use the pf option "dup-to" to duplicate packets to the sensor. Easy as pie.

___________________________
jose nazario, ph.d. jose () monkey org http://monkey.org/~jose/
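A pf.conf fragment showing the two approaches Jose describes (Snort reading pflog0, and dup-to copying packets to a separate sensor). This is an added example, not configuration from the thread; the interface names and the sensor address are assumed.

```pf
# /etc/pf.conf fragment (added example; interface names and addresses are assumed)
ext_if    = "ne3"            # assumed: interface facing the untrusted network
int_if    = "xl0"            # assumed: interface facing the honeypot segment
sensor_if = "xl1"            # assumed: dedicated interface toward the Snort sensor
sensor    = "192.168.200.2"  # assumed: address of the Snort sensor on $sensor_if

# Approach 1: log every packet crossing the external interface.
# Each logged packet is copied to pflog0, where Snort reads it with
#   ifconfig pflog0 up
#   snort -i pflog0 -c /etc/snort/snort.conf
# The rules are deliberately stateless: with "keep state" pf logs only the
# packet that creates the state, so Snort would miss the rest of each connection.
block log all
pass in  log on $ext_if all
pass out log on $ext_if all

# Approach 2: duplicate inbound packets to a separate sensor box with dup-to.
# The sensor receives a copy on $sensor_if; the original still travels on to the
# honeypot. pf applies the last matching rule, so this rule supersedes the plain
# "pass in log" above for inbound traffic and gives both a pflog0 record and a
# copy at the sensor. The sensor runs Snort on the interface connected to $sensor_if.
pass in log on $ext_if dup-to ($sensor_if $sensor) all
```

Reload with `pfctl -f /etc/pf.conf` and check that packets reach pflog0 with `tcpdump -n -e -ttt -i pflog0` before pointing Snort at it.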