Snort mailing list archives

Re: VDQ: Snort basic


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 05 Aug 2002 13:46:15 -0400

Snort isn't really a "defense" per se, it's more of an intrusion attempt detection/logging tool that you can use to give you a "heads up" to various pokes and prods at your network. In the event of an actual network intrusion snort can provide valuable forensics that alert you to the problem, and give you a general idea of what machine was attacked (provided the snort box itself is not compromised).

For "defense", as in network traffic blocking, linux comes with an in-kernel firewall. The tool you use to configure it is called iptables, or ipchains in the case of older 2.2.x series kernels. Using this tool you can create general rules to filter inbound and outbound traffic, such as blocking all inbound icmp echo requests to broadcasts, etc.

Of course, an even more important aspect of defense is not to be running services that will need firewalling in the first place, so unless you need them, make sure you aren't running sendmail as a daemon, shut down bind, portmapper, nfsd, ypbind, remote access linuxconf, lpd, and all that other miscellaneous publicly accessible service garbage that redhat tends to turn on by default unless you specify a high security install. Then use iptables to have the linux box defend the machines running behind it.


You might want to read the LDP's quickstart howto on securing redhat boxes:
http://www.tldp.org/HOWTO/Security-Quickstart-Redhat-HOWTO/index.html

Section 5.2 covers iptables.


At 12:05 PM 8/5/2002 -0400, Beartooth wrote:
        All I know about it is what I've read on novalug in the
last couple of days. I ran ZoneAlarm under W98 on my other hard
drive long enough before getting linux to know that merely being an
inconspicuous user on a home machine doesn't protect from sundry
intrusion attempts that I don't begin to understand; so now I ought
to have some sort of defense, but don't know what I can hope to
handle, or even find straight up about. Is Snort such a thing, or
am I out of my league as usual?
--
Beartooth the Stubborn <karhunhammas (at) lserv.com>, double retiree,
linux hatchling w/ RH 7.2; ssh'd (DSL) to pine 4.43 on ISP's SunOS 5.8;
Opera 6.02, Pan 0.11.2, Galeon 1.2.5, & Mozilla 1.0
standard disclaimer : Keep in mind that I have no idea what I am talking about.
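Added example, not part of the thread: a minimal iptables gateway policy in the spirit of the advice above (default DROP, broadcast pings dropped, LAN allowed out), plus a check for listeners belonging to the services the mail says to shut down. Interface names, the LAN prefix and the well-known port numbers are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names and the LAN prefix
# are assumptions; override them in the environment before applying.
WAN_IF="${WAN_IF:-eth0}"              # assumption: Internet-facing NIC
LAN_IF="${LAN_IF:-eth1}"              # assumption: NIC toward the home LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumption: private LAN prefix

# Print the ruleset instead of applying it, so it can be reviewed and
# tested without root. To apply on the gateway:  gw_rules | sudo sh
gw_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback and replies to flows we started are always allowed.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# The mail's own example: echo requests aimed at a broadcast address.
iptables -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -m addrtype --dst-type BROADCAST -j DROP
# LAN hosts may go out; nothing new comes in from the WAN.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
# Log what the default DROP is about to discard, so Snort is not the only record.
iptables -A INPUT -i $WAN_IF -j LOG --log-prefix "gw-drop: " --log-level 4
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Flag listeners for the services the mail says to turn off unless needed.
# Port numbers are the well-known assignments, not taken from the thread.
# Input: netstat -tuln style lines (proto, recv-q, send-q, local addr, ...).
flag_legacy_services() {
    awk '$1 ~ /^(tcp|udp)/ {
        p = $4; sub(/.*:/, "", p); p = p + 0
        if (p == 25)   print "sendmail (25) is listening"
        if (p == 53)   print "bind (53) is listening"
        if (p == 111)  print "portmapper (111) is listening"
        if (p == 515)  print "lpd (515) is listening"
        if (p == 2049) print "nfsd (2049) is listening"
    }'
}

# Constructed sample listener table (not real output) for a dry run.
SAMPLE_LISTENERS='tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:53 0.0.0.0:*
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN'
printf '%s\n' "$SAMPLE_LISTENERS" | flag_legacy_services
```

On a live box, feed `netstat -tuln | flag_legacy_services` (or the equivalent `ss -tuln` columns) and stop or firewall whatever it reports before trusting the ruleset.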


