Snort mailing list archives
RE: Snort and ipchains
From: "Bob McDowell" <bmcdowell () coxhealthplans com>
Date: Tue, 7 Jan 2003 15:17:15 -0600
I, for one, am on the 'every little bit helps' list. Any device may fail/be exploited/be misconfigured. It's all about layers. If I'm going to have snort alert, why not have it interfere also? Obviously I plan on thinking worst case and configure all devices accordingly (so they might last ten seconds if there were no firewall at all), but for the price why not try and leverage snort also?

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Matt Kettler
Sent: Tuesday, January 07, 2003 12:09 PM
To: kb () usedcomputersales net; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and ipchains

I noticed this one went unanswered on the list.. so..

Snort is not intended to be a firewall, it is intended to be an intrusion sensor. There are several tools, such as hogwash, snort-inline, and snortsam that are intended to allow snort alerts to dynamically re-configure your IPchains/IPTables firewall.

Personally, I'm a strong proponent of the "have a properly laid out firewall and properly patched servers in the first place. Don't rely on your IDS to try to secure your network, use it for forensics and to recognize what areas of your network are being probed the most frequently and thus need the closest attention" type approach. I also like to keep my snort box heavily isolated from other systems so I can trust the data on it, even if the firewall or servers in the DMZ are breached.

But others like the idea of extending snort to auto-configure their firewalls. The major drawbacks I see to integrating snort into your firewall are:

- it may create a strong false sense of security, and encourage not paying careful attention to firewall configuration.
- your firewall is now only as secure as your snort box, and many are not capable of securing a general purpose unix system well enough to make it secure enough to use as a firewall component. Judge your abilities carefully here and be paranoid about locking it down.

At 12:23 PM 1/3/2003 -0800, "Kevin Brown" wrote:
So for most security, do I run ipchains/tables and snort? I want bad packets to be stopped before they come in the front door, does snort do that?

kevin
Current thread:
- Snort and ipchains Kevin Brown (Jan 03)
- Re: Snort and ipchains Matt Kettler (Jan 07)
- <Possible follow-ups>
- RE: Snort and ipchains Bob McDowell (Jan 07)
- RE: Snort and ipchains Matt Kettler (Jan 08)
- RE: Snort and ipchains Bob McDowell (Jan 08)