Snort mailing list archives

Re: Snort and IPtables...


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 25 Mar 2003 20:57:51 -0500

Agreed with you on that point... If you have to do it.. might I suggest using the -u and -c options of snort.

Heck, even if you *aren't* using your snort box as a firewall, it's still a good idea to depriv and chroot, after all..

The snort box is in an ideal location for sniffing, thus is also in an ideal location for spoofing attacks and has a very good chance of succeeding in a connection hijacking attack (no need to guess ISN's when you can sniff them).

In general you should work _very_ hard to secure your snort boxes, as they are very dangerous in the hands of an attacker.... Having your snort box be able to reconfigure your firewall just makes the consequences more drastic, but they're already at a critical level.

At 12:45 AM 3/26/2003 +0100, Peter VE wrote:
which of course brings up a good point :
your iptables firewall suddenly becomes only as safe as your snort is (or
tcpdump, or any other app that uses libpcap stuff if you will)
so maybe it's not a good idea to combine a firewall & ids/sniffer on the
same box...
(just my $0,02)


