Snort mailing list archives

Re: options for consideration


From: "Allan Dover" <allan () redwoods ca>
Date: Wed, 23 Apr 2003 09:14:28 -0400

Here are my two cents:

I am using RH 7.3 with the Netfilter bridge patch.  I have three NICs in my box.
ETH0 and ETH1 are a logical bridge, and that is what I have Snort monitoring.
I have iptables running and filtering all packets in and out of my subnet
through the bridge interface.  ETH2 is on my clean side of the firewall for
monitoring ACID and so on.  Most will think it is overkill, but set up a
second Snort box after your firewall.  As intrusions come in and SNORT1
alerts, see if SNORT2 shows the intrusions.  If not, you know that your
firewall is filtering and Snort is doing its job, which it is very good at.

Once again my two cents,

And this scenario is only as good as your rule and filter setup.

T.T.F.N !

Allan Dover
Systems Administrator
<mailto:allan () iiwishiv com>
<http://www.iiwishiv.com>

###################################################
This e-mail communication (including any or all attachments) is intended
only for the use of the person or entity to which it is addressed and may
contain confidential and/or privileged material. If you are not the intended
recipient of this e-mail, any use, review, retransmission, distribution,
dissemination, copying, printing, or other use of, or taking of any action
in reliance upon this e-mail, is strictly prohibited. If you have received
this e-mail in error, please contact the sender and delete the original and
any copy of this e-mail and any  printout thereof, immediately. Your
co-operation is appreciated.
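As an added illustration of the two-sensor check described above (and of the "attack response" rules mentioned in the quoted reply below), here is a small Python script that correlates alert_fast output from an outside sensor (SNORT1) and an inside sensor (SNORT2). It is not code from this thread or from the Snort project. Assumptions, also marked in comments: both sensors run the same ruleset, so the same signature carries the same sid on both; the alert lines, the local sids 1000001-1000003 and the host addresses are constructed for the example; and the year is assumed, since alert_fast timestamps omit it.

```python
import re
from datetime import datetime, timedelta

# Snort "alert_fast" single-line format (Snort 1.9/2.0 era).
# The [Classification: ...] field is optional, ports are absent for non-TCP/UDP.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

LOG_YEAR = 2003  # assumption: alert_fast timestamps carry no year; needed for window math

# Constructed sample alerts. sids 1000001-1000003 are made-up local rules;
# sid 498 is Snort's "ATTACK-RESPONSES id check returned root" rule.
OUTSIDE_ALERTS = """\
04/23-09:01:10.100000  [**] [1:1000001:1] LOCAL WEB root.exe request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:4021 -> 192.0.2.10:80
04/23-09:02:30.250000  [**] [1:1000002:1] LOCAL WEB cmd.exe request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:4055 -> 192.0.2.20:80
04/23-09:05:00.000000  [**] [1:1000003:1] LOCAL TFTP get [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 203.0.113.9:3300 -> 192.0.2.30:69
"""
INSIDE_ALERTS = """\
04/23-09:02:30.300000  [**] [1:1000002:1] LOCAL WEB cmd.exe request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:4055 -> 192.0.2.20:80
04/23-09:02:31.000000  [**] [1:498:6] ATTACK-RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.20:80 -> 203.0.113.7:4055
"""


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["ts"] = datetime.strptime(f"{LOG_YEAR}/{a['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        a["sid"] = int(a["sid"])
        alerts.append(a)
    return alerts


def saw_attack_response(attack, inside, window):
    """The only success evidence Snort can offer from the wire: an ATTACK-RESPONSES
    rule firing on the inside sensor, from the attacked host back to the attacker,
    shortly after the attack itself."""
    return any(
        r["msg"].startswith("ATTACK-RESPONSES")
        and r["src"] == attack["dst"] and r["dst"] == attack["src"]
        and timedelta(0) <= r["ts"] - attack["ts"] <= window
        for r in inside
    )


def correlate(outside, inside, window=timedelta(seconds=60)):
    """For every alert on the outside sensor, look for the same signature between the
    same hosts on the inside sensor. No inside match means the firewall dropped it
    (BLOCKED); a match means it got through (PASSED); a match followed by an
    attack-response alert in the reverse direction is flagged PASSED+RESPONSE."""
    results = []
    for o in outside:
        matched = [
            i for i in inside
            if i["sid"] == o["sid"] and i["src"] == o["src"] and i["dst"] == o["dst"]
            and abs(i["ts"] - o["ts"]) <= window
        ]
        status = "PASSED" if matched else "BLOCKED"
        if matched and saw_attack_response(o, inside, window):
            status = "PASSED+RESPONSE"
        results.append({"sid": o["sid"], "msg": o["msg"], "src": o["src"],
                        "dst": o["dst"], "status": status})
    return results


def report():
    """Run the correlation over the constructed sample logs."""
    return correlate(parse_alerts(OUTSIDE_ALERTS), parse_alerts(INSIDE_ALERTS))


if __name__ == "__main__":
    for r in report():
        print(f"{r['status']:16} sid={r['sid']} {r['src']} -> {r['dst']}  {r['msg']}")
```

Feed it the two sensors' alert files instead of the embedded strings and the output is the list of what the firewall let through. The matching key is deliberately signature plus both IPs rather than ports, since NAT or a second connection attempt can change ports; tighten it if both sensors see un-translated addresses. The PASSED+RESPONSE status is the strongest statement the wire can support, not proof of compromise, which is exactly the limit the quoted reply below describes.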


----- Original Message -----
From: "L. Christopher Luther" <CLuther () Xybernaut com>
To: "'Slighter, Tim'" <tslighter () itc nrcs usda gov>
Cc: "Snort-Users (E-mail)" <snort-users () lists sourceforge net>
Sent: Tuesday, April 22, 2003 4:28 PM
Subject: RE: [Snort-users] options for consideration


Other than the various "attack response" rules that Snort already uses, I
don't really think that an additional feature is feasible/possible.  How
would Snort know that an attack succeeded?

Snort only monitors the actual traffic on a wire, not processes on any
particular network node.  The best it could do would be to see some type of
response from the compromised network device.  Hence the "attack response"
rules.

My two cents...

- Christopher


-----Original Message-----
From: Slighter, Tim [mailto:tslighter () itc nrcs usda gov]
Sent: Tuesday, April 22, 2003 3:49 PM
To: Snort-Users (E-mail)
Subject: [Snort-users] options for consideration


What are the possibilities of implementing an additional feature into snort
that would inform the user if an attack was successful or not?


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


