Snort mailing list archives

Re: a couple of questions


From: Giannakis Eleftherios <legian () otenet gr>
Date: Fri, 12 Dec 2003 10:01:20 +0200

Ok, it seems I haven't put my question properly...
I was wondering about how to secure TCP port 2525, which is open in the server (snort
agent+snortcenter+acid+mysqld+apache) and not through PCs running snort. So I can rephrase
my question about securing the "miniserv" which listens in TCP port 2525 and whether it
could be compiled with libwrap support so as to be "secured" from the hosts.allow file.
Thanks again for the answers and sorry for the incorrect placement of the questions.. :(

On Thu, Dec 11, 2003 at 11:47:24AM -0500, Matt Kettler wrote:
At 07:04 AM 12/11/2003, Giannakis Eleftherios wrote:
I would like to ask a couple of things:
first of all, I would like to know whether snort can work with TCP 
wrappers (compiled with libwrap) because I couldn't find this option in 
snort 2.0.5 compilation and secondly, how can we protect the TCP 2525 port 
on a snort center server?
Generally if anyone can write which ports should one protect to be safe 
enough in the open space-hmm Internet I mean :)


Tcp_wrappers is a tool to control access to ports in programs that accept 
connections... snort never opens sockets to accept connections in the first 
place. Thus, wrappers would be irrelevant to snort. It would be completely 
pointless to support libwrap in snort.. it's a sniffer.

In general snort operates by using libpcap to pick up packets. It does not 
use the IP stack, it does not bind sockets, it does not "listen" in the 
same manner that server daemons like webservers do.

Instead libpcap scrapes off a copy of every packet coming in from the 
ethernet driver and passes them to snort. This happens in parallel with the 
copy that is sent to the IP stack. Thus, this happens irrespective of local 
firewall rules, stack behaviors, and anything else that is "higher level" 
than the ethernet driver itself.



What's tcp/2525 for? This doesn't sound like anything snort related to me. 
AFAIK that's the port used by ms-vworlds...


-- 
-----------------------------------
' There's no place like 127.0.0.1 '
-----------------------------------
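
The distinction drawn in the quoted reply (a sniffer reading through libpcap binds no socket, while a daemon such as the service on TCP 2525 does) can be checked on the host by listing sockets in LISTEN state. This is an added example, not part of the original messages; it assumes Linux, IPv4 and a little-endian host, and the `/proc/net/tcp` sample and its ports other than 2525 are constructed for illustration.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:09DD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 1187 1
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1215 1
   3: 0A00000A:09DD 0A000014:C350 01 00000000:00000000 00:00000000 00000000     0        0 1302 1
"""

TCP_LISTEN = "0A"  # kernel state code for LISTEN


def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port); assumes a little-endian host and IPv4."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp_text):
    """Return (ip, port) for every row in LISTEN state, in file order."""
    result = []
    for line in proc_net_tcp_text.splitlines():
        fields = line.split()
        # Data rows start with an index such as '0:'; the header row does not.
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        if fields[3] == TCP_LISTEN:
            result.append(decode_endpoint(fields[1]))
    return result


def exposed_ports(proc_net_tcp_text):
    """Ports listening on a non-loopback address, i.e. reachable from the network."""
    return sorted({port for ip, port in listening_sockets(proc_net_tcp_text)
                   if not ip.startswith("127.")})


if __name__ == "__main__":
    # On a real Linux host, pass open("/proc/net/tcp").read() instead of the sample.
    for ip, port in listening_sockets(SAMPLE_PROC_NET_TCP):
        print(f"LISTEN {ip}:{port}")
    print("reachable from the network:", exposed_ports(SAMPLE_PROC_NET_TCP))
```

A process that only captures packets has no row in this table, so the ports returned by `exposed_ports` are the ones that need access control or firewalling.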

