Snort mailing list archives
Re: IDS and Firewall
From: James Riden <j.riden () massey ac nz>
Date: Thu, 29 Apr 2004 11:19:14 +1200
"Shaffer, Paul D" <paul.d.shaffer () lmco com> writes:
> Everyone responding to this thread seems to be preaching to the choir with an amazing grasp of the obvious. But nobody bothered to ask the Kernel anything constituting a requirements definition - What is he trying to do? What is his environment? What equipment does he have available?
OP:
=>Is it recommended to run on it snort (on the same box)
=>or should I run it on another computer

No, it's not recommended, and yes the OP should run it on another computer. Obviously, if s/he can't it's not the end of the world, but s/he asked the question as if that was a possibility.
> Have you considered the possibility that dyed-in-the-wool dogma purveyed as gospel, may not be what he is looking for? Maybe he wants some advice or examples of how a multi-purpose security device might be cobbled together and properly locked down with Linux?
If you don't like the answer you shouldn't have asked the question :)

Seriously, I wouldn't run snort on a home firewall even. If you've got a box you're protecting with the firewall, it's far better to put snort on that. Have the fw as your prevention, and snort as your detection.

Apart from security issues, a fw is a single point of failure for most of us, so is best left to do just firewalling. Running snort will typically need a lot more oomph than just running iptables, so it's possible his firewall box isn't up to spec in that regard.

Plus, I don't care about the vast number of attacks and scans which will be visible on the firewall but will be stopped by it. I only care about packets which get inside the network.

cheers,
Jamie
--
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/