RE: New user question(s)

["Harper, Patrick" <patrick.harper () phns com>]

When you say snortd are you talking about the init script?
 
-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com] 
Sent: Wednesday, September 22, 2004 10:53 AM
To: Chris; 'Snort Users'
Subject: Re: [Snort-users] New user question(s)

At 09:29 PM 9/21/2004, Chris wrote:
> 1.  What is the difference in running snortd vice snort w/cl
parameters?

This I don't know.. I've never heard of snortd before.

> 2.  Reading the FAQ it states to start snort with snort -A full -c 
> snort.conf then in the next line it states:
>
> Note that the default output mode (-A full) of snort should not be used

> except in very controlled environments. It is the slowest way to run 
> snort and presents several hard to recover from problems with inode 
> creation on filesystems.
>
> So, if this causes problems, how then should snort be started?


snort -A full -c snort.conf is a good starting point, but the manual is
correct that you probably don't want to use this for long-term
production.

Eventually you'll want to shift to somethign faster. I use the
equivalent of snort -A fast -b, but much of mine is specfied in
snort.conf.

In production, most people use SQL logging, to feed something like ACID
or BASE, or barnyard..

Some, like me, still use text logs, but log packet captures as binary
pcap to maintain speed.





> 3.  I run no servers on my box.  I've set it up in the belief that if
would
> compliment my firewall.  If my firewall is working sufficiently in my
> opinion, then do I even need to run an IDS?

Does your firewall process the application layer, in detail, for attack 
patterns?

Will your firewall recognize packets containing backdoor "phone home" 
patterns? On outbound traffic?

Firewalls are *great* tools. However, they don't serve the same
functions 
as an IDS. An IDS helps you see anomalies in your traffic. It examines 
packets in-depth to find suspect patterns in the actual packet payload,
not 
just the headers.

The only firewall product I know of that comes close to an IDS is a 
netscreen with the deep-inspection feature. But even this is quite
limited 
by comparison to a true IDS.







-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users






Disclaimer:
This electronic message, including any attachments, is confidential and intended solely for use of the intended 
recipient(s). This message may contain information that is privileged or otherwise protected from disclosure by 
applicable law. Any unauthorized disclosure, dissemination, use or reproduction is strictly prohibited. If you have 
received this message in error, please delete it and notify the sender immediately. 





-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users