Snort question

jay jay at musubi.org
Wed May 16 03:01:09 PDT 2001


On Mon, 14 May 2001, Ben Beeson wrote:

> 1.  How difficult is it to get snort to coexist with other
> logging apps? By this I mean, I already run a firewall and a port monitoring
> program.  The port monitoring program may not be as good as snort at
> identifying the kind of attack, but it does catch the common ones and then add
> a firewall rule to block the offending source IP address when I get scanned.
> Would this cause a problem with snort as far as you can tell?

i don't have anything else running with snort (except ipmon that comes
with ipfilter), but i have friends that run it concurrently with apps
like portsentry so i don't see you having any problems doing what you
described.

> 2.  Can you use snort to drive your firewall automatically?

http://www.snort.org/FAQ.html#q57

> 3.  Does snort automatically produce log analysis, or do you
> need another tool to do this with?  I'm not very good at log analysis other
> than very obvious things such as: "ATTACK ALERT"  or "DENY" etc.  Even after
> using linux on the net for upwards of 3 years now,  I tend to trust my firewall
> a little more than I should because I do not know all the intricate details of
> TCP/IP packets and how they are doctored during attacks.  I'm still learning,
> but I feel blissfully ignorant sometimes...

the cool thing about snort is that with each attack heuristic detected, an
ID is given that you can look up in the arachNIDS database which is being
constantly updated with new signatures.

http://whitehats.com/ids/index.html

if you have the time, no girlfriend, and maybe your cable is broken you
might want to pick up stephen northcutt's book "network intrusion
detection, an analyst's handbook."  the book has detailed examinations of
remote exploit signatures and scans... very informative.  a second edition
was released recently that's almost twice as thick.  i've tried to get
through the whole thing a few times, but usually wake up a few hours
later with drool on the book.

> I apologize if these questions are a little detailed, but I am seriously
> considering installing it, and I thought a little learning up front may help me
> get better mileage.

no problem. glad to help.

=jay

------
"I did nothing, absolutely nothing.  And
 it was everything I thought it could be."
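The third question above asks what to do with snort's alert output, and the reply points at the arachNIDS IDs that snort emits as Xref lines. Below is an added example, not from this thread or from the snort project, of the small amount of parsing that turns a full-format alert file into the numbers an analyst looks at first: alerts per source address, alerts per signature, the arachNIDS IDs to look up on whitehats.com, and the signatures that carry no reference at all. The alert text is constructed sample input following the classic snort full-alert layout; the addresses are RFC 5737 documentation ranges, and the second record's sid (1000001) and message are a hypothetical local rule included to show the no-Xref case.

```python
import re
from collections import Counter

# Constructed sample of snort "full" alert-file output, not captured from a
# real sensor. Records 1 and 3 carry the arachNIDS reference (IDS162) that the
# stock "ICMP PING NMAP" rule (sid 469) emits; record 2 is a hypothetical local
# rule (sid in the 1000000+ local range) with no reference at all, which is the
# edge case a lookup script has to tolerate.
SAMPLE_ALERTS = """\
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/16-03:01:09.123456 192.0.2.10 -> 198.51.100.5
ICMP TTL:49 TOS:0x0 ID:1234 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [1:1000001:1] LOCAL suspicious connect to admin port [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/16-03:02:11.654321 192.0.2.10:4321 -> 198.51.100.5:8080
TCP TTL:112 TOS:0x0 ID:5678 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x4000  TcpLen: 28

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/16-03:05:42.000001 203.0.113.7 -> 198.51.100.5
ICMP TTL:51 TOS:0x0 ID:4321 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]
"""

# [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
# timestamp src[:port] -> dst[:port]; ports are present only for TCP/UDP
ADDR_RE = re.compile(
    r"^(\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) "
    r"(\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)(?::\d+)?",
    re.MULTILINE,
)
XREF_RE = re.compile(r"\[Xref => (\S+)\]")
ARACHNIDS_RE = re.compile(r"whitehats\.com/info/IDS(\d+)$")


def arachnids_id(xref):
    """Return the numeric arachNIDS ID from a whitehats Xref URL, else None."""
    m = ARACHNIDS_RE.search(xref)
    return int(m.group(1)) if m else None


def parse_alerts(text):
    """Split a snort full-format alert file into one dict per record.

    Records are separated by blank lines; a block without the [**] header or
    the address line is skipped rather than aborting the whole run.
    """
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head = HEADER_RE.search(block)
        addr = ADDR_RE.search(block)
        if not head or not addr:
            continue
        pri = PRIORITY_RE.search(block)
        xrefs = XREF_RE.findall(block)
        alerts.append({
            "gid": int(head.group(1)),
            "sid": int(head.group(2)),
            "rev": int(head.group(3)),
            "msg": head.group(4),
            "priority": int(pri.group(1)) if pri else None,
            "timestamp": addr.group(1),
            "src": addr.group(2),
            "dst": addr.group(3),
            "xrefs": xrefs,
            "arachnids": [i for i in map(arachnids_id, xrefs) if i is not None],
        })
    return alerts


def summarize(alerts):
    """Aggregate parsed alerts: counts per source, counts per signature, the
    arachNIDS IDs worth looking up, and the sids that carry no reference."""
    by_src = Counter(a["src"] for a in alerts)
    by_sig = Counter((a["sid"], a["msg"]) for a in alerts)
    ids = sorted({i for a in alerts for i in a["arachnids"]})
    unreferenced = sorted({a["sid"] for a in alerts if not a["xrefs"]})
    return {
        "by_src": dict(by_src),
        "by_sig": dict(by_sig),
        "arachnids_ids": ids,
        "unreferenced_sids": unreferenced,
    }


if __name__ == "__main__":
    s = summarize(parse_alerts(SAMPLE_ALERTS))
    for src, n in sorted(s["by_src"].items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} alert(s) from {src}")
    for sid, msg in s["by_sig"]:
        print(f"sid {sid}: {msg} x{s['by_sig'][(sid, msg)]}")
    for i in s["arachnids_ids"]:
        print(f"look up: http://www.whitehats.com/info/IDS{i}")
    for sid in s["unreferenced_sids"]:
        print(f"sid {sid} has no reference; document it locally")
```

Point `parse_alerts` at the contents of snort's alert file instead of `SAMPLE_ALERTS` and the per-source counts give you the same "who is scanning me" view the port monitor in the first question provides, while the arachNIDS list is exactly what to read on whitehats.com before deciding whether a signature matters on your network. Signatures with no Xref at all are worth flagging, since there is nothing to look up for them and the rule's own comment is all the documentation you have.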