[Snort-users] newbie questions

Martin Roesch roesch at ...421...
Fri Apr 6 23:48:26 EDT 2001


Fiona Whelan wrote:
> 
> Hello list,
> 
> I tried posting this earlier without much luck.
> I am new to snort and have a couple of questions:
> 
> 1. I used to use Portsentry as my Intrusion Detection System. Then I
> was told how amaturish portsentry was and that I should switch to
> snort. My question is: how do I get snort to do the same as
> portsentry did.. ie watch ports, and if suspected attack on port,
> block the offending IP address?

Snort doesn't really do "port blocking", you'd have to properly
configure a simple firewall on the box (ipfilter/iptables) to secure it
from casual attackers.  Read the snort.conf file for information on
turning on portscan detection in Snort, check out the "portscan"
preprocessor.

> 2. Does the above mean that I would have to leave eth0 in promiscuous
> mode? My linux box is on a LAN with lots of different users and no
> one would like to think that one of the boxes was in promisc mode
> because they might think that that person was trying to sniff their
> passwords, etc... particulary if they were hacked.

You aren't personally going to be looking at all the traffic, just the
traffic that Snort collects and presents to you for further
examination.  You can use the command line filtering language so that
you only look at traffic headed for your machine, for example "host
<my-ip>" where <my-ip> is the IP address of your machine.

    -Marty

> 
> Thanks for help with the above,
> 
>   _
>  |_
>  |  I O N A
> _____________________________________
> 
> Get your free E-mail at http://www.ireland.com
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list