[Snort-users] combination of snort & ipchains

Jason Haar Jason.Haar at ...294...
Tue Jan 16 17:38:50 EST 2001


On Wed, Jan 17, 2001 at 12:13:07AM +0100, Gregor Binder wrote:
> An advantage with regards to the script that Jason is going to provide,
> is that you would be able to do a full capture of blocked attacks, scan
> the traffic for actual signatures, basically use all the snort features
> on it.

Absolutely - my script won't be able to pull attack signatures out of thin
air. Basically it will make a new bunch of "signatures" that are merely port
number/acl number matches.

The only "proper" way of doing what people want here is to put in another
Ethernet card connected to the same hub (or monitored switch) as the former,
put no IP address on it and run snort on that.


-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417



