[Snort-users] (no subject)

Don Dowling dowling_denis at ...125...
Sun Nov 25 18:32:02 EST 2001


Thanks Chris, I'll take a look at Swatch.

Denis
----- Original Message -----
From: "Chris Green" <cmg at ...671...>
To: "Don Dowling" <dowling_denis at ...125...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Friday, November 23, 2001 8:15 PM
Subject: Re: [Snort-users] (no subject)


> "Don Dowling" <dowling_denis at ...125...> writes:
> >
> > Hi
> >
> > I'm looking at snort as a solution to a problem I've been given.
> > Basically, we have a PCAnywhere machine on our corporate LAN. We want to
> > allow an external company to access this machine for software updates.
> > Obviously this is a security risk so we are looking at solutions that
> > will eliminate this risk. One is to configure a linux firewall with
> > scripts to disable all traffic (except PCAnywhere) using iptables when
> > PCAnywhere traffic is detected and to enable all other traffic when no
> > PCAnywhere traffic is detected.
>
> Why do you allow everything on machines without PCAnywhere?
>
> > I'm looking at snort as the means of detecting the traffic but my
> > question is can I configure snort to execute a script that will run
> > iptables to disable all other traffic?
>
> You should write a swatch script to perform the
> http://oit.ucsb.edu/~eta/swatch/ reconfiguration for the "detected
> traffic case".
>
> I think the correct solution though would be to have your admins VPN
> to a local machine and then use PC Anywhere to admin.
> --
> Chris Green <cmg at ...671...>
> Laugh and the world laughs with you, snore and you sleep alone.
>
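
Added example, not part of the original thread and not code from Snort or swatch: the log-watching approach suggested above, written in Python as a replay over Snort fast-format alert lines that decides when to lock the firewall down and when to release it. The rule message "PCAnywhere", the PCA_ONLY chain, the 5-minute idle window and the sample log are all assumptions; the iptables commands are only built, never executed.

```python
import re
from datetime import datetime, timedelta

# Snort "fast" alert line: timestamp  [**] [gid:sid:rev] message [**] ...
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]")

# Hypothetical chain PCA_ONLY, prepared in advance by the admin to accept only
# PCAnywhere traffic and drop the rest; the watcher just hooks or unhooks it.
COMMANDS = {
    "lockdown": ["iptables", "-I", "FORWARD", "1", "-j", "PCA_ONLY"],
    "release": ["iptables", "-D", "FORWARD", "-j", "PCA_ONLY"],
}

def parse_alert(line, year=2001):
    """Return (datetime, message) for a fast-alert line, or None."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return ts, m["msg"]

def plan_actions(lines, now, marker="PCAnywhere", idle=timedelta(minutes=5)):
    """Replay alert lines and return [(when, action)] transitions up to `now`."""
    actions, last_seen = [], None
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None or marker not in parsed[1]:
            continue  # malformed line or unrelated alert: never changes state
        ts = parsed[0]
        if last_seen is not None and ts - last_seen > idle:
            actions.append((last_seen + idle, "release"))  # session went quiet
            last_seen = None
        if last_seen is None:
            actions.append((ts, "lockdown"))  # first alert of a new session
        last_seen = ts
    if last_seen is not None and now - last_seen > idle:
        actions.append((last_seen + idle, "release"))
    return actions

# Constructed sample log (documentation addresses, made-up sids and messages).
SAMPLE = [
    "11/23-20:15:01.100000  [**] [1:1000001:1] PCAnywhere session [**] [Priority: 0] {TCP} 203.0.113.5:1045 -> 192.168.1.10:5631",
    "11/23-20:16:30.000000  [**] [1:1000002:1] Unrelated alert [**] [Priority: 0] {TCP} 203.0.113.9:2200 -> 192.168.1.10:80",
    "11/23-20:18:00.000000  [**] [1:1000001:1] PCAnywhere session [**] [Priority: 0] {TCP} 203.0.113.5:1045 -> 192.168.1.10:5631",
    "truncated or garbage line",
    "11/23-20:40:00.000000  [**] [1:1000001:1] PCAnywhere session [**] [Priority: 0] {TCP} 203.0.113.5:1052 -> 192.168.1.10:5631",
]
```

Each action name maps to its command through COMMANDS, so a caller can log the planned change or hand it to subprocess once the chain exists.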