[Snort-users] VDQ: Snort basic

Matt Kettler mkettler at ...4108...
Mon Aug 5 10:50:10 EDT 2002


Snort isn't really a "defense" per se, it's more of a intrusion attempt 
detection/logging tool that you can use to give you a "heads up" to various 
pokes and prods at your network. In the event of an actual network 
intrusion snort can provide valuable forensics that alert you to the 
problem, and give you a general idea of what machine was attacked (provided 
the snort box itself is not comprimized).

For "defense", as in network traffic blocking, linux comes with an 
in-kernel firewall. The tool you use to configure it is called iptables, or 
ipchains in the case of older 2.2.x series kernels. Using this tool you can 
create general rules to filter inbound and outbound traffic, such as 
blocking all inbound icmp echo requests to broadcasts, etc.

Of course, an even more important aspect of defense is not to be running 
services that will need firewalling in the first place, so unless you need 
them, make sure you aren't running sendmail as a daemon, shut down bind, 
portmapper, nfsd, ypbind, remote access linuxconf, lpd, and all that other 
miscellaneous publicly accessible service garbage that redhat tends to turn 
on by default unless you specify a high security install. Then use iptables 
to have the linux box defend the machines running behind it.


You might want to read the LDP's quickstart howto on securing redhat boxes:
http://www.tldp.org/HOWTO/Security-Quickstart-Redhat-HOWTO/index.html

Section 5.2 covers iptables.


At 12:05 PM 8/5/2002 -0400, Beartooth wrote:
>         All I know about it is what I've read on novalug in the
>last couple of days. I ran ZoneAlarm under W98 on my other hard
>drive long enough before getting linux to know that merely being an
>inconspicuous user on a home machine doesn't protect from sundry
>intrusion attempts that I don't begin to understand; so now I ought
>to have some sort of defense, but don't know what I can hope to
>handle, or even find straight up about. Is Snort such a thing, or
>am I out of my league as usual?
>--
>Beartooth the Stubborn <karhunhammas (at) lserv.com>, double retiree,
>linux hatchling w/ RH 7.2; ssh'd (DSL) to pine 4.43 on ISP's SunOS 5.8;
>Opera 6.02, Pan 0.11.2, Galeon 1.2.5, & Mozilla 1.0
>standard disclaimer : Keep in mind that I have no idea what I am talking 
>about.





More information about the Snort-users mailing list