[Snort-users] VDQ: Snort basic
mkettler at ...4108...
Mon Aug 5 10:50:10 EDT 2002
Snort isn't really a "defense" per se, it's more of an intrusion attempt
detection/logging tool that you can use to give you a "heads up" to various
pokes and prods at your network. In the event of an actual network
intrusion snort can provide valuable forensics that alert you to the
problem, and give you a general idea of what machine was attacked (provided
the snort box itself is not compromised).
For "defense", as in network traffic blocking, linux comes with an
in-kernel firewall. The tool you use to configure it is called iptables, or
ipchains in the case of older 2.2.x series kernels. Using this tool you can
create general rules to filter inbound and outbound traffic, such as
blocking all inbound icmp echo requests to broadcasts, etc.
Of course, an even more important aspect of defense is not to be running
services that will need firewalling in the first place, so unless you need
them, make sure you aren't running sendmail as a daemon, shut down bind,
portmapper, nfsd, ypbind, remote access linuxconf, lpd, and all that other
miscellaneous publicly accessible service garbage that redhat tends to turn
on by default unless you specify a high security install. Then use iptables
to have the linux box defend the machines running behind it.
You might want to read the LDP's quickstart howto on securing redhat boxes:
Section 5.2 covers iptables.
At 12:05 PM 8/5/2002 -0400, Beartooth wrote:
> All I know about it is what I've read on novalug in the
> last couple of days. I ran ZoneAlarm under W98 on my other hard
> drive long enough before getting linux to know that merely being an
> inconspicuous user on a home machine doesn't protect from sundry
> intrusion attempts that I don't begin to understand; so now I ought
> to have some sort of defense, but don't know what I can hope to
> handle, or even find straight up about. Is Snort such a thing, or
> am I out of my league as usual?
> Beartooth the Stubborn <karhunhammas (at) lserv.com>, double retiree,
> linux hatchling w/ RH 7.2; ssh'd (DSL) to pine 4.43 on ISP's SunOS 5.8;
> Opera 6.02, Pan 0.11.2, Galeon 1.2.5, & Mozilla 1.0
> standard disclaimer : Keep in mind that I have no idea what I am talking
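The two steps mkettler describes above (turn off the daemons Red Hat starts by default, then let iptables defend the box and the machines behind it) as an added shell example; this is not code from the post. Interface names, the LAN subnet, the ssh-from-LAN rule and the init script names are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: build and load an iptables ruleset
# for a Red Hat box with a DSL link on $WAN that also routes for a small
# LAN on $LAN. Interface names, the LAN subnet and the service names are
# assumptions. Forwarding also needs net.ipv4.ip_forward=1.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
IPT=${IPT:-iptables}   # set IPT="echo iptables" to preview instead of loading
CHK=${CHK:-chkconfig}  # set CHK="echo chkconfig" to preview instead of changing

# One iptables argument list per line. The default policy drops inbound
# and forwarded traffic; later lines open only what is actually needed.
# (The kernel knob net.ipv4.icmp_echo_ignore_broadcasts=1 covers the
# broadcast-ping case as well; the rule below makes it explicit.)
firewall_rules() {
cat <<EOF
-F
-t nat -F
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $WAN -m limit --limit 10/min -j LOG --log-prefix FW-DROP:
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
-t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
EOF
}

# Feed every line to iptables; stop at the first rule it rejects.
apply_firewall() {
    firewall_rules | while read -r rule; do
        $IPT $rule || return 1
    done
}

# Red Hat enables these daemons by default; turn them off before relying
# on the firewall (init script names as shipped with RH 7.x, assumed).
disable_unneeded_services() {
    for svc in sendmail named portmap nfs ypbind lpd; do
        $CHK "$svc" off || return 1
    done
}
```

Anything dropped on the DSL side shows up in the kernel log with the FW-DROP: prefix, which is also a convenient cross-check against what Snort reports.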