[Snort-users] difference between the capability of snort and a dynamic firewall!??!?!!?

Matt Kettler mkettler at ...4108...
Wed Aug 14 07:31:03 EDT 2002


Firewalls are intended to block traffic, and log events.

Intrusion detection systems are intended to have an extensive database of 
intrusion signatures and log the attempts so you can use them to improve 
your firewall rules, and as forensic information when a successful 
intrusion occurs.

Intrusion detection systems are *NOT* intended to be a 
first-line-of-defense against network intrusion, merely analysis of them. A 
carefully planned out firewall ruleset is infinitely better than any dynamic 
ruleset that snort can wind up creating via tools like hogwash, but tools 
like hogwash make a great second-line for cases where the firewall fails to 
prevent an attack.

Picture a firewall as a lock, and snort as an alarm system. If the alarm 
goes off you can have it activate locks in the building, and call the 
police, but locking your door in the first place is a better idea. The 
alarm is there for when the lock fails and is not a first-line of defense.

At 06:31 AM 8/14/2002 -0700, funky wrote:

>Hi,
>
>What's the fundamental difference between Intrusion
>Detection Systems and a firewall!?!?!?
>
>- I know that we can log the attempts that match
>the rules with snort and later if you see an
>attack in the log, you can add some rules related to the
>firewall
>- we can look at the content (we can do that in
>dynamic (proxy) firewalls also!!)
>- We can make a dynamic rule match, what is it
>for?!?!? There aren't any dynamic rules in the standard
>ruleset!?!??! Is it a difference from a standard
>firewall?!?! If so, what!??!
>
>thanx
>
>funky
>Istanbul




