[Snort-users] options for consideration
allan at ...8825...
Wed Apr 23 07:53:48 EDT 2003
Here are my two cents:
I am using RH 7.3 with Netfilter Bridge Patch. I have three nics in my box.
ETH0 and ETH1 are a logical bridge, and that is what I have Snort monitoring
I have IPTABLES running and filtering all packets in and out of my subnet
through the bridge interface. ETH2 is on my clean side of the firewall for
monitoring ACID and so on. Most will think it is overkill, but set up a
second snort box after your firewall. As intrusions come in and SNORT1
alerts, see if SNORT2 shows the intrusions. If not, you know that your
firewall is filtering and Snort is doing its job, which it is very good at.
Once again my two cents,
And this is scenario is only as good as your rules and filters set up.
<mailto:allan at ...8977...>
This e-mail communication (including any or all attachments) is intended
only for the use of the person or entity to which it is addressed and may
contain confidential and/or privileged material. If you are not the intended
recipient of this e-mail, any use, review, retransmission, distribution,
dissemination, copying, printing, or other use of, or taking of any action
in reliance upon this e-mail, is strictly prohibited. If you have received
this e-mail in error, please contact the sender and delete the original and
any copy of this e-mail and any printout thereof, immediately. Your
co-operation is appreciated.
----- Original Message -----
From: "L. Christopher Luther" <CLuther at ...6333...>
To: "'Slighter, Tim'" <tslighter at ...5174...>
Cc: "Snort-Users (E-mail)" <snort-users at lists.sourceforge.net>
Sent: Tuesday, April 22, 2003 4:28 PM
Subject: RE: [Snort-users] options for consideration
> Other than the various "attack response" rules that Snort already uses, I
> don't really think that an additional feature is feasible/possible. How
> would Snort know that an attack succeeded?
> Snort only monitors the actual traffic on a wire, not processes on any
> particular network node. The best it could do would be to see some type
> response from the compromised network device. Hence the "attack response"
> My two cents...
> - Christopher
> -----Original Message-----
> From: Slighter, Tim [mailto:tslighter at ...5174...]
> Sent: Tuesday, April 22, 2003 3:49 PM
> To: Snort-Users (E-mail)
> Subject: [Snort-users] options for consideration
> What are the possibilities of implementing an additional feature into
> that would inform the user if an attack was successful or not?
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users