[Snort-users] a couple of questions
legian at ...10737...
Fri Dec 12 00:02:01 EST 2003
Ok, it seems I haven't put my question properly...
I was wondering about how to secure TCP port 2525 which is open in the server (snort agent+snortcenter+acid+mysqld+apache) and not through PCs running snort. So I can rephrase my question about securing the "miniserv" which listens in TCP port 2525 and whether it could be compiled with libwrap support so as to be "secured" from the hosts.allow file.
Thanks again for the answers and sorry for the incorrect placement of the questions.. :(
On Thu, Dec 11, 2003 at 11:47:24AM -0500, Matt Kettler wrote:
> At 07:04 AM 12/11/2003, Giannakis Eleftherios wrote:
> >I would like to ask a couple of things:
> >first of all, I would like to know whether snort can work with TCP
> >wrappers (compiled with libwrap) because I couldn't find this option in
> >snort 2.0.5 compilation and secondly, how can we protect the TCP 2525 port
> >on a snort center server?
> >Generally if anyone can write which ports should one protect to be safe
> >enough in the open space-hmm Internet I mean :)
> Tcp_wrappers is a tool to control access to ports in programs that accept
> connections... snort never opens sockets to accept connections in the first
> place. Thus, wrappers would be irrelevant to snort. It would be completely
> pointless to support libwrap in snort.. it's a sniffer.
> In general snort operates by using libpcap to pick up packets. It does not
> use the IP stack, it does not bind sockets, it does not "listen" in the
> same manner that server daemons like webservers do.
> Instead libpcap scrapes off a copy of every packet coming in from the
> ethernet driver and passes them to snort. This happens in parallel with the
> copy that is sent to the IP stack. Thus, this happens irrespective of local
> firewall rules, stack behaviors, and anything else that is "higher level"
> than the ethernet driver itself.
> What's tcp/2525 for? This doesn't sound like anything snort related to me.
> AFAIK that's the port used by ms-vworlds...
' There's no place like 127.0.0.1 '
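Added example, not part of the original thread: a short Python script that separates the two kinds of socket discussed above, listening TCP sockets (which tcp_wrappers or a firewall can restrict) and packet-capture sockets (which accept no connections). It assumes a Linux, little-endian host and parses the `/proc/net/tcp` and `/proc/net/packet` layouts; the sample tables, ports and inode numbers are constructed for illustration.

```python
import socket
import struct

# Constructed samples in /proc/net/tcp and /proc/net/packet layout (not real data).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:09DD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 11002 1
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11003 1
   3: 0A00000A:0050 0B00000A:C350 01 00000000:00000000 00:00000000 00000000    48        0 11004 1
"""
SAMPLE_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
c1a2b3c4 3      3    0003   2     1 0      0      11005
"""

def decode_addr(hexaddr):
    """Turn '0100007F:0CEA' into ('127.0.0.1', 3306)."""
    ip_hex, port_hex = hexaddr.split(":")
    # The kernel prints the address as a host-order word; little-endian assumed.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def tcp_listeners(text):
    """Return (bind_ip, port) for every socket in state 0A (LISTEN)."""
    rows = (line.split() for line in text.splitlines()[1:])
    return [decode_addr(f[1]) for f in rows if len(f) > 3 and f[3] == "0A"]

def exposed_ports(listeners):
    """Ports reachable from other hosts: anything not bound to loopback."""
    return sorted(port for ip, port in listeners if not ip.startswith("127."))

def sniffer_inodes(text):
    """Inodes of packet sockets capturing every protocol (ETH_P_ALL = 0x0003)."""
    rows = (line.split() for line in text.splitlines()[1:])
    return [int(f[8]) for f in rows if len(f) >= 9 and int(f[3], 16) == 0x0003]

if __name__ == "__main__":
    listeners = tcp_listeners(SAMPLE_TCP)
    for ip, port in listeners:
        print(f"LISTEN {ip}:{port}")
    print("needs access control:", exposed_ports(listeners))
    print("capture sockets (no port to wrap):", sniffer_inodes(SAMPLE_PACKET))
```

On a live host, pass the contents of `/proc/net/tcp` and `/proc/net/packet` to the same functions instead of the samples.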