[Snort-users] Snort and ipchains

Matt Kettler mkettler at ...4108...
Tue Jan 7 10:06:56 EST 2003

I noticed this one went unanswered on the list.. so..

Snort is not intended to be a firewall, it is intended to be an intrusion 

There are several tools, such as hogwash, snort-inline, and snortsam that 
are intended to allow snort alerts to dynamically re-configure your 
IPchains/IPTables firewall.

Personally, I'm a strong proponent of the "have a properly laid out 
firewall and properly patched servers in the first place. Don't rely on 
your IDS to try to secure your network, use it for forensics and to 
recognize what areas of your network are being probed the most frequently 
and thus need the closest attention" type approach. I also like to keep my 
snort box heavily isolated from other systems so I can trust the data on 
it, even if the firewall or servers in the DMZ are breached. But others 
like the idea of extending snort to auto-configure their firewalls.

The major drawbacks I see to integrating snort into your firewall are:
          -it may create a strong false sense of security, and encourage 
not paying careful attention to firewall configuration.
          -your firewall is now only as secure as your snort box, and many 
are not capable of securing a general purpose unix system well enough to 
make it secure enough to use as a firewall component. Judge your abilities 
carefully here and be paranoid about locking it down.

At 12:23 PM 1/3/2003 -0800, "Kevin Brown" wrote:
>so for most security, do i run ipchains/tables and snort?
>I want bad packets to be stopped before they comein the front door,
>does snort do that?
>This sf.net email is sponsored by:ThinkGeek
>Welcome to geek heaven.
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

More information about the Snort-users mailing list