[Snort-users] Snort and ipchains

Bob McDowell bmcdowell at ...7861...
Tue Jan 7 13:15:02 EST 2003


I, for one, am on the 'every little bit helps' list.  Any device may fail/be
exploited/be misconfigured.  Its all about layers.  If I'm going to have
snort alert, why not have it interfere also?  Obviously I plan on thinking
worst case and configure all devices accordingly (so they might last ten
seconds if there were no firewall at all), but for the price why not try and
leverage snort also?

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Matt
Kettler
Sent: Tuesday, January 07, 2003 12:09 PM
To: kb at ...7827...; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort and ipchains


I noticed this one went unanswered on the list.. so..

Snort is not intended to be a firewall, it is intended to be an intrusion
sensor.

There are several tools, such as hogwash, snort-inline, and snortsam that
are intended to allow snort alerts to dynamically re-configure your
IPchains/IPTables firewall.

Personally, I'm a strong proponent of the "have a properly laid out
firewall and properly patched servers in the first place. Don't rely on
your IDS to try to secure your network, use it for forensics and to
recognize what areas of your network are being probed the most frequently
and thus need the closest attention" type approach. I also like to keep my
snort box heavily isolated from other systems so I can trust the data on
it, even if the firewall or servers in the DMZ are breached. But others
like the idea of extending snort to auto-configure their firewalls.

The major drawbacks I see to integrating snort into your firewall are:
          -it may create a strong false sense of security, and encourage
not paying careful attention to firewall configuration.
          -your firewall is now only as secure as your snort box, and many
are not capable of securing a general purpose unix system well enough to
make it secure enough to use as a firewall component. Judge your abilities
carefully here and be paranoid about locking it down.


At 12:23 PM 1/3/2003 -0800, "Kevin Brown" wrote:
>so for most security, do i run ipchains/tables and snort?
>I want bad packets to be stopped before they comein the front door,
>does snort do that?
>kevin
>
>
>-------------------------------------------------------
>This sf.net email is sponsored by:ThinkGeek
>Welcome to geek heaven.
>http://thinkgeek.com/sf
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030107/035f644a/attachment.html>


More information about the Snort-users mailing list