[Snort-users] os x single user
dm87 at ...5839...
Sat Nov 15 10:35:24 EST 2003
Is it appropriate or desirable to run and learn Snort on my setup?
I am using Snort (installed with HenWen) on a Macintosh running OS X, a
single user machine and the only machine on my small home network
that runs UNIX. The OS X machine has one NIC connected to cable
and a second connected to a hub. All other machines are connected to
the OS X machine by the hub. The OS X machine acts as a router. The
router software is started up on a "need to" basis, which is seldom.
The OS X machine occasionally has Personal Web Sharing enabled, and I
have Apache, MySQL and PHP installed for learning and testing
purposes. When I do this, port 80 and port 427 are opened.
Since installing HenWen and Snort I have not enabled Personal Web
Sharing, so any alerts are in an environment where the default OS X
firewall is fully enabled.
There are quite a few alerts listed in the logs, mostly ICMP PING
Cyberkit 2.2 Windows, which is likely some sort of virus or trojan
query, from what I can gather.
Today I have noticed quite a few "ATTACK-RESPONCES id check returned
root" (port 80), which sounded rather ominous to a beginner. My
reading indicates that this could be a result of visiting certain web
pages, particularly those dealing with security issues. That would
make sense; I have been dithering about trying to find a toehold on
understanding this stuff and perhaps one of the sites I visited
triggered this alert.
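
Added example, not part of the original post: a small triage script that splits "id check returned root" alerts by traffic direction, separating a remote web server's page reaching a local browser from a local host sending that string outward. It assumes Snort's "fast" alert line format; the `HOME_NET` range, the addresses and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: addresses owned by the home network (LAN behind the OS X
# router); add the cable-side address of the router if Snort listens there.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

# Fast alert line: time [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def triage(line):
    """Return a verdict for an 'id check returned root' alert, else None."""
    m = ALERT_RE.search(line)
    # Match on the stable part of the message so rule-name spelling variants work.
    if not m or "id check returned root" not in m["msg"]:
        return None
    src_local = ipaddress.ip_address(m["src"]) in HOME_NET
    dst_local = ipaddress.ip_address(m["dst"]) in HOME_NET
    if src_local and not dst_local:
        # A local host sent the matching string outward: check that host.
        return "investigate"
    if not src_local and dst_local and m["sport"] == "80":
        # Reply from a remote web server to a local client, e.g. a page
        # that quotes the string while being read in a browser.
        return "likely-browsing"
    return "review"

def summarize(lines):
    """Count verdicts over a log, skipping unrelated alerts."""
    return Counter(v for v in map(triage, lines) if v)

# Constructed sample alerts (documentation address ranges, not real hosts).
SAMPLE = [
    "11/15-09:12:01.000001  [**] [1:498:3] ATTACK-RESPONSES id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.168.1.2:49152",
    "11/15-09:40:17.000002  [**] [1:498:3] ATTACK-RESPONSES id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.2:80 -> 198.51.100.7:3311",
    "11/15-09:41:00.000003  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 192.168.1.2",
]

if __name__ == "__main__":
    for verdict, count in summarize(SAMPLE).items():
        print(f"{verdict}: {count}")
```
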