[Snort-users] os x single user

Donna dm87 dm87 at ...5839...
Sat Nov 15 10:35:24 EST 2003


Is it appropriate, or desirable to run and learn Snort on my setup?

I am using snort (installed w HenWen) on a Macintosh running OS X, a 
single user machine and the only machine on my small home network 
that runs UNIX.  The OSX machine has one nic card connected to cable 
and a second connected to a hub.  All other machines are connected to 
the OS X machine by the hub.  The OSX machine acts as a router.  The 
router software is started up on a "need to" basis, which is seldom.

The OS X machine occasionally has Personal Web Sharing enabled, and I 
have Apache, MySQL and PHP installed for learning and testing 
purposes.  When I do this, port 80 and port 427 are opened.

Since installing HenWen and Snort I have not enabled Personal Web 
Sharing, so any alerts are in an environment where the default OS X 
firewall is fully enabled.

There are quite a few alerts listed in the logs, mostly ICMP PING 
Cyberkit 2.2 Windows, which is likely some sort of virus or trojan 
query, from what I can gather.

Today I have noticed quite a few "ATTACK-RESPONCES id check returned 
root" (port 80), which sounded rather ominous to a beginner.  My 
reading indicates that this could be a result of visiting certain web 
pages, particularly those dealing with security issues.  That would 
make sense, I have been dithering about trying to find a toe hold on 
understanding this stuff and perhaps one of the sites I visited 
triggered this alert.

thanks
Donna dm87
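
Added example, not part of the original post: a small triage script that sorts "id check returned root" alerts by traffic direction, which is the first thing to check when deciding whether the alert came from a web page being read or from a local service answering. The log lines are constructed in Snort's fast-alert layout, and the addresses in HOME_NETS (cable-side address and hub-side subnet) are assumptions using documentation ranges.

```python
import ipaddress
import re

# Snort "fast" alert: ts [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Assumption: this machine's cable-side address and the hub-side subnet.
HOME_NETS = [
    ipaddress.ip_network("198.51.100.7/32"),
    ipaddress.ip_network("192.168.2.0/24"),
]

def is_home(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NETS)

def triage(line):
    """Classify one alert line; None if it is not an 'id check' alert."""
    m = ALERT_RE.search(line)
    if not m or "id check returned root" not in m["msg"].lower():
        return None
    src_home, dst_home = is_home(m["src"]), is_home(m["dst"])
    if m["sport"] == "80" and not src_home and dst_home:
        # A remote web server's reply to a local browser carried the string:
        # consistent with reading a page that shows `id` output.
        return "inbound-web-content"
    if src_home and not dst_home:
        # A home host sent the string out: find out which service answered.
        return "outbound-from-home"
    return "other"

# Constructed sample alerts (not taken from the poster's logs).
_HEAD = ("[**] [1:498:4] ATTACK-RESPONSES id check returned root [**] "
         "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} ")
SAMPLE = [
    "11/15-09:58:02.114532  " + _HEAD + "203.0.113.10:80 -> 198.51.100.7:49231",
    "11/15-10:02:41.550120  " + _HEAD + "198.51.100.7:80 -> 203.0.113.77:3312",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry), "<-", entry.split("{TCP} ")[1])
```
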