[Snort-users] multiple questions

Michael Steele michaels at ...9077...
Mon Sep 29 15:06:02 EDT 2003


Raymond,

Snort is an IDS (Intrusion Detection System), not an IPS (Intrusion
Prevention System). Snort is an IDS where a firewall is an IPS.

Snort in its native form is not capable of blocking.

A firewall is your first line of defense. Snort has never had anything that
was ever reliable enough to block traffic effectively and reliably.

Snort is the best IDS out there as far as I know, but it's a lousy IPS,
which it was never designed to be.

Cheers...

-Michael Steele
-- 
 System Engineer / Security Support Technician     
 mailto:michaels at ...9077...    
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org


-----Original Message-----
From: Raymond Norton [mailto:admin at ...10144...] 
Sent: Saturday, September 27, 2003 8:03 PM
To: Michael Steele
Cc: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] multiple questions

OK, point taken.


First question:


As a novice I am not clear if the new install I just did according to the
Red Hat docs has a way of blocking the traffic that I get alerts on. I use
quite a few IPCop boxes with Snort that block everything they log. This is
what I was hoping to accomplish when I did my new install. I see now that it
alerts, but does not stop the traffic. I read the FAQ, and see that there
are some other programs that build rules on the fly when an attack is
perceived. I am not sure if it is necessary to implement these programs, or
if there is something in Snort I can turn on to do this. I have read some
pros and cons on this, but feel in my current circumstance I would like to
block unwanted traffic.



----- Original Message ----- 
From: "Michael Steele" <michaels at ...9077...>
To: "'Raymond Norton'" <admin at ...10144...>; <Snort-users at lists.sourceforge.net>
Sent: Saturday, September 27, 2003 8:53 PM
Subject: RE: [Snort-users] multiple questions


> Raymond,
>
> I don't have any policy-setting authority and I'm just a mouse among the
> many, but this list is not designed to solicit off-site free help. There is
> only one person benefiting from the knowledge that you may get and the list
> is used for the many.
>
> Now if you are soliciting to hire a Security Consultant, well that is
> acceptable because you would be paying for the service. If you are looking for
> a Security Consultant then by all means leave me a private email and I will give
> you a number to call.
>
> A good idea would be to outline your questions and then start posting them
> in the order of importance. They need to be specific to Snort. Might not be
> a good idea to flood the list all at one time with a bunch of questions.
>
> Cheers...
>
> -Michael Steele
> -- 
>  System Engineer / Security Support Technician
>  mailto:michaels at ...9077...
>  Website: http://www.winsnort.com
>  Snort: Open Source Network IDS - http://www.snort.org
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Raymond Norton
> Sent: Friday, September 26, 2003 7:55 AM
> To: Snort-users at lists.sourceforge.net
> Subject: [Snort-users] multiple questions
>
> I have a number of questions about implementing Snort specific to my
> network. I would like to correspond via email with someone that feels
> comfortable with implementing Snort on a WAN.
>
> Some of my questions concern policy routing, blocking traffic vs. alerting,
> and rules specific to my network.
>
> If you can be of assistance please send me an email.
>
>
> Raymond Norton






