Date: Tue, 13 Feb 2001 13:10:42 -0600 (CST)
From: Nick Rogness
To: "H. Wade Minter"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Getting more information from ipfw logs

On Tue, 13 Feb 2001, H. Wade Minter wrote:

> Does snort work well with ipfw? Maybe I'm thinking of it wrong, but
> wouldn't I have to let the traffic into the firewall so snort could deal
> with it?

Yes and no. Only let valid ports through for programs you are running, then let snort look at the valid packets for further inspection. See what I mean? Why waste time looking at traffic for invalid ports?

Run the firewall in front of snort, so the firewall removes useless crap, then let snort look at valid traffic, e.g. port 80 webserver stuff, and decide if it is a valid GET / or an invalid exploit attempt. This way you get the best of both worlds.

Nick Rogness - Keep on routing in a Free World...
"FreeBSD: The Power to Serve!"
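The two-stage setup described in the reply above, modelled as an added example that is not from the thread and not code from ipfw or snort: a port allow-list stage standing in for the firewall rules, followed by a content inspector that only ever sees the port-80 traffic surviving the first stage. The allow-list, the inspection patterns and the sample packets are all constructed for the demo.

```python
import re
from dataclasses import dataclass

# Ports a service actually listens on behind the firewall (constructed allow-list).
# In ipfw terms this is the role of rules like "ipfw add allow tcp from any to any 80 in setup"
# followed by a catch-all "ipfw add deny log ip from any to any".
ALLOWED_PORTS = {80}

@dataclass
class Packet:
    src: str
    dport: int
    payload: bytes

# Stage 1: the firewall. Keeps only traffic to allowed ports and records the rest,
# so the inspector never spends time on ports nothing listens on.
def firewall(packets, allowed=ALLOWED_PORTS):
    passed, dropped = [], []
    for p in packets:
        (passed if p.dport in allowed else dropped).append(p)
    return passed, dropped

# Stage 2: the inspector (the role snort plays in the thread). Judges whether a
# port-80 payload is a plain HTTP request or deserves an alert. Patterns are a
# constructed heuristic, not snort's rule language.
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) (/[^ \r\n]*) HTTP/1\.[01]\r\n")
SUSPICIOUS_PATH = re.compile(rb"(\.\./|%2e%2e|\x00)", re.IGNORECASE)

def inspect(packet):
    m = REQUEST_LINE.match(packet.payload)
    if not m:
        return "alert: not an HTTP request line"
    path = m.group(2)
    if len(path) > 1024:
        return "alert: oversized request path"
    if SUSPICIOUS_PATH.search(path):
        return "alert: suspicious path"
    return "ok"

# Whole pipeline: firewall first, inspector only on what got through.
def run_pipeline(packets):
    passed, dropped = firewall(packets)
    return {"dropped": len(dropped), "verdicts": [(p.src, inspect(p)) for p in passed]}

# Constructed sample traffic.
SAMPLE = [
    Packet("10.0.0.5", 80, b"GET / HTTP/1.0\r\nHost: www\r\n\r\n"),   # plain GET /
    Packet("10.0.0.6", 23, b"\xff\xfd\x18"),                          # no service on 23: dropped
    Packet("10.0.0.7", 80, b"GET /../../secret HTTP/1.0\r\n\r\n"),   # traversal-looking path
    Packet("10.0.0.8", 80, b"A" * 40),                                # not HTTP at all
]
```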