Date: Tue, 13 Feb 2001 11:04:01 -0800 (PST)
From: Jon <cykyc@yahoo.com>
To: Nick Rogness <nick@rogness.net>, "H. Wade Minter" <minter@lunenburg.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Getting more information from ipfw logs
Message-ID: <20010213190401.12121.qmail@web4502.mail.yahoo.com>
In-Reply-To: <Pine.BSF.4.21.0102131303490.92630-100000@cody.jharris.com>
--- Nick Rogness <nick@rogness.net> wrote:
> On Tue, 13 Feb 2001, H. Wade Minter wrote:
>
> > Does snort work well with ipfw? Maybe I'm thinking of it wrong, but
> > wouldn't I have to let the traffic into the firewall so snort could deal
> > with it?
>
> Yes and no. Only let valid ports through for programs you are
> running, then let snort look at the valid packets for further
> inspection. See what I mean? Why waste time looking at traffic
> for invalid ports? Run the firewall in front of snort, so the
> firewall removes useless crap, then let snort look at valid
> traffic, e.g. port 80 webserver stuff, and decide if it is a valid
> GET / or an invalid exploit attempt.
>
> This way you get the best of both worlds.

Two concerns with that logic:

1. Snort is detective (the 'D' in IDS :); a firewall is usually preventative (maybe w/ some detection). If one is preventing the 'attacks', but not knowing that they're occurring, he might not pick up on patterns of attacks, depending on the capabilities of the firewall's logging. That might not be a big deal, but I'd rather know that someone's knocking on my door instead of burying my head in the sand...

2. Snort by itself is purely detective. Scripts or shims need to be put into it to have it actually prevent something. Your firewall will allow the "GET", and snort might not like it, and log it, but that particular "GET" is going to still happen. With the proper scripts, this might not be a concern, but out-of-the-box, it is.

Jon
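An added example, not part of Jon's message or the thread: a small Python parser for ipfw's syslog lines that addresses Jon's first concern by pulling the "someone is knocking" pattern out of the firewall's own deny logs, so a deny rule with logging enabled does not hide what snort never gets to see. It assumes the classic ipfw log format (`ipfw: <rule> <action> <proto> <src>[:<port>] <dst>[:<port>] in|out via <iface>`) and runs over constructed sample lines.

```python
import re
from collections import defaultdict

# Classic ipfw syslog line (assumed format), e.g.
#   "ipfw: 2100 Deny TCP 203.0.113.5:4444 192.0.2.10:23 in via fxp0"
# Fields: rule, action, protocol (ICMP carries type.code), src[:port],
# dst[:port], direction, interface.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample lines in the style of /var/log/security; not real traffic.
SAMPLE_LOG = """\
Feb 13 11:00:01 gw /kernel: ipfw: 100 Accept TCP 198.51.100.7:33000 192.0.2.10:80 in via fxp0
Feb 13 11:00:02 gw /kernel: ipfw: 2100 Deny TCP 203.0.113.5:4444 192.0.2.10:23 in via fxp0
Feb 13 11:00:03 gw /kernel: ipfw: 2100 Deny TCP 203.0.113.5:4445 192.0.2.10:21 in via fxp0
Feb 13 11:00:04 gw /kernel: ipfw: 2100 Deny TCP 203.0.113.5:4446 192.0.2.10:111 in via fxp0
Feb 13 11:00:05 gw /kernel: ipfw: 2100 Deny TCP 203.0.113.5:4447 192.0.2.10:139 in via fxp0
Feb 13 11:00:06 gw /kernel: ipfw: 2100 Deny UDP 198.51.100.9:53 192.0.2.10:137 in via fxp0
Feb 13 11:00:07 gw /kernel: ipfw: 2100 Deny ICMP:8.0 198.51.100.9 192.0.2.10 in via fxp0
"""

def parse_ipfw_log(text):
    """Yield one dict per line in ipfw log format; other lines are skipped."""
    for line in text.splitlines():
        m = IPFW_RE.search(line)
        if m:
            yield m.groupdict()

def denied_sources(text, min_ports=3):
    """Per source host: number of denies, distinct denied ports, scan flag.
    A source that touched at least min_ports distinct denied ports is the
    'someone knocking' pattern a silent deny rule would otherwise hide."""
    per_src = defaultdict(lambda: {"denies": 0, "ports": set()})
    for rec in parse_ipfw_log(text):
        if rec["action"].lower() != "deny":
            continue                      # accepted traffic is snort's job
        entry = per_src[rec["src"]]
        entry["denies"] += 1
        if rec["dport"] is not None:
            entry["ports"].add(int(rec["dport"]))
    return {src: {"denies": e["denies"], "ports": sorted(e["ports"]),
                  "scan": len(e["ports"]) >= min_ports}
            for src, e in per_src.items()}

if __name__ == "__main__":
    for src, info in sorted(denied_sources(SAMPLE_LOG).items()):
        print(src, info)
```

On a real box, feed it `/var/log/security` (ipfw logs only for rules written with the `log` keyword, subject to `net.inet.ip.fw.verbose_limit`).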