Date: Tue, 13 Feb 2001 13:41:56 -0600 (CST)
From: Nick Rogness <nick@rogness.net>
To: Jon <cykyc@yahoo.com>
Cc: "H. Wade Minter" <minter@lunenburg.org>, freebsd-security@FreeBSD.ORG
Subject: Re: Getting more information from ipfw logs
Message-ID: <Pine.BSF.4.21.0102131329230.92630-100000@cody.jharris.com>
In-Reply-To: <20010213190401.12121.qmail@web4502.mail.yahoo.com>
On Tue, 13 Feb 2001, Jon wrote:

[snip]

> Two concerns with that logic:
>
> 1. Snort is detective (the 'D' in IDS :); a firewall
> is usually preventative (maybe w/ some detection). If
> one is preventing the 'attacks', but not knowing that
> they're occurring, he might not pick up on patterns of
> attacks, depending on the capabilities of the
> firewall's logging. That might not be a big deal, but
> I'd rather know that someone's knocking on my door
> instead of burying my head in the sand...

Then span it on the switch...it makes no difference. You can still log
packets with ipfw and determine with those logs and the combined snort
logs what the person was trying to do. Either technique works fine.

If you are not smart enough to determine what the person was trying to
do with both logs from ipfw and snort then you don't belong in the
security job you are doing. I've had arguments in the past with people
over this. I don't think it belongs on this list.

> 2. Snort by itself is purely detective. Scripts or
> shims need to be put in to it to have it actually
> prevent something. Your firewall will allow the
> "GET", and snort might not like it, and log it, but
> that particular "GET" is going to still happen. With
> the proper scripts, this might not be a concern, but
> out-of-the-box, it is.

The "flex-response" snort module does do this. IMHO, Snort is still far
superior (in actual detection) to the IDSs I've used because of the
active involvement and open-source flexibility.

Nick Rogness <nick@rogness.net>
 - Keep on routing in a Free World...  "FreeBSD: The Power to Serve!"
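Nick's point that the ipfw log and the Snort log together tell you what a source was trying to do, and Jon's two concerns (seeing a pattern across many denied packets, and Snort alerting on a request the firewall had already allowed through), can be made concrete with a small correlation script. The following is an added example, not code from the thread or from the ipfw or Snort projects. The ipfw syslog line layout and the Snort "fast" alert layout it parses, the sample log lines (constructed, not real captures), the assumed year, the five-second match window and the three-port probe threshold are all assumptions; check the regexes against the versions you actually run.

```python
import re
from datetime import datetime

# Constructed sample logs (not real captures).  The ipfw lines follow the
# classic "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in|out via
# <iface>" syslog layout; the Snort lines follow its "fast" alert output.
IPFW_LOG = """\
Feb 13 13:41:56 gw /kernel: ipfw: 300 Accept TCP 10.0.0.5:1234 192.168.1.10:80 in via fxp0
Feb 13 13:41:58 gw /kernel: ipfw: 65000 Deny TCP 10.0.0.5:1235 192.168.1.10:22 in via fxp0
Feb 13 13:41:59 gw /kernel: ipfw: 65000 Deny TCP 10.0.0.5:1236 192.168.1.10:23 in via fxp0
Feb 13 13:42:01 gw /kernel: ipfw: 65000 Deny TCP 10.0.0.5:1237 192.168.1.10:143 in via fxp0
Feb 13 13:50:00 gw /kernel: ipfw: 300 Accept TCP 172.16.4.9:40000 192.168.1.10:80 in via fxp0
"""
SNORT_LOG = """\
02/13-13:41:57.104512 [**] [1:1122:1] WEB-MISC /etc/passwd [**] {TCP} 10.0.0.5:1234 -> 192.168.1.10:80
02/13-13:50:00.500000 [**] [1:1002:2] WEB-IIS cmd.exe access [**] {TCP} 172.16.4.9:40000 -> 192.168.1.10:80
"""

YEAR = 2001  # neither log carries a year; assumed so the two timestamps can be compared

IPFW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+ ipfw: (?P<rule>\d+) "
    r"(?P<action>\w+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)"
)
SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \[\*\*\] (?:\[[\d:]+\] )?"
    r"(?P<msg>.+?) \[\*\*\] (?:\{\w+\} )?(?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_ipfw(text):
    """One dict per TCP/UDP ipfw log line; ICMP lines use another layout and are skipped."""
    out = []
    for line in text.splitlines():
        m = IPFW_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["time"] = datetime.strptime(f"{YEAR} {d.pop('ts')}", "%Y %b %d %H:%M:%S")
        for k in ("rule", "sport", "dport"):
            d[k] = int(d[k])
        out.append(d)
    return out


def parse_snort(text):
    """One dict per Snort fast-format alert line."""
    out = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["time"] = datetime.strptime(f"{YEAR} {d.pop('ts')}", "%Y %m/%d-%H:%M:%S")
        for k in ("sport", "dport"):
            d[k] = int(d[k])
        out.append(d)
    return out


def correlate(ipfw_events, snort_alerts, window=5):
    """Per source IP: what ipfw denied, and what ipfw decided for each flow
    Snort alerted on (matched on src/sport/dst/dport within `window` seconds)."""
    report = {}
    sources = {e["src"] for e in ipfw_events} | {a["src"] for a in snort_alerts}
    for src in sorted(sources):
        denied = [e for e in ipfw_events if e["src"] == src and e["action"].lower() == "deny"]
        matched, unmatched = [], []
        for a in (a for a in snort_alerts if a["src"] == src):
            hit = next(
                (e for e in ipfw_events
                 if (e["src"], e["sport"], e["dst"], e["dport"]) == (src, a["sport"], a["dst"], a["dport"])
                 and abs((e["time"] - a["time"]).total_seconds()) <= window),
                None,
            )
            if hit:
                matched.append((a["msg"], hit["action"], hit["rule"]))
            else:
                unmatched.append(a["msg"])
        report[src] = {
            "deny_count": len(denied),
            "denied_ports": sorted({e["dport"] for e in denied}),
            "alerts": matched,
            "unmatched_alerts": unmatched,
        }
    return report


def classify(entry, probe_threshold=3):
    """Tags for the two situations the thread discusses: a sweep across several
    closed ports, and an IDS hit on traffic the firewall already accepted."""
    tags = []
    if len(entry["denied_ports"]) >= probe_threshold:
        tags.append("port-probe")
    if any(action.lower() == "accept" for _, action, _ in entry["alerts"]):
        tags.append("ids-alert-on-accepted-flow")
    return tags


if __name__ == "__main__":
    for src, entry in correlate(parse_ipfw(IPFW_LOG), parse_snort(SNORT_LOG)).items():
        print(src, classify(entry), entry)
```

On the sample data the first source shows both signatures at once: three denied connections to closed ports from the same host within a few seconds, and a Snort alert on the one request rule 300 accepted. The matching is deliberately on the full flow tuple plus a time window rather than on source address alone, because behind NAT or a busy proxy a source address by itself will attach unrelated alerts to the wrong firewall decision.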