From owner-freebsd-security Tue Feb 13 11:19:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id B39FB37B65D for ; Tue, 13 Feb 2001 11:19:16 -0800 (PST)
Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f1DJfuW97243; Tue, 13 Feb 2001 13:41:56 -0600 (CST) (envelope-from nick@rogness.net)
Date: Tue, 13 Feb 2001 13:41:56 -0600 (CST)
From: Nick Rogness
X-Sender: nick@cody.jharris.com
To: Jon
Cc: "H. Wade Minter" , freebsd-security@FreeBSD.ORG
Subject: Re: Getting more information from ipfw logs
In-Reply-To: <20010213190401.12121.qmail@web4502.mail.yahoo.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 13 Feb 2001, Jon wrote:

[snip]

> Two concerns with that logic:
>
> 1. Snort is detective (the 'D' in IDS :); a firewall
> is usually preventative (maybe w/ some detection). If
> one is preventing the 'attacks', but not knowing that
> they're occurring, he might not pick up on patterns of
> attacks, depending on the capabilities of the
> firewall's logging. That might not be a big deal, but
> I'd rather know that someone's knocking on my door
> instead of burying my head in the sand...

Then span it on the switch...it makes no difference. You can still log
packets with ipfw and determine with those logs and the combined snort
logs what the person was trying to do. Either technique works fine.

If you are not smart enough to determine what the person was trying to
do with both logs from ipfw and snort then you don't belong in the
security job you are doing.

I've had arguments in the past with people over this. I don't think it
belongs on this list.

> 2. Snort by itself is purely detective. Scripts or
> shims need to be put in to it to have it actually
> prevent something. Your firewall will allow the
> "GET", and snort might not like it, and log it, but
> that particular "GET" is going to still happen. With
> the proper scripts, this might not be a concern, but
> out-of-the-box, it is.

The "flex-response" snort module does do this.

IMHO, Snort is still far superior (in actual detection) to the IDSs
I've used because of the active involvement and opensource flexibility.

Nick Rogness - Keep on routing in a Free World...
  "FreeBSD: The Power to Serve!"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
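The point Nick makes above, that the ipfw log and the Snort log together tell you both what was attempted and whether the firewall let it through, is easy to automate. The following is an added example, not code from the thread or from the ipfw or Snort projects: it parses ipfw syslog lines (the FreeBSD 4.x `ipfw: <rule> <action> <proto> <src> <dst> in|out via <iface>` form) and Snort "fast" alert lines, then matches each alert to the firewall entry for the same flow within a small time window, so you can see at a glance which flagged packets were accepted and which were denied. The hostname, rule numbers, addresses, signature IDs and log lines are constructed for the example; the year and the clock-skew window are assumptions, since syslog timestamps carry no year.

```python
"""Correlate ipfw syslog entries with Snort fast-alert lines (added example)."""
import re
from datetime import datetime, timedelta

YEAR = 2001                      # assumed: syslog lines have no year field
WINDOW = timedelta(seconds=2)    # assumed clock skew tolerated between the two logs

# Constructed sample of /var/log/security output from "log" ipfw rules.
IPFW_LOG = """\
Feb 13 13:41:56 cody /kernel: ipfw: 300 Deny TCP 10.0.0.5:2049 192.168.1.10:80 in via fxp0
Feb 13 13:41:56 cody /kernel: ipfw: 200 Accept TCP 10.0.0.5:2050 192.168.1.10:80 in via fxp0
Feb 13 13:42:30 cody /kernel: ipfw: 300 Deny UDP 10.0.0.9:53 192.168.1.10:53 in via fxp0
Feb 13 13:42:31 cody /kernel: ipfw: 300 Deny ICMP:8.0 10.0.0.9 192.168.1.10 in via fxp0
"""

# Constructed sample of "snort -A fast" output seen on the span port for the same traffic.
SNORT_LOG = """\
02/13-13:41:57.004512  [**] [1:1122:1] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:2050 -> 192.168.1.10:80
02/13-13:42:31.118820  [**] [1:384:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.10
02/13-13:50:00.000000  [**] [1:1242:1] WEB-IIS ISAPI .ida access [**] [Priority: 2] {TCP} 10.0.0.7:3001 -> 192.168.1.10:80
"""

IP = r"\d+(?:\.\d+){3}"

# ipfw: "<rule> <Deny|Accept> <PROTO>[:type.code] <src>[:port] <dst>[:port] <in|out> via <iface>"
IPFW_RE = re.compile(
    rf"^(?P<ts>\w{{3}}\s+\d+ \d\d:\d\d:\d\d) \S+ /kernel: ipfw: "
    rf"(?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+)(?::[\d.]+)? "
    rf"(?P<src>{IP})(?::(?P<sport>\d+))? (?P<dst>{IP})(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

# Snort fast: "<MM/DD-HH:MM:SS.usec>  [**] [gid:sid:rev] <msg> [**] [Classification...] [Priority: n] {PROTO} src[:port] -> dst[:port]"
SNORT_RE = re.compile(
    rf"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\] "
    rf"(?:\[Classification: (?P<cls>[^\]]+)\] )?(?:\[Priority: (?P<pri>\d+)\] )?"
    rf"\{{(?P<proto>\w+)\}} (?P<src>{IP})(?::(?P<sport>\d+))? -> (?P<dst>{IP})(?::(?P<dport>\d+))?$"
)


def _port(value):
    return int(value) if value else None


def parse_ipfw(line):
    """Return a dict for one ipfw log line, or None if the line is not one."""
    m = IPFW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # Collapse "Feb  3" style padding before parsing; year is assumed.
    d["time"] = datetime.strptime(f"{YEAR} {' '.join(d['ts'].split())}", "%Y %b %d %H:%M:%S")
    d["rule"] = int(d["rule"])
    d["sport"], d["dport"] = _port(d["sport"]), _port(d["dport"])
    return d


def parse_snort(line):
    """Return a dict for one Snort fast-alert line, or None if it does not match."""
    m = SNORT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(f"{YEAR}/{d['ts']}", "%Y/%m/%d-%H:%M:%S")
    d["sport"], d["dport"] = _port(d["sport"]), _port(d["dport"])
    return d


def _endpoint(ip, port):
    return f"{ip}:{port}" if port is not None else ip


def correlate(ipfw_text, snort_text, window=WINDOW):
    """For each Snort alert, find the ipfw entry for the same 5-tuple within `window`.

    Returns one record per alert with the firewall's verdict (Accept/Deny) and rule
    number, or "unlogged" when no ipfw rule logged that flow at all.
    """
    fw = [e for e in map(parse_ipfw, ipfw_text.splitlines()) if e]
    results = []
    for alert in filter(None, map(parse_snort, snort_text.splitlines())):
        key = (alert["src"], alert["sport"], alert["dst"], alert["dport"], alert["proto"])
        hits = [e for e in fw
                if (e["src"], e["sport"], e["dst"], e["dport"], e["proto"]) == key
                and abs(alert["time"] - e["time"]) <= window]
        results.append({
            "sid": alert["sid"],
            "msg": alert["msg"],
            "flow": f"{_endpoint(alert['src'], alert['sport'])} -> {_endpoint(alert['dst'], alert['dport'])}",
            "fw_action": hits[0]["action"] if hits else "unlogged",
            "fw_rule": hits[0]["rule"] if hits else None,
        })
    return results


if __name__ == "__main__":
    for r in correlate(IPFW_LOG, SNORT_LOG):
        print(f"[{r['sid']}] {r['msg']:<28} {r['flow']:<34} firewall: {r['fw_action']} (rule {r['fw_rule']})")
```

Run against real logs by feeding the contents of `/var/log/security` and Snort's `alert` file in place of the two constructed strings. The key is the full 5-tuple, not just the source address, which is why the `/etc/passwd` GET on source port 2050 is reported as accepted by rule 200 even though an adjacent connection from the same host was denied by rule 300; an alert with no matching ipfw entry means the traffic hit a rule without `log`, which is the gap Jon describes.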