From owner-freebsd-security Mon Jan 14 8:27:34 2002
Delivered-To: freebsd-security@freebsd.org
Received: from smtp015.mail.yahoo.com (smtp015.mail.yahoo.com [216.136.173.59]) by hub.freebsd.org (Postfix) with SMTP id 540E837B41C for ; Mon, 14 Jan 2002 08:27:26 -0800 (PST)
Received: from unknown (HELO warhawk) (202.1.200.64) by smtp.mail.vip.sc5.yahoo.com with SMTP; 14 Jan 2002 16:27:24 -0000
From: "Haikal Saadh"
To: "'Krzysztof Zaraska'"
Cc:
Subject: RE: Which intrusion detection to use?
Date: Mon, 14 Jan 2002 21:27:11 +0500
Message-ID: <000101c19d18$57401d00$40c801ca@warhawk>
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
In-reply-to: <20020114162652.7ba2a6d4.kzaraska@student.uci.agh.edu.pl>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of
> Krzysztof Zaraska
> Sent: Monday, January 14, 2002 8:27 PM
> To: Haikal Saadh
> Cc: freebsd-security@freebsd.org
> Subject: Re: Which intrusion detection to use?
>
>
> On Mon, 14 Jan 2002 19:46:38 +0500
> "Haikal Saadh" wrote:
>
> > *snip*
> >
> > > I don't know how tight your particular setup is, but if you deny
> > > access to all unused ports to the world there will be no use in
> > > PortSentry since the offending packets will never hit the port
> > > PortSentry is listening on. Snort does not care about firewalls, so
> > > just tell it to listen on outside interface and you're set.
> > >
> >
> > I have been thinking about this a bit lately. I am (was until I broke
> > it this morning upgrading to 1.8.3, blast it!) running snort and ipfw,
> > and while I would get ipfw dropping packets in my logs, I have nothing
> > in my snort alerts from my outside network. (Quite a few from the
> > inside though, mostly malformed NetBIOS packets and other mostly
> > harmless (as far as I'm concerned) traffic).
> >
> > My firewall policy is default deny, but with dynamic rules so that I
> > can actually use stuff. My snort's HOMENET is set to any, and I'm on
> > dialup.
> >
> >
> > What I'd like someone to clarify for me is:
> > Is snort actually seeing incoming packets on my outside interface, and
> > I've been really lucky so far
> > OR
> > Is snort not hearing anything on my outside interface? (tun0)
>
> From my experience snort will not catch much in this setup.
> If you deny anything you are virtually invisible for kiddiez
> out there. They usually sweep large networks looking for
> alive hosts and then look closer at those who are alive. But
> if you deny everything you are a dead host for them. These
> sweep scans are not detected by snort, since it does not
> trigger on single SYN or PING packet. And you do not have any
> services running, so no exploits are tried on you.
>
> Snort is libpcap based, so if tcpdump -i tun0 works for you
> snort should see packets also...
>
> There is a simple test: just portscan your box from the
> remote computer. This should trigger alert.
>
> [...]
>

Yah, tcpdump works fine, I used to use it all the time when first setting up the box to see how squid and bind were behaving.

I'll try portscanning myself from the outside to see what happens when I get back to work tomorrow.

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
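Added example, not part of the thread and not either poster's configuration: the point Krzysztof makes is that a default-deny ipfw ruleset logs every dropped SYN, while a portscan detector like snort's only alerts once one source touches enough distinct ports inside a short window, so a lone probe shows up in the firewall log and never in the IDS alerts. The script below makes that gap visible by parsing ipfw-style deny lines for the outside interface and classifying each source as a single probe or a sweep. The log lines are constructed to resemble ipfw's syslog output (not taken from any real host), and the threshold of five distinct ports in sixty seconds is an illustrative assumption, not snort's actual preprocessor default.

```python
"""Classify ipfw deny logs into single probes vs. port sweeps.

Added example. It models why a default-deny firewall logs a probe that a
threshold-based portscan detector ignores: the detector needs several
distinct ports from one source within a short window before it alerts.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the style of ipfw syslog output (RFC 5737 test addresses):
# one lone SYN from 198.51.100.7, a six-port sweep from 203.0.113.9,
# and one outbound accept that must be ignored.
SAMPLE_LOG = """\
Jan 14 21:01:02 warhawk /kernel: ipfw: 65000 Deny TCP 198.51.100.7:3412 192.0.2.10:80 in via tun0
Jan 14 21:02:10 warhawk /kernel: ipfw: 65000 Deny TCP 203.0.113.9:4000 192.0.2.10:21 in via tun0
Jan 14 21:02:10 warhawk /kernel: ipfw: 65000 Deny TCP 203.0.113.9:4001 192.0.2.10:22 in via tun0
Jan 14 21:02:11 warhawk /kernel: ipfw: 65000 Deny TCP 203.0.113.9:4002 192.0.2.10:23 in via tun0
Jan 14 21:02:11 warhawk /kernel: ipfw: 65000 Deny TCP 203.0.113.9:4003 192.0.2.10:25 in via tun0
Jan 14 21:02:12 warhawk /kernel: ipfw: 65000 Deny TCP 203.0.113.9:4004 192.0.2.10:53 in via tun0
Jan 14 21:02:12 warhawk /kernel: ipfw: 65000 Deny UDP 203.0.113.9:4005 192.0.2.10:53 in via tun0
Jan 14 21:03:00 warhawk /kernel: ipfw: 100 Accept TCP 192.0.2.10:3128 198.51.100.7:40000 out via tun0
"""

# syslog timestamp, host, process, then ipfw's "rule action proto src:port dst:port dir via iface"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ ipfw: (?P<rule>\d+) (?P<action>\w+) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_ipfw(text, year=2002):
    """Parse ipfw log lines into dicts; syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not ipfw records
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S").replace(year=year)
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def max_distinct_in_window(items, window_s):
    """Largest number of distinct keys seen within any window_s-second span.

    items: list of (timestamp, key) sorted by timestamp.
    """
    counts = defaultdict(int)
    best, left = 0, 0
    for ts, key in items:
        counts[key] += 1
        # shrink the window from the left until it spans at most window_s seconds
        while (ts - items[left][0]).total_seconds() > window_s:
            lkey = items[left][1]
            counts[lkey] -= 1
            if counts[lkey] == 0:
                del counts[lkey]
            left += 1
        best = max(best, len(counts))
    return best


def classify_sources(events, iface="tun0", threshold=5, window_s=60):
    """Group inbound denies on iface by source and label each as probe or sweep.

    A source is a 'sweep' only if it hits >= threshold distinct (proto, port)
    pairs within window_s seconds; anything less is a 'probe' that a
    threshold-based detector would stay silent on.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["action"] == "Deny" and ev["dir"] == "in" and ev["iface"] == iface:
            by_src[ev["src"]].append((ev["ts"], (ev["proto"], ev["dport"])))
    report = {}
    for src, items in by_src.items():
        items.sort()
        peak = max_distinct_in_window(items, window_s)
        report[src] = {
            "denied": len(items),
            "max_ports_in_window": peak,
            "verdict": "sweep" if peak >= threshold else "probe",
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(classify_sources(parse_ipfw(SAMPLE_LOG)).items()):
        print(f"{src:15} denied={info['denied']} "
              f"peak_ports={info['max_ports_in_window']} -> {info['verdict']}")
```

On the constructed input the lone SYN from 198.51.100.7 is reported as a probe and 203.0.113.9 as a sweep; only the latter would cross a detector's threshold, which is the firewall-log-versus-IDS-alert mismatch the thread describes. Lowering `threshold` trades that silence for noisier alerts on ordinary stray connections.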