RE: Which intrusion detection to use? - Haikal Saadh - org.freebsd.freebsd-security

29 messages in org.freebsd.freebsd-securityRE: Which intrusion detection to use?

From	Sent On	Attachments
Dave Raven	Jan 13, 2002 10:35 am
Simon Siemonsma	Jan 13, 2002 11:00 am
admin	Jan 13, 2002 11:26 am
Krzysztof Zaraska	Jan 13, 2002 12:07 pm
Haikal Saadh	Jan 14, 2002 6:46 am
Krzysztof Zaraska	Jan 14, 2002 7:26 am
Lee Brotherston	Jan 14, 2002 7:29 am
Haikal Saadh	Jan 14, 2002 8:23 am
Haikal Saadh	Jan 14, 2002 8:26 am
Asep Ruspeni	Jan 22, 2002 12:05 am
Bart Matthaei	Jan 22, 2002 12:10 am
Roger 'Rocky' Vetterberg	Jan 22, 2002 12:17 am
Camelia NASTASE	Jan 22, 2002 12:24 am
Bart Matthaei	Jan 22, 2002 12:26 am
Asep Ruspeni	Jan 22, 2002 1:38 am
Alfred Perlstein	Jan 22, 2002 2:08 am
Bart Matthaei	Jan 22, 2002 2:28 am
Thomas T. Veldhouse	Jan 22, 2002 8:01 am
Ralph Huntington	Jan 22, 2002 8:10 am
Bart Matthaei	Jan 22, 2002 8:11 am
Thomas T. Veldhouse	Jan 22, 2002 8:12 am
Chris Thomas	Jan 22, 2002 8:17 am
Jeremy A. Mates	Jan 22, 2002 9:20 am
Lawrence Sica	Jan 22, 2002 9:45 am
Lawrence Sica	Jan 22, 2002 9:47 am
Lawrence Sica	Jan 22, 2002 9:49 am
Morten Grunnet Buhl	Jan 22, 2002 6:54 pm
Asep Ruspeni	Jan 22, 2002 7:09 pm
Gerhard Sittig	Jan 23, 2002 11:04 am

Subject:	RE: Which intrusion detection to use?
From:	Haikal Saadh (wyld...@yahoo.com)
Date:	Jan 14, 2002 6:46:16 am
List:	org.freebsd.freebsd-security

*snip*

I don't know how tight your particular setup is, but if you deny access to all unused ports to the world there will be no use in PortSentry since the offending packets will never his the port PortSentry is listening on. Snort does not care about firewalls, so just tell it to listen on outside interface and you're set.

I have been thinking about this a bit lately. I am (was until I broke it this morning upgrading to 1.8.3, blast it!) running snort and ipfw, and while I would get ipfw dropping packets in my logs, I have nothing in my snort alerts from my outside network. (Quite a few from the inside though, mostly malformed NetBIOS packets and other mostly harmless (as far as I'm concerned) traffic).

My firewall policy is default deny, but with dynamic rules so that I can actually use stuff. My snort's HOMENET is set to any, and I'm on dialup.

What I'd like to someone to clarify for me is: Is snort actually seeing incoming packets on my outside interface, and I've been really lucky so far OR Is snort not hearing anything on my outside interface? (tun0)

What you've said above suggests the former, but I would appreciate it if someone confirms my suspicions.

*snip*

Does anyone have some recommendations for me.

If this is a NAT gateway that has all ports firewalled from the outside I'd be satisified with the steps described above. Just re-check your firewall rules, since it's your most important line of defense.

You may however (it's your system, anyhow ;-)) consider raising your securelevel and making some files immutable (binaries, configuration) and some other append-only (logs). man securelevel for details.

Other recommendations to increase my security are also welcome?

If you want a good book I'd recommend "Building Internet Firewalls" by Zwicky et al, published by O'reilly and associates,

Also for inspiration, look at: A) /etc/login.access B) /etc/hosts.allow C) /etc/login.conf D) running daemons (like bind,sendmail, and even snort, among others) as their own user/group, and _NOT_ root.wheel.

Well, there are some papers on the subject available on the net, so just do a Google search :) but they mostly focus on multi-user systems and servers. Actually simple setup == less possible points of entry.

I'm afraid that if you exagerrate you may end up with a system generating tons of logs although nothing serious is happening.

To Unsubscribe: send mail to majo...@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

	Start a set with this search
	Include this search in one of my sets
	Exclude this search from one of my sets