29 messages in org.freebsd.freebsd-securityRe: Which intrusion detection to use?| From | Sent On | Attachments |
|---|---|---|
| Dave Raven | Jan 13, 2002 10:35 am | |
| Simon Siemonsma | Jan 13, 2002 11:00 am | |
| admin | Jan 13, 2002 11:26 am | |
| Krzysztof Zaraska | Jan 13, 2002 12:07 pm | |
| Haikal Saadh | Jan 14, 2002 6:46 am | |
| Krzysztof Zaraska | Jan 14, 2002 7:26 am | |
| Lee Brotherston | Jan 14, 2002 7:29 am | |
| Haikal Saadh | Jan 14, 2002 8:23 am | |
| Haikal Saadh | Jan 14, 2002 8:26 am | |
| Asep Ruspeni | Jan 22, 2002 12:05 am | |
| Bart Matthaei | Jan 22, 2002 12:10 am | |
| Roger 'Rocky' Vetterberg | Jan 22, 2002 12:17 am | |
| Camelia NASTASE | Jan 22, 2002 12:24 am | |
| Bart Matthaei | Jan 22, 2002 12:26 am | |
| Asep Ruspeni | Jan 22, 2002 1:38 am | |
| Alfred Perlstein | Jan 22, 2002 2:08 am | |
| Bart Matthaei | Jan 22, 2002 2:28 am | |
| Thomas T. Veldhouse | Jan 22, 2002 8:01 am | |
| Ralph Huntington | Jan 22, 2002 8:10 am | |
| Bart Matthaei | Jan 22, 2002 8:11 am | |
| Thomas T. Veldhouse | Jan 22, 2002 8:12 am | |
| Chris Thomas | Jan 22, 2002 8:17 am | |
| Jeremy A. Mates | Jan 22, 2002 9:20 am | |
| Lawrence Sica | Jan 22, 2002 9:45 am | |
| Lawrence Sica | Jan 22, 2002 9:47 am | |
| Lawrence Sica | Jan 22, 2002 9:49 am | |
| Morten Grunnet Buhl | Jan 22, 2002 6:54 pm | |
| Asep Ruspeni | Jan 22, 2002 7:09 pm | |
| Gerhard Sittig | Jan 23, 2002 11:04 am |
| Subject: | Re: Which intrusion detection to use? | |
|---|---|---|
| From: | Krzysztof Zaraska (kzar...@student.uci.agh.edu.pl) | |
| Date: | Jan 14, 2002 7:26:30 am | |
| List: | org.freebsd.freebsd-security | |
On Mon, 14 Jan 2002 19:46:38 +0500 "Haikal Saadh" <wyld...@yahoo.com> wrote:
*snip*
I don't know how tight your particular setup is, but if you deny access to all unused ports to the world there will be no use in PortSentry since the offending packets will never his the port PortSentry is listening on. Snort does not care about firewalls, so just tell it to listen on outside interface and you're set.
I have been thinking about this a bit lately. I am (was until I broke it this morning upgrading to 1.8.3, blast it!) running snort and ipfw, and while I would get ipfw dropping packets in my logs, I have nothing in my snort alerts from my outside network. (Quite a few from the inside though, mostly malformed NetBIOS packets and other mostly harmless (as far as I'm concerned) traffic).
My firewall policy is default deny, but with dynamic rules so that I can actually use stuff. My snort's HOMENET is set to any, and I'm on dialup.
What I'd like to someone to clarify for me is: Is snort actually seeing incoming packets on my outside interface, and I've been really lucky so far OR Is snort not hearing anything on my outside interface? (tun0)
From my experience snort will not catch much in this setup. If you deny anything
you are virtually invisible for kiddiez out there. They usually sweep large
networks looking for alive hosts and then look closer at those who are alive.
But if you deny everything you are a dead host for them. These sweep scans are
not detected by snort, since it does not trigger on single SYN or PING packet.
And you do not have any services running, so no exploits are tried on you.
Snort is libpcap based, so if tcpdump -i tun0 works for you snort should see
packets also...
There is a simple test: just portscan your box from the remote computer. This
should trigger alert.
[...]
Krzysztof
To Unsubscribe: send mail to majo...@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message