[oclug] snort and IDS stuff
bb at L8R.net
Thu Jun 26 17:35:31 EDT 2003
On Thu, 26 Jun 2003 16:15:21 -0400
Trevor Curtis <tcurtis at somaradio.ca> wrote:
> On Thu, Jun 26, 2003 at 07:13:35AM -0400, Bill Strosberg offered:
> > Hi Bruce!
> > IDS boxes are usually located either outside the firewall and/or
> > inside the firewall - they are not generally installed on the
> > firewall. An IDS in and of itself does not provide any protection -
> > rather it provides a warning of attacks in progress or a log of attacks
> > that have taken place.
> I've seen people suggest putting something like Portsentry, or Snort on
> a firewall. I thought the idea behind that was to catch anything that
> got through the "firewall rules", and alert the admin(s). Is this not
> such a great idea?
Portsentry is definitely something you'd want on the firewall box,
although you need to carefully configure it.
Snort is something you'd want external to the firewall, on a box without
even a valid IP address. You want it to listen and not speak, so it may
remain free after the invading hordes attack.
> Trevor Curtis <tcurtis at somaradio.ca>
> "It don't mean a thing if it ain't got that swing"
> -Duke Ellington
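The "listen and not speak" sensor placement from the reply above can be checked on the sensor box itself. This is an added example, not part of the original post: it reads `ip -o addr show` output and reports whether the sniffing interface has any address bound. The interface names, the sample listing and the IPv6 link-local case are assumptions added here.

```shell
#!/bin/sh
# Added example: verify that a sniffing interface is address-less.
# An interface with no address does not appear in `ip -o addr show` at all.

# Constructed sample listing (abbreviated, not from a real host):
#   eth0 = management interface, eth1 = intended listen-only sensor port,
#   eth2 = sensor port left with an auto-configured IPv6 link-local address.
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0
4: eth2    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link'

# Print every IPv4/IPv6 address bound to interface $1.
# Reads text in `ip -o addr show` format on stdin.
iface_addresses() {
    awk -v ifc="$1" '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $4 }'
}

# Return 0 if interface $1 has no address in listing $2, non-zero otherwise.
is_listen_only() {
    [ -z "$(printf '%s\n' "$2" | iface_addresses "$1")" ]
}

# Print a one-line verdict for interface $1 in listing $2.
report() {
    if is_listen_only "$1" "$2"; then
        echo "$1: no address bound (listen-only)"
    else
        echo "$1: has address(es): $(printf '%s\n' "$2" | iface_addresses "$1" | tr '\n' ' ')"
    fi
}

report eth1 "$SAMPLE"
report eth2 "$SAMPLE"
```

On a live sensor, pass the real listing instead of the sample: `report eth1 "$(ip -o addr show)"`.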