Thomas,
>thought Snort was capable of dropping packets based on the snort
>ruleset... am I wrong?
Basically yes, you are wrong.
Snort captures packets using libpcap and runs them through a ruleset to
decide weather they could contain suspicious traffic, if it matches anything
an alarm will be created. You can then review the alarms (or have an
automated tool to do this for you) and decide on the action to take.
Consider this...
(Internet)------|hub|
|-------|firewall|-------|hub|
| |
|-------|snort| |---|snort|
|
|---|internal lan|
Your firewall (should) block access to all ports excluding specific ones
that you specify, therefore if you have TCP:80 open for a web server, you
are allowing any traffic (including exploit code) through the wall. Snort
would pick this up and let you know. Remember to make sure that if you have
a sensor external to your firewall it is secure, but that's another
conversation.
>Does anyone have any in depth installation and config tutorials?
>Snort.org has a few, but nothing I can make good use of.
There are many documents about setting up snort out there, and to be
honest if you are accustomed to compiling software on UNIX asked systems you
will not have problems installing snort.
As far as configuration goes, the config file itself (snort.conf) has a
great many comments describing what everything does.
If you get really stuck, you could take a look at a document about setting
up a honeypot I wrote a while ago, it touches on snort a little.
http://62.231.147.171/nard/Honeypot1.htm
Good luck,
Leon ward
aka nard
Please direct replies to: [EMAIL PROTECTED]
-----Original Message-----
From: Thomas Madhavan [mailto:[EMAIL PROTECTED]]
Sent: 29 May 2002 21:13
To: Leon Ward
Cc: [EMAIL PROTECTED]
Subject: Re: Snort or Ethereal for a relative newbie?
I thought Snort was capable of dropping packets based on the snort
ruleset... am I wrong? Is that performed only by the firewall?
I realise Ethereal is only for listening to what's happening.
Does anyone have any in depth installation and config tutorials?
Snort.org has a few, but nothing I can make good use of.
I'll check out silicondefense... although I'm not on any MS product -
Mandrake Linux 8.2
Regards,
Thomas Madhavan
Leon Ward wrote:
>It seams that you are thinking on slightly along the wrong lines here,
>Snort and Ethereal capture packets and do not do not block anything.
>Snort has the capability to inspect packets against a set of rules and
>report accordingly (alert on suspicious traffic). Ethereal captures
>packets for the purpose of allowing a user to inspect what is going on
>the "wire".
>
>As far as the snort compiling problems go, check that the directory
>that libpcap installed its libraries into is listed in your
>/etc/ld.so.conf file.
>
>Try installing both libpcap and snort from source, you will get more
>installation options.
>
>Nard
>
>
>
>-----Original Message-----
>From: Thomas Madhavan [mailto:[EMAIL PROTECTED]]
>Sent: 25 May 2002 15:29
>To: [EMAIL PROTECTED]
>Subject: Snort or Ethereal for a relative newbie?
>
>
>Hi all. Responses have been good before so I thought I'd try again.
>
>I've recently set up a Mandrake 8.2 workstation. I've used firestarter
>to build a firewall, and I want to use a packet sniffer.
>
>After installing Snort, it didn't work due to a data type 113 error. I
>uninstalled it, then reinstalled from an RPM, but apparently I don't
>have libpcap installed (which I do).
>
>So, I tried Ethereal and it works fine. However, can rulesets be
>applied to Ethereal as they can with Snort? I want a little extra
>security, not just logs of packets.
>
>If Ethereal *can* be used to block packets, is it a good substitute for
>snort? Or would I benefit from using Snort instead? There also seem to
>be a lot of snort reporting tools - are there any for Ethereal?
>
>Thanks a lot,
>
>Thomas Madhavan
>
>
>
>
>This E-mail and its attachments have been scanned for viruses before
>delivery. For more information contact
>[EMAIL PROTECTED]
>
>This E-mail and its attachments have been scanned for viruses before
>delivery. We recommend that all attachments are also checked by
>recipients before being viewed. For more information contact
>[EMAIL PROTECTED]
>
>
This E-mail and its attachments have been scanned for viruses before
delivery. For more information contact [EMAIL PROTECTED]
This E-mail and its attachments have been scanned for viruses before delivery.
We recommend that all attachments are also checked by recipients before being viewed.
For more information contact [EMAIL PROTECTED]
