Home page logo
/

basics logo Security Basics mailing list archives

Re: [Security Basics] Portsentry and Snort
From: Dan DeVoe <ddevoe () zeus netset com>
Date: Fri, 9 May 2003 12:39:42 -0400 (EDT)

Snort and PortSentry serve two entirely different functions. The former is
a Network Intrusion Detection System, the latter is a port scan
detector/responder.

Snort, in my opinion, is primarily useful for sticking on a bridge in
front of the machines you're protecting. Custom patterns combined with
acidlab really does let one sleep better at night. The reason that I
prefer to use snort in a standalone configuration is mainly the curve
between CPU usage and network traffic. YMMV. Snort, though, is definitely
a useful tool.

PortSentry, in addition to apparently not being a supported, developed
product anymore, is of questionable value anyway. A decently strict,
logging iptables setup plus fwlogwatch[0] provides more functionality
(user-configurable response rather than simply throwing up a drop rule).
In addition, fwlogwatch can send out nightly (or another interval)
summary e-mails of logged packets, and generate HTML formatted pages of
the same data.

Should you decide to go with a logging firewall and fwlogwatch, I suggest
you look into ulogd[1] so that you don't clutter your /var/log/messages.

[0]: http://cert.uni-stuttgart.de/projects/fwlogwatch/
[1]: http://gnumonks.org/projects/ulogd

-- 
 Dan DeVoe, System Administrator        | http://www.netset.com
 Ohio NetSet Enterprises, Inc.          | (614) 527-9111
****************************************************************
 -* Opinions herein are the author's and are not necessarily *-
 -* shared by his employer, though they certainly should be. *-
****************************************************************

On Thu, 8 May 2003, sjm wrote:

Date: Thu, 08 May 2003 10:57:32 -0400
From: sjm <sjm () porter acadaff appstate edu>
To: security-basics () securityfocus com
Subject: [Security Basics] Portsentry and Snort

Should I install both portsentry and snort on my server?  I have read so many
articles that praise one and knock the other that I don't know what to do.

Thanks for you time,

/*-----------------------------*\
|                               |
|    Steve McKinney             |
|    ARDI - Web Programmer      |
|    sjm () porter appstate edu    |
|    (828) 262-6553             |
|                               |
\*-----------------------------*/


---------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most 
recognized corporate security certification track, provides a comprehensive 
prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case 
studies and true hands-on utilization 
of pertinent security tools. For a limited time you can enter for a chance 
to win one of the latest technological innovations, the SEGWAY HT. 
Log onto http://www.securityfocus.com/FastTrain-security-basics 
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]