Home page logo
/

basics logo Security Basics mailing list archives

Re: Snort as Firewall (WinXP)
From: "coder" <elite.coder () ntlworld com>
Date: Wed, 25 Jan 2006 21:32:21 -0000

I should probably add that the only two ways I know of making snort into an
IPS;
is by either using snort-inline, which would require IPTables (and this is a
windows question) or
using "flex response" (not sure if this comes with the windows version of
snort), the downfall of flex response
is that is just sends an RST packet to break the connection (this however
does not stop the attacker from re-connecting)
also, you would have to write your own rules such as:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2
root.exe access"; flags: A+; uricontent:"scripts/root.exe?";
nocase;resp:rst_snd;)

(you can see the rst_snd at the end)

but, as "shrek-m" and I (in my earlier email) said, snort cannot really be
used as a firewall.

Regards,

Davie

----- Original Message ----- 
From: <shrek-m () gmx de>
To: <security-basics () securityfocus com>
Sent: Tuesday, January 24, 2006 10:17 PM
Subject: Re: Snort as Firewall (WinXP)


Neil wrote:

From what I've read, a couple people have tried, but most people were of
the opinion to use Snort as an IDS, and have a separate firewall.



bingo.

If anyone has done it, do you recommend it? Why/why not?
For those who are against using it as a firewall, again, why?


"snort"  iirc is a ids/ips  and  no firewall
http://www.snort.org/

eg.  "iptables"  iirc is a firewall  and no ids/ips
http://iptables.org/

-- 
shrek-m

--------------------------------------------------------------------------
-
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity
Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
--------------------------------------------------------------------------
-





---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]