Home page logo
/

basics logo Security Basics mailing list archives

Re: Snort as Firewall (WinXP)
From: Tony Barry <tony () no-bull co nz>
Date: Tue, 31 Jan 2006 10:30:23 +1300

Good decision re Linux and its not so difficult now. I would suggest
Fedora (I'm using Core 3) as it is an SELinux enabled distro and fairly
bleeding edge. Really informative install guides are at
http://fedoranews.org/mediawiki/index.php/Stanton_Finley

and

http://www.howtoforge.com/perfect_setup_fedora_core_3

It has software RAID. If you would like to use this it's very easy to
set up during installation.
There is a vast amount of help available on line.

http://www.linuxhomenetworking.com/#Linux%20Main

is an excellent starting point.

Good luck


On Sun, 2006-01-29 at 16:45 +0530, Neil wrote:
Yeah, well, in all my readings and largely from the mail on this list,
I've come to the conclusion that Snort definitly won't give me
iptable-functionality on a windows box.

My solution is one I should've done a while ago: start using linux.  Of
course, thats much harder than it sounds, but we'll see how it turns out.

Thanks to the list for all the help.

Cheers,
Neil

On 1/26/2006 3:02 AM, coder wrote:
I should probably add that the only two ways I know of making snort into an
IPS;
is by either using snort-inline, which would require IPTables (and this is a
windows question) or
using "flex response" (not sure if this comes with the windows version of
snort), the downfall of flex response
is that is just sends an RST packet to break the connection (this however
does not stop the attacker from re-connecting)
also, you would have to write your own rules such as:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2
root.exe access"; flags: A+; uricontent:"scripts/root.exe?";
nocase;resp:rst_snd;)

(you can see the rst_snd at the end)

but, as "shrek-m" and I (in my earlier email) said, snort cannot really be
used as a firewall.

Regards,

Davie

----- Original Message ----- 
From: <shrek-m () gmx de>
To: <security-basics () securityfocus com>
Sent: Tuesday, January 24, 2006 10:17 PM
Subject: Re: Snort as Firewall (WinXP)


Neil wrote:

From what I've read, a couple people have tried, but most people were of
the opinion to use Snort as an IDS, and have a separate firewall.


bingo.

If anyone has done it, do you recommend it? Why/why not?
For those who are against using it as a firewall, again, why?

"snort"  iirc is a ids/ips  and  no firewall
http://www.snort.org/

eg.  "iptables"  iirc is a firewall  and no ids/ips
http://iptables.org/

-- 
shrek-m

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
-- 
Tony Barry

No Bull Services
PO Box 51528
Pakuranga
Auckland

021 413642
09 5768552

http://www.NO-BULL.CO.NZ
*************************************************************************

This e-mail and any files transmitted with it are confidential and
intended solely for the use of the addressee/s.
If you have received this e-mail in error please notify the sender.

************************************************************************* 

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]