This is a discussion on SNORT <=> IPTABLES within the Linux Security forums, part of the System Security and Security Related category.
Aside from snort_inline and fwsnort, are there any other apps to proactively
prevent security hacks, scans, attempts?

---------------------------------------------------------------------------
Inetbizonline.com Web Hosting Service
Denver Prophit Sys Admin
---------------------------------------------------------------------------

Denver Prophit wrote:
> aside from snort_inline and fwsnort are there any other apps to
> proactively prevent security hacks, scans, attempts?

IPTables: firewall
Snort: intrusion detection

Their roles are very different.

--
Q: Why do firemen wear red suspenders?
A: To conform with departmental regulations concerning uniform dress.

Yes, I know this. I would like to know if it's worth taking alerts from snort
and automatically writing a rule in iptables to block the offending hacker or scanner.

"NeoSadist" <neosad1st@charter.net> wrote in message news:10hsptum49ru4a9@corp.supernews.com...
> IPTables: firewall
> Snort: intrusion detection
>
> Their roles are very different.

"Denver Prophit" <denverp@cox.nospam.net> wrote in message news:<aQtTc.9156$xs.1580@okepread02>...
> Yes I know this. I would like to know if it's worth taking alerts from snort
> and automatically write a rule in iptables to block the offending hacker,
> scanner
>
> "NeoSadist" <neosad1st@charter.net> wrote in message
> news:10hsptum49ru4a9@corp.supernews.com...
> > IPTables: firewall
> > Snort: intrusion detection
> >
> > Their roles are very different.
[snip]

I highly recommend that you do _not_ do this sort of thing until you are familiar with snort alerts and understand what may trigger them under what circumstances. Automated responses to false positives cut legit traffic, and automated rules can themselves offer a means of clogging your tables with junk. Use snort, watch the logs, understand what it's doing and _understand_ how you can properly respond. Once you get this comfortable, then you can explore automated responses. This is not an area you want to shotgun -- you really need a laser to effectively _begin_ to use IDS.

That said, there are _some_ automated responses you can try, but you _must_ continue (even more so) to watch your logs _and_ your netfilter tables to be sure you know it's working. There is a real danger that you will fool yourself about the strength of your efforts only to find that a competent cracker has "hidden" behind a well chosen list of diversionary triggers -- you're busy looking left, he's busy sneaking in to your right.

If your primary purpose is to learn about snort/IDS then doing it "manually" will teach you much more than automation, as it will force you to watch your logs and get familiar with the traffic in your neighborhood -- you may even learn _how_ to recognize unfriendly activity and the different ways people try to sneak in.

one person's thoughts,
prg
email above disabled

Denver Prophit wrote:
> aside from snort_inline and fwsnort are there any other apps to proactively
> prevent security hacks, scans, attempts?

Consider:

1. Spoofed IPs such as www.google.com that you would block.
2. Nmap scans are detected, but Nmap can use "1 - infinity" different IPs when scanning to hide the scanner's true IP: these will be blocked.

Since I could scan your system with 1000 valid src. IPs and those would be blocked, I don't think it is always a good idea to auto-block IP addresses. However, using Snort, you could use its "rate limiting" to some benefit.

rcr

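prg's and rcr's replies above describe the guard rails any alert-to-iptables automation needs: act only on signatures you have vetted, do not block when one signature fires from many sources at once (what a decoy scan looks like from the IDS side), never block your own infrastructure, and cap the size of the auto-generated block list. The following dry-run planner is an added example, not code from this thread or from Snort, snort_inline or fwsnort: it parses Snort fast-alert lines (constructed samples; sids in the local-rule range) and emits iptables commands for review only. The alert line layout, the thresholds, the address ranges and the function names are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Pieces of a Snort "fast" alert line: [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (?P<dst>\d+\.\d+\.\d+\.\d+)"
)

SAMPLE_ALERTS = [  # constructed sample lines, not from the thread; sids are in the local-rule range
    "08/10-14:22:01.000001  [**] [1:1000001:1] LOCAL SSH brute force [**] [Priority: 2] {TCP} 203.0.113.7:41022 -> 198.51.100.2:22",
    "08/10-14:22:02.000002  [**] [1:1000001:1] LOCAL SSH brute force [**] [Priority: 2] {TCP} 192.168.1.20:5555 -> 198.51.100.2:22",
    "08/10-14:22:03.000003  [**] [1:1000003:1] LOCAL noisy rule [**] [Priority: 3] {UDP} 203.0.113.99:53 -> 198.51.100.2:53",
] + [  # ten sources hitting one scan signature at once, the pattern a decoy scan produces
    f"08/10-14:23:{i:02d}.000000  [**] [1:1000002:1] LOCAL ICMP sweep [**] [Priority: 3] {{ICMP}} 203.0.113.{i} -> 198.51.100.2"
    for i in range(10, 20)
]

def plan_blocks(lines, trusted_sids, never_block, max_sources_per_sid=5, max_total=100):
    """Return (blocked, skipped): blocked is the list of source IPs judged safe to drop,
    skipped maps ip -> reason so the operator still sees what was held back."""
    by_sid = defaultdict(set)  # signature -> distinct source addresses that fired it
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            by_sid[int(m.group("sid"))].add(m.group("src"))
    protected = [ip_network(n) for n in never_block]
    blocked, skipped = [], {}
    for sid, sources in by_sid.items():
        if sid not in trusted_sids:  # only act on rules you have watched and understood
            skipped.update({ip: f"sid {sid} not vetted" for ip in sources})
            continue
        if len(sources) > max_sources_per_sid:  # one rule from many sources: likely spoofed/decoy
            skipped.update({ip: f"sid {sid} from {len(sources)} sources, likely spoofed" for ip in sources})
            continue
        for ip in sorted(sources):
            if any(ip_address(ip) in net for net in protected):
                skipped[ip] = "on never-block list"  # e.g. your LAN, resolvers, upstream gateway
            elif len(blocked) >= max_total:  # keep junk from clogging the tables
                skipped[ip] = "blocklist cap reached"
            elif ip not in blocked:
                blocked.append(ip)
    return blocked, skipped

def iptables_cmds(ips, chain="INPUT"):
    """Render DROP rules as shell commands for review; nothing is executed here."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in ips]
```

On the sample batch, only the single SSH source is proposed for blocking; the LAN host, the unvetted signature and all ten decoy-style sources land in the skipped list with their reasons, which is the part to read before anything is applied.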
Denver Prophit wrote:
> aside from snort_inline and fwsnort are there any other apps to proactively
> prevent security hacks, scans, attempts?

Snort is not proactive. Snort uses rules that are written to protect against known attacks. It cannot protect against new attacks and is therefore totally reactive.

Erik
--
+-----------------------------------------------------------+
  Erik de Castro Lopo  nospam@mega-nerd.com (Yes it's valid)
+-----------------------------------------------------------+
"I want to make sure (a user) can't get through ... an online
experience without hitting a Microsoft ad."
- Microsoft CEO, Steve Ballmer on the Microsoft search engine.

Denver Prophit wrote:
> Can you elaborate to a newbie?
>
> "Randy Ramsdell" <me@somewhere.else> wrote in message
> news:CJudnf6_QPpCfoPcRVn-jg@comcast.com...
>> However, using Snort, you could use its "rate limiting" to some benefit.

Weird, my message you responded to doesn't show up in the thread. I thought it never made it to the list. Anyway, I am not sure if this technique will help and I don't know a lot about it. Just look up Snort's "connection limiting" feature. Google it. It may be of no use. Also, I probably am not 100% sure what you are trying to accomplish.

rcr