Re: [Snort-users] Bad Traffic, Port 0 (Snort forums, System Security and Security Related category)
Hi,
If Snort and iptables are running on the same machine, you always see those packets with Snort, even if iptables blocks them. Why don't you use a Snort sensor behind the firewalling machine? You will then see whether you blocked the traffic or not.

Anyway, I'm writing my master's thesis about security logging. I'll try to implement the following solution: log all security logs into a database, then compare the information from the Snort sensors with the firewall logs and mark all Snort alerts that do not have a matching firewall log entry. This is only part of my master's thesis, but I think this can give tremendous comfort to sysadmins, as they will have a lot less data to check. All other data is kept for 'curious' sysadmins or for further checks.

I am thinking, for instance, of a layered network: one big network with several smaller ones inside. If a type of traffic is blocked on all firewalls of the smaller networks, why not already block it on the outer firewall too? Such things will lead to a performance gain in the outer network as well. But, as I said, this is still on its way :-)

Greetings,
Erwin Van de Velde
Student of Antwerp University, Belgium