Intrusion Detection - Snort
mmc at mmc.com.au
Mon Dec 16 15:38:04 CST 2002
You really want to be VERY VERY careful about proactive stuff.
e.g. What if I start flooding you with ICMP packets which are supposedly from
one of your more important clients' email servers? It'll drop in a rule
blocking that machine .. no email from the client.
Personally, I don't see that the risk is worth it:
- adding rules doesn't prevent traffic getting to you and thus costing you
money or degrading link performance.
- it shouldn't stop any more things that aren't already being stopped by your
- most of the issue can be dealt with by using rate-limiting options on
iptables, which is really what you want anyway.
On Mon, 16 Dec 2002, Matthew Western wrote:
> Hi All,
> I've got snort going nicely and seeing all kinds of bad stuff when I test
> it. My question: does anyone on this list have the snort server do anything
> proactive? I'm sure it would be possible to add iptables rules and all
> kinds of other things, but I'm wondering what do others do? Seems logical,
> if a CodeRed was seen coming through, to add an iptables rule and log that
> you've added a rule... any other ideas?
Matthew at Moyle-Croft.com | mmc at mmc.com.au | mmc at 206gti.net
http://www.Moyle-Croft.com | http://www.mmc.com.au | http://206gti.net
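An added example, not code from this thread or from either poster, to show the self-inflicted-DoS problem described above in working form: a reactive blocker that reads Snort "fast" alert lines and emits iptables rules, with the guards a practitioner would want before letting an IDS touch the firewall (never block on ICMP/UDP alerts, whose source address is trivially forged; never block a list of critical peers such as a client's mail server; expire blocks), plus the ICMP rate-limit rules the reply suggests instead. The alert lines, signature IDs, addresses and the never-block list are constructed for the example; the block is written against the standard iptables `limit` match and the Snort fast alert layout, and nothing else is assumed.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Snort "fast" alert format, one alert per line. Ports are absent for ICMP.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


@dataclass(frozen=True)
class Alert:
    sid: str
    msg: str
    priority: int   # Snort priority: 1 is the most severe
    proto: str
    src: str
    dst: str


@dataclass
class Policy:
    never_block: frozenset = field(default_factory=frozenset)  # critical peers
    blockable_protos: frozenset = frozenset({"TCP"})           # spoof-resistant only
    max_priority: int = 1                                       # block on priority 1 alerts only
    block_ttl: timedelta = timedelta(hours=1)                   # blocks are temporary


def parse_alert(line: str) -> Optional[Alert]:
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["sid"], m["msg"], int(m["prio"]), m["proto"].upper(), m["src"], m["dst"])


def block_command(src: str) -> str:
    return f"iptables -I INPUT -s {src} -j DROP"


def unblock_command(src: str) -> str:
    return f"iptables -D INPUT -s {src} -j DROP"


def decide(alert: Alert, policy: Policy, active: Dict[str, datetime], now: datetime) -> Tuple[str, str]:
    """Return ("block", iptables command) or ("ignore", reason). `active` maps src -> expiry."""
    # ICMP/UDP carry no handshake, so the source is whatever the sender wrote: a flood
    # "from" your client's mail server would otherwise get that server blocked.
    if alert.proto not in policy.blockable_protos:
        return "ignore", f"{alert.proto} source address is trivially spoofable"
    # Even a TCP alert may fire on a bare (spoofable) SYN; the never-block list is the
    # backstop for peers you cannot afford to lose, whatever the alert says.
    if alert.src in policy.never_block:
        return "ignore", "source is on the never-block list"
    if alert.priority > policy.max_priority:
        return "ignore", f"priority {alert.priority} below threshold"
    expiry = active.get(alert.src)
    if expiry is not None and expiry > now:
        return "ignore", "already blocked"
    active[alert.src] = now + policy.block_ttl
    return "block", block_command(alert.src)


def expire_blocks(active: Dict[str, datetime], now: datetime) -> List[str]:
    """Return unblock commands for expired entries and remove them from `active`."""
    cmds = []
    for src, expiry in list(active.items()):
        if expiry <= now:
            cmds.append(unblock_command(src))
            del active[src]
    return cmds


def icmp_rate_limit_rules(per_second: int = 2, burst: int = 10) -> List[str]:
    """The alternative from the reply: cap ICMP with the iptables limit match, no IDS hook."""
    return [
        f"iptables -A INPUT -p icmp -m limit --limit {per_second}/second --limit-burst {burst} -j ACCEPT",
        "iptables -A INPUT -p icmp -j DROP",
    ]


def run(lines: List[str], policy: Policy, now: datetime):
    active: Dict[str, datetime] = {}
    results = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        action, detail = decide(alert, policy, active, now)
        results.append((alert.src, action, detail))
    return results, active


# Constructed sample alerts (not real Snort output); SIDs and addresses are illustrative.
SAMPLE_ALERTS = [
    "12/16-15:38:04.000001  [**] [1:1242:8] WEB-IIS ISAPI .ida access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:4321 -> 192.0.2.10:80",
    "12/16-15:38:05.000002  [**] [1:499:3] ICMP Large ICMP Packet [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 198.51.100.25 -> 192.0.2.10",
    "12/16-15:38:06.000003  [**] [1:1242:8] WEB-IIS ISAPI .ida access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.25:2000 -> 192.0.2.10:80",
    "12/16-15:38:07.000004  [**] [1:1242:8] WEB-IIS ISAPI .ida access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:4322 -> 192.0.2.10:80",
]
DEMO_POLICY = Policy(never_block=frozenset({"198.51.100.25"}))  # the client's mail server
DEMO_NOW = datetime(2002, 12, 16, 15, 38, 4)

if __name__ == "__main__":
    results, active = run(SAMPLE_ALERTS, DEMO_POLICY, DEMO_NOW)
    for src, action, detail in results:
        print(f"{src:15} {action:6} {detail}")
    for cmd in icmp_rate_limit_rules():
        print(cmd)
```

Run as-is it only prints the iptables commands; wiring `subprocess` to them is the easy part, the policy is what decides whether the first spoofed ICMP flood turns the IDS into a weapon against you. Note the guards do not answer the reply's first objection: a DROP rule still lets the packets reach and fill your link.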
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.openprojects.net