Intrusion Detection - Snort

Matthew Moyle-Croft mmc at mmc.com.au
Mon Dec 16 15:38:04 CST 2002


You really want to be VERY VERY careful about proactive stuff.

e.g. What if I start flooding you with ICMP packets which are supposedly from 
one of your more important client's email servers?  It'll drop in a rule 
blocking traffic from that machine ... no email from the client.

Personally, I don't see that the risk is worth it:
- adding rules doesn't prevent traffic getting to you and thus costing you 
money or degrading link performance.
- it shouldn't stop any more things that aren't already being stopped by your 
firewall.
- most of the issue can be dealt with by using rate-limiting options on 
iptables, which is really what you want anyway.

MMC

On Mon, 16 Dec 2002, Matthew Western wrote:

> Hi All,
> I've got snort going nicely and seeing all kinds of bad stuff when I test
> it.  My question is: does anyone on this list have the snort server do anything
> proactive?  I'm sure it would be possible to add iptables rules and all
> kinds of other things, but I'm wondering what do others do?   It seems logical,
> if a CodeRed was seen coming through, to add an iptables rule and log that
> you've added a rule...  any other ideas?
> M

-- 
Matthew
--
Matthew at Moyle-Croft.com    | mmc at mmc.com.au        |    mmc at 206gti.net
http://www.Moyle-Croft.com | http://www.mmc.com.au | http://206gti.net
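The reply above recommends rate-limiting on iptables rather than dropping in block rules from Snort. As an added illustration (not code from the post or from the LinuxSA list), the script below generates a ruleset in iptables-restore format that caps ICMP echo requests with the `limit` match, logs a sample of the excess and drops the rest. The chain name `ICMP_LIMIT`, the default rate `5/second` and the burst of `10` are values chosen for this example, not anything the post specifies.

```shell
#!/bin/sh
# Added example: rate-limit ICMP echo requests with the iptables "limit" match
# instead of reacting to individual sources. Assumptions: a Linux host with
# iptables and the limit match; the rate/burst defaults below are illustrative.
# Output is in iptables-restore format so it can be reviewed before applying.

ICMP_RATE="${ICMP_RATE:-5/second}"   # sustained echo-request rate allowed (assumed)
ICMP_BURST="${ICMP_BURST:-10}"       # tokens available before limiting starts (assumed)

# Emit the ruleset. Echo requests are diverted to a dedicated chain; inside it,
# packets under the rate are accepted, a throttled LOG rule records the overflow
# (at most one line per minute so the log itself cannot be flooded), and the
# remainder is dropped. Spoofed sources cannot cause a host to be blocked here:
# the worst case is that echo requests in general are throttled.
build_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:ICMP_LIMIT - [0:0]
# Send echo requests through the rate limiter; other ICMP types are untouched.
-A INPUT -p icmp --icmp-type echo-request -j ICMP_LIMIT
# Accept while under the rate, log a sample of the excess, then drop it.
-A ICMP_LIMIT -m limit --limit $ICMP_RATE --limit-burst $ICMP_BURST -j ACCEPT
-A ICMP_LIMIT -m limit --limit 1/minute -j LOG --log-prefix "icmp-ratelimit: "
-A ICMP_LIMIT -j DROP
COMMIT
EOF
}

# Apply only when running as root with iptables-restore available; otherwise
# just print the ruleset so it can be inspected.
apply_ruleset() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        build_ruleset | iptables-restore --noflush
    else
        build_ruleset
    fi
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    *)       build_ruleset ;;
esac
```

Run it without arguments to review the generated rules, or as root with `--apply` to load them with `iptables-restore --noflush` (which keeps existing rules in place). Note the limitation the post itself states: this caps what the host processes and logs, not what arrives on the link. For a per-source rather than global cap, the `hashlimit` match takes the same rate and burst options keyed on source address.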


-- 
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.openprojects.net