Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Snort as Firewall (WinXP)

from [coder] Network Security [Permanent Link]
Subject: Re: Snort as Firewall (WinXP)
Date: Wed, 25 Jan 2006 21:32:21 -0000 
I should probably add that the only two ways I know of making snort into an
IPS;
is by either using snort-inline, which would require IPTables (and this is a
windows question) or
using "flex response" (not sure if this comes with the windows version of
snort), the downfall of flex response
is that is just sends an RST packet to break the connection (this however
does not stop the attacker from re-connecting)
also, you would have to write your own rules such as:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2
root.exe access"; flags: A+; uricontent:"scripts/root.exe?";
nocase;resp:rst_snd;)

(you can see the rst_snd at the end)

but, as "shrek-m" and I (in my earlier email) said, snort cannot really be
used as a firewall.

Regards,

Davie

----- Original Message ----- 
From: <shrek-m@gmx.de>
To: <security-basics@securityfocus.com>
Sent: Tuesday, January 24, 2006 10:17 PM
Subject: Re: Snort as Firewall (WinXP)



Neil wrote:


From what I've read, a couple people have tried, but most people were of

the opinion to use Snort as an IDS, and have a separate firewall.




bingo.


If anyone has done it, do you recommend it? Why/why not?
For those who are against using it as a firewall, again, why?



"snort"  iirc is a ids/ips  and  no firewall
http://www.snort.org/

eg.  "iptables"  iirc is a firewall  and no ids/ips
http://iptables.org/

-- 
shrek-m

--------------------------------------------------------------------------

-

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity

Planning,

Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
--------------------------------------------------------------------------

-







---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: SSH server under attack..., Teemu A.
Next by Date:  Re: readnotify.com, Saqib Ali
Previous by Thread:  Re: Snort as Firewall (WinXP), shrek-m@gmx.de
Next by Thread:  Re: Snort as Firewall (WinXP), Neil
Indexes:  [Date] [Thread] [Top] [All Lists]