Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Snort as Firewall (WinXP)

from [Neil] Network Security [Permanent Link]
Subject: Re: Snort as Firewall (WinXP)
Date: Sun, 29 Jan 2006 16:45:02 +0530 
Yeah, well, in all my readings and largely from the mail on this list,
I've come to the conclusion that Snort definitly won't give me
iptable-functionality on a windows box.

My solution is one I should've done a while ago: start using linux.  Of
course, thats much harder than it sounds, but we'll see how it turns out.

Thanks to the list for all the help.

Cheers,
Neil

On 1/26/2006 3:02 AM, coder wrote:

I should probably add that the only two ways I know of making snort into an
IPS;
is by either using snort-inline, which would require IPTables (and this is a
windows question) or
using "flex response" (not sure if this comes with the windows version of
snort), the downfall of flex response
is that is just sends an RST packet to break the connection (this however
does not stop the attacker from re-connecting)
also, you would have to write your own rules such as:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2
root.exe access"; flags: A+; uricontent:"scripts/root.exe?";
nocase;resp:rst_snd;)

(you can see the rst_snd at the end)

but, as "shrek-m" and I (in my earlier email) said, snort cannot really be
used as a firewall.

Regards,

Davie

----- Original Message ----- 
From: <shrek-m@gmx.de>
To: <security-basics@securityfocus.com>
Sent: Tuesday, January 24, 2006 10:17 PM
Subject: Re: Snort as Firewall (WinXP)



Neil wrote:


From what I've read, a couple people have tried, but most people were of

the opinion to use Snort as an IDS, and have a separate firewall.



bingo.


If anyone has done it, do you recommend it? Why/why not?
For those who are against using it as a firewall, again, why?


"snort"  iirc is a ids/ips  and  no firewall
http://www.snort.org/

eg.  "iptables"  iirc is a firewall  and no ids/ips
http://iptables.org/

-- 
shrek-m


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Re: University Degree or CISSP, FocusHacks
Next by Date:  Re: System Monitor, FocusHacks
Previous by Thread:  Re: Snort as Firewall (WinXP), coder
Next by Thread:  Re: Snort as Firewall (WinXP), Tony Barry
Indexes:  [Date] [Thread] [Top] [All Lists]