Re: Newbie IDS questionsFrom: email@example.com
- Previous message: Drew: "Re: Newbie IDS questions"
- Maybe in reply to: Mike Hrubes: "Newbie IDS questions"
- Next in thread: Frank Knobbe: "RE: Newbie IDS questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Mike Hrubes" <MHrubes@wizmo.com> From: firstname.lastname@example.org Date: Thu, 10 Jan 2002 10:41:27 -0600
Hi Mike, it sure is possible, but I would suggest using iptables on your
to block portscans and filter traffic. Attached is a copy of a generic
to help you out. Remember that a firewall is only as good as the
you run it on, so, if you use linux, make sure it's patched and running
the latest kernel
(which can be found at www.kernel.org), also turn off all the unwanted
services such as rsh,
rexec, lockd, portmap, telnet, identd, inetd, lpd, etc. by running
Actualy, for an operating system / firewall / IDS, I would use FreeBSD
with ipfw and snort. With
a previous company all my linux servers on our DMZ where hacked, but none
of the FreeBSD systems
where touched. Just a thought.
"Mike Hrubes" <MHrubes@wizmo.com>
01/09/2002 10:29 AM
Subject: Newbie IDS questions
I'm new to the IDS world. I understand what an IDS does, and why you
need it, but I have some questions on the technical aspect of IDS. We
are planning on implementing an IDS in the near future. The idea that
has been proposed is to put the IDS in the path between connections,
rather than connected in promiscuous mode. The reason they want to do
this is so they can also run a blocking software, like portsentry, to
block unwanted scans, etc.
Is this even possible to do? The idea is to use a linux server running
snort. This box would have two interfaces to route the traffic through
it, scanning the signatures at the same time.
Possible/not possible? If possible, good idea/bad idea? Opinions in
Thanks in advance,
- text/plain attachment: iptables.txt