RE: Snort or Ethereal for a relative newbie?

From: Leon Ward (leon.ward@added-dimension.co.uk)
Date: 05/29/02 

From: Leon Ward <leon.ward@added-dimension.co.uk>
To: 'Thomas Madhavan' <tmadhavan@ntlworld.com>, security-basics@security-focus.com
Date: Wed, 29 May 2002 12:28:28 +0100

It seams that you are thinking on slightly along the wrong lines here,
Snort and Ethereal capture packets and do not do not block anything.
Snort has the capability to inspect packets against a set of rules and
report accordingly (alert on suspicious traffic).
Ethereal captures packets for the purpose of allowing a user to inspect what
is going on the "wire".

As far as the snort compiling problems go, check that the directory that
libpcap installed its libraries into is listed in your /etc/ld.so.conf file.

Try installing both libpcap and snort from source, you will get more
installation options.

Nard

-----Original Message-----
From: Thomas Madhavan [mailto:tmadhavan@ntlworld.com]
Sent: 25 May 2002 15:29
To: security-basics@security-focus.com
Subject: Snort or Ethereal for a relative newbie?

Hi all. Responses have been good before so I thought I'd try again.

I've recently set up a Mandrake 8.2 workstation. I've used firestarter to
build a firewall, and I want to use a packet sniffer.

After installing Snort, it didn't work due to a data type 113 error. I
uninstalled it, then reinstalled from an RPM, but apparently I don't have
libpcap installed (which I do).

So, I tried Ethereal and it works fine. However, can rulesets be applied to
Ethereal as they can with Snort? I want a little extra security, not just
logs of packets.

If Ethereal *can* be used to block packets, is it a good substitute for
snort? Or would I benefit from using Snort instead? There also seem to be a
lot of snort reporting tools - are there any for Ethereal?

Thanks a lot,

Thomas Madhavan

This E-mail and its attachments have been scanned for viruses before
delivery. For more information contact postmaster@added-dimension.co.uk.

This E-mail and its attachments have been scanned for viruses before delivery.
We recommend that all attachments are also checked by recipients before being viewed.
For more information contact postmaster@added-dimension.co.uk.

Relevant Pages

  • Re: unidentified DOS "bad traffic"
    ... I'd do some closer looking at the source machine. ... Do you have an idea of the volume of packets that were coming from this ... A particular host has been completely flooding the network with ... My Snort output on ...
    (Incidents)
  • Re: unidentified DOS bad traffic
    ... large and/or small packets, and sometimes fragmented. ... flooding most gateways, and connects to an IRC channel as you describe. ... A particular host has been completely flooding the network ... My Snort output on this trace was filled with nothing but ...
    (Incidents)
  • RE: Snort or Ethereal for a relative newbie?
    ... >thought Snort was capable of dropping packets based on the snort ... Snort captures packets using libpcap and runs them through a ruleset to ... will not have problems installing snort. ...
    (Security-Basics)
  • RE: Which intrusion detection to use?
    ... > deny access to all unused ports to the world there will be no ... Snort does not care ... while I would get ipfw dropping packets in my logs, ... If you want a good book I'd recommend "Building Internet Firewalls" by ...
    (FreeBSD-Security)
  • RE: Which intrusion detection to use?
    ... >>> I don't know how tight your particular setup is, but if you deny ... Snort does not care about ... >> and while I would get ipfw dropping packets in my logs, ... > From my experience snort will not catch much in this setup. ...
    (FreeBSD-Security)