RE: locking down snort

From: Andrew Shore (andrew.shore_at_holistecs.com)
Date: 06/28/04

    Date: Mon, 28 Jun 2004 09:19:21 +0100
    To: <jose@iquest.ucsb.edu>, <security-basics@securityfocus.com>

    When setting up snort (or any other packet sniffer) the best method is
    to use 2 NICs. One NIC has an IP address and is used for management only;
    the second is used to do the sniffing and has no address.

    This way management traffic does not get monitored and no one can
    connect to the sniffing port.

    Also, in larger networks the sniffer management port can sit on the
    management/server VLAN and the analysing port can sniff other VLANs
    (although be careful about crossing security domains, i.e. short-circuiting
    firewalls etc.).

    Andrew Shore
    Senior Security Specialist
    DDI. 01302 308 165
    andrew.shore@holistecs.com
    Company Number 04943010
    VAT Number 828 8635 82
    Holistic Technologies Ltd
    Unit 7 Shaw Wood Business Park
    Shaw Wood Way
    Doncaster
    South Yorkshire
    DN2 5TB
    T. 0870 240 1442
    F. 0870 240 1443
    www.holistecs.com
    -----Original Message-----
    From: Jose Guevarra [mailto:jose@iquest.ucsb.edu]
    Sent: 24 June 2004 18:29
    To: security-basics@securityfocus.com
    Subject: locking down snort

    Hi,

    I have some machines running snort. I'd like to restrict ssh/http and
    other access to them. However, I'm not sure whether, in doing so, snort
    would no longer 'grab' and analyze traffic hitting those ports. I guess
    I'm asking:

    - if I blocked those ports from the outside world, would I still detect,
    say, a port scan on those ports?

    - Who captures the packets first: the firewall (iptables) or snort?

    Thanks,
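The two-NIC layout from the reply above, as an added example that is not part of the original post. The interface names (`eth0` for management, `eth1` for capture) are hypothetical. The capture NIC is flushed of every address, kept from re-acquiring an IPv6 link-local address, and brought up with ARP off and promiscuous mode on, so nothing can address it and it answers nothing; snort then reads that interface at the link layer, and the host firewall rules that protect ssh/http on the management NIC never see, and never filter, the traffic being analysed. The check functions take `ip -o` output as text, with constructed samples embedded, so the verification logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the list post. Implements the two-NIC layout Andrew
# Shore describes: a management NIC that keeps its address and a capture NIC
# with no address at all. Interface names are hypothetical.
MGMT_IF="${MGMT_IF:-eth0}"       # management NIC: keeps its IP; ssh/http filtered by iptables
CAPTURE_IF="${CAPTURE_IF:-eth1}" # capture NIC: no IP, no ARP, promiscuous

# Strip every address from the capture NIC, stop the kernel from adding a
# link-local IPv6 address back, and bring it up promiscuous with ARP off.
# Needs root and iproute2; only invoked when the script is run with "apply".
setup_capture_if() {
    ifc="$1"
    ip addr flush dev "$ifc"
    sysctl -w "net.ipv6.conf.${ifc}.disable_ipv6=1" >/dev/null
    ip link set dev "$ifc" arp off promisc on up
}

# True (exit 0) when `ip -o addr show dev IFC` output carries no inet/inet6 entry.
has_no_address() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])inet6?[[:space:]]' && return 1
    return 0
}

# True when `ip -o link show dev IFC` output shows both the NOARP and PROMISC flags.
is_promisc_noarp() {
    printf '%s\n' "$1" | grep -q 'NOARP' && printf '%s\n' "$1" | grep -q 'PROMISC'
}

# Check a live interface; prints a verdict and returns 0 only if both properties hold.
verify_capture_if() {
    ifc="$1"
    has_no_address "$(ip -o addr show dev "$ifc")" || { echo "$ifc still has an address"; return 1; }
    is_promisc_noarp "$(ip -o link show dev "$ifc")" || { echo "$ifc is not NOARP+PROMISC"; return 1; }
    echo "$ifc is address-less, NOARP and promiscuous"
}

# Constructed sample `ip -o` output (not captured from a real host) so the
# checks above can be exercised without root or real interfaces.
SAMPLE_MGMT_ADDR='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever'
SAMPLE_CAPTURE_ADDR=''
SAMPLE_CAPTURE_LINK='3: eth1: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_UNCONFIGURED_LINK='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

if [ "${1:-}" = "apply" ]; then
    setup_capture_if "$CAPTURE_IF"
    verify_capture_if "$CAPTURE_IF"
    # snort then listens on the capture NIC only, e.g.:
    #   snort -i "$CAPTURE_IF" -c /etc/snort/snort.conf
fi
```

Run it as `sh capture-nic.sh apply` on the sensor to configure and verify the capture interface; without the `apply` argument it only defines the functions and sample data. Keeping ARP off matters as much as having no address: an interface that still answers ARP reveals that a listener is present on the span port.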

