Re: IDS better than hardcore iptables rules?

On Thu, 3 Feb 2005 seberino@xxxxxxxxxxxxxxx wrote:

> Many people on this list including Jason O. are masters
> at creating very detailed careful iptables rules that
> DROP packets that have anything peculiar about them.
> 
> (e.g. FIN without ACK, etc.)
> 
> My iptables script just filters based on port
> number and protocol.  I was wondering if instead
> of diving into TCP education to duplicate the
> fine work Jason and others have done,
> if an IDS (Intrusion Detection System)
> like Snort would serve the same purpose???
> 
> I assume Snort **ALSO** knows what TCP flag combos
> typically signify a port scan and other nasties?
> 

And there are many that have delved into combining the two applications to
work together, but IDS is a beast unto itself; it takes perhaps a bit more
thought and work just to tune the IDS *behind* the firewall to get the
proper set of true alarms working such that it's not just another whining
app that gets ignored pretty much as much as most system logs tend to be.

And TCP education is required as much for IDS setup and design as for proper
firewalling.  There are no shortcuts; one needs to gain the basic
knowledge levels to tackle more than the basics of network design, as in
any other venture one wishes to put their efforts into.  After all, there
were no real cheap shortcuts to your PhD, correct?

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

...Love is the ultimate outlaw.  It just won't adhere to rules.
The most any of us can do is sign on as its accomplice.  Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question.  The words
"make" and "stay" become inappropriate.  My love for you has no
strings attached.  I love you for free...
                        -Tom Robins <Still Life With Woodpecker>
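
As an added example (not part of Ron's reply or anything else posted in this thread): the kind of flag-combination rules the question refers to, written as a POSIX shell script. Everything specific in it is my own choice: the user-defined chain name BAD_TCP, the log prefix, the use of the conntrack match for the "new connection without SYN" rule, and a DRY_RUN switch that prints the iptables commands instead of executing them so the ruleset can be inspected without root. The key to reading the rules is the iptables `--tcp-flags MASK COMP` match: of the flags named in MASK, exactly those named in COMP must be set, so `FIN,ACK FIN` means "FIN set and ACK clear", which is the "FIN without ACK" case from the question.

```shell
#!/bin/sh
# Added example, not code from the thread: drop TCP segments whose flag
# combinations never occur in a legitimate connection.  The chain name
# BAD_TCP and the log prefix are assumptions of this script.
#
# iptables '--tcp-flags MASK COMP' means: of the flags in MASK, exactly
# those in COMP must be set.  'FIN,ACK FIN' therefore matches a segment
# with FIN set and ACK clear.

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them (root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Illegal flag combinations as "MASK COMP" pairs, one per line:
#   ALL NONE                 no flags at all (NULL scan)
#   ALL ALL                  every flag set
#   ALL FIN,PSH,URG          FIN+PSH+URG only (Xmas scan)
#   ALL SYN,FIN,PSH,URG      Xmas variant with SYN
#   ALL SYN,RST,ACK,FIN,URG  everything but PSH
#   SYN,FIN SYN,FIN          SYN and FIN together
#   SYN,RST SYN,RST          SYN and RST together
#   FIN,ACK FIN              FIN without ACK (FIN scan)
#   PSH,ACK PSH              PSH without ACK
#   URG,ACK URG              URG without ACK
bad_tcp_flags() {
    cat <<'EOF'
ALL NONE
ALL ALL
ALL FIN,PSH,URG
ALL SYN,FIN,PSH,URG
ALL SYN,RST,ACK,FIN,URG
SYN,FIN SYN,FIN
SYN,RST SYN,RST
FIN,ACK FIN
PSH,ACK PSH
URG,ACK URG
EOF
}

build_bad_tcp_chain() {
    run -N BAD_TCP
    # A new connection must begin with a bare SYN; any other segment that
    # conntrack has never seen before is stray or crafted.
    run -A BAD_TCP -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    # One rate-limited LOG rule and one DROP rule per bad combination.
    bad_tcp_flags | while read -r mask comp; do
        run -A BAD_TCP -p tcp --tcp-flags "$mask" "$comp" \
            -m limit --limit 5/min -j LOG --log-prefix "BAD_TCP: "
        run -A BAD_TCP -p tcp --tcp-flags "$mask" "$comp" -j DROP
    done
    run -A BAD_TCP -j RETURN
    # Hook the chain in ahead of everything else in INPUT.
    run -I INPUT 1 -p tcp -j BAD_TCP
}

build_bad_tcp_chain
```

Run it as-is to print the rules; `DRY_RUN=0 sh bad_tcp.sh` as root applies them (the first rule needs the nf_conntrack module). Inserting the chain at position 1 of INPUT is safe because none of these combinations can belong to a valid session, so nothing that an ESTABLISHED accept would pass is lost. Note what the rules do not cover: a plain SYN scan uses perfectly legal flags and walks straight through them, which is the sort of traffic that is left to rate limiting or to the IDS behind the firewall.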


