| 1 |
On Friday 07 May 2004 14:27, Phil Cryer wrote: |
| 2 |
> I'm curious about this, I don't have any IDS on my home server, and want |
| 3 |
> to start running Snort, but the time to learn the rule creation is what |
| 4 |
> has kept me away. |
| 5 |
|
| 6 |
You do not need to create rules (unless you are testing for something that the |
| 7 |
rules don't cover i.e. a special kind of traffic). Rules are distributed and |
| 8 |
the rules contain signatures of malicious traffic. To get the latest |
| 9 |
signatures, you need to update |
| 10 |
|
| 11 |
> Is this all I need to do for "basic" functionality? I want to get into it |
| 12 |
> more, but will need to allow for Web/Jabber/IMAP-ssl traffic on my |
| 13 |
> homeserver, would I use Oinkmaster to tell Snort to allow those or ? If |
| 14 |
> it's not much harder than that to get started, I should set this up |
| 15 |
> tomorrow. Any input would be appreciated. |
| 16 |
|
| 17 |
I think you have the wrong idea about snort. Snort is a Intrusion Detection |
| 18 |
System which means that it detects. It's a passive application (although some |
| 19 |
have rigged it to dynamically firewall the origin of malicious traffic, but |
| 20 |
thats another story.) and does no access control at all. |
| 21 |
|
| 22 |
Snort will log everything that is going on. This is so you have the element of |
| 23 |
surprise on your attacker, as he probably doesn't know he's being watched. |
| 24 |
|
| 25 |
Hope that helps, |
| 26 |
Cheers, |
| 27 |
Chris. |
| 28 |
|
| 29 |
-- |
| 30 |
gentoo-security@g.o mailing list |
Archives