On Friday 07 May 2004 14:27, Phil Cryer wrote:
> I'm curious about this, I don't have any IDS on my home server, and want
> to start running Snort, but the time to learn the rule creation is what
> has kept me away.

You do not need to create rules (unless you are testing for something that the
rules don't cover, i.e. a special kind of traffic). Rules are distributed and
the rules contain signatures of malicious traffic. To get the latest
signatures, you need to update

> Is this all I need to do for "basic" functionality? I want to get into it
> more, but will need to allow for Web/Jabber/IMAP-ssl traffic on my
> home server, would I use Oinkmaster to tell Snort to allow those or ? If
> it's not much harder than that to get started, I should set this up
> tomorrow. Any input would be appreciated.

I think you have the wrong idea about snort. Snort is an Intrusion Detection
System which means that it detects. It's a passive application (although some
have rigged it to dynamically firewall the origin of malicious traffic, but
that's another story) and does no access control at all.

Snort will log everything that is going on. This is so you have the element of
surprise on your attacker, as he probably doesn't know he's being watched.

Hope that helps,
Cheers,
Chris.

--
gentoo-security@g.o mailing list
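Since Chris's point is that Snort only detects and logs, the day-to-day work is reading those alerts. As an added example that is not part of this thread, here is a small Python parser for Snort's single-line "alert_fast" output (assumed to be the default fast format of Snort 2.x), run over constructed sample lines and grouping hits by signature and by source host.

```python
import re
from collections import Counter

# Regex for one line of Snort's alert_fast output (assumption: Snort 2.x default
# fast format). Ports are optional so ICMP alerts, which carry none, still parse.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (documentation-range addresses, made-up SIDs), not real captures.
SAMPLE_ALERTS = """\
05/07-14:31:02.118274  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:40112 -> 192.0.2.10:80
05/07-14:31:05.220001  [**] [1:1000002:1] CONSTRUCTED imaps scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40113 -> 192.0.2.10:993
05/07-14:32:10.000100  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:51000 -> 192.0.2.10:80
05/07-14:33:00.000000  [**] [1:1000003:1] CONSTRUCTED icmp ping [**] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10
"""

def parse_fast_alerts(text):
    """Return one dict per well-formed alert line; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts

def summarize(alerts, max_priority=2):
    """Count alerts per (sid, msg) and per source IP, keeping priority <= max_priority
    (Snort priority 1 is the most severe)."""
    by_sig = Counter()
    by_src = Counter()
    for a in alerts:
        if int(a["prio"]) > max_priority:
            continue
        by_sig[(a["sid"], a["msg"])] += 1
        by_src[a["src"]] += 1
    return by_sig, by_src

if __name__ == "__main__":
    sigs, srcs = summarize(parse_fast_alerts(SAMPLE_ALERTS))
    for (sid, msg), n in sigs.most_common():
        print(f"{n:3d}  sid {sid}  {msg}")
    for src, n in srcs.most_common():
        print(f"{n:3d}  from {src}")
```

Point it at your real alert file (e.g. the output of `-A fast`) instead of SAMPLE_ALERTS to get a quick triage view of what Snort has been logging.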