RE: snort-inline inbound ruleset?

It all depends on you though. IMHO, I would either choose Hogwash or SnortSam. I have tried both and had great results from them. You will just have to play with them and choose which one you think fits your setup better.

Take in mind, both of these use Snort as the 'detection' engine. But they are geared towards the 'prevention' of attacks. Though snort can be compiled with flexresp and have the ability to send rst, icmp_port_unreachable and others.

Hogwash does the dropping for you, while SnortSam can pass it off to firewalls(supports various). Snort-inline uses iptables.

I hope that helps in some faint way :-)

Cheers!

   Alberto Gonzalez

SnortSam - http://www.snortsam.net
Hogwash - http://hogwash.sourceforge.net

-----Original Message-----
From: John Flynn [mailto:johnflynn@fastmail.fm] Sent: Sunday, February 02, 2003 1:09 PM
To: focus-ids@securityfocus.com
Subject: snort-inline inbound ruleset?

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Hi all,

I'm fairly new to the IDS scene. I want to deploy some sort of open source IPS. I've read most of the stuff from the honeynet project and those guys are doing a great job with snort-inline. They have a great default ruleset to filter outgoing traffic. I was wondering if snort-inline is a recommended approach for an IPS at this point and if so, does someone have a good default blocking ruleset for incoming untrusted traffic they could point me to? I have been having a huge problem with false positive rates with snort on my network and i'm struggling to come up with an IPS solution that won't block legitimate traffic. Would people recommend I use hogwash or something else instead of snort-inline?
You folks are all doing a great thing here in this list... John Flynn Received on Wed Feb 5 16:35:30 2003