Re: [Security Basics] Portsentry and Snort
From: Dan DeVoe <ddevoe(at)zeus.netset.com>
Date: Fri May 09 2003 - 12:39:42 EDT
Snort, in my opinion, is primarily useful for sticking on a bridge in front of the machines you're protecting. Custom patterns combined with acidlab really does let one sleep better at night. The reason that I prefer to use snort in a standalone configuration is mainly the curve between CPU usage and network traffic. YMMV. Snort, though, is definitely a useful tool.

PortSentry, in addition to apparently not being a supported, developed product anymore, is of questionable value anyway. A decently strict, logging iptables setup plus fwlogwatch[0] provides more functionality (user-configurable response rather than simply throwing up a drop rule). In addition, fwlogwatch can send out nightly (or another interval) summary e-mails of logged packets, and generate HTML formatted pages of the same data.

Should you decide to go with a logging firewall and fwlogwatch, I suggest you look into ulogd[1] so that you don't clutter your /var/log/messages.

[0]: http://cert.uni-stuttgart.de/projects/fwlogwatch/
[1]: http://gnumonks.org/projects/ulogd

--
Dan DeVoe, System Administrator | http://www.netset.com
Ohio NetSet Enterprises, Inc.   | (614) 527-9111
****************************************************************
-* Opinions herein are the author's and are not necessarily *-
-* shared by his employer, though they certainly should be. *-
****************************************************************

On Thu, 8 May 2003, sjm wrote:

Received on Fri May 9 15:12:53 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:04:18 EDT
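The post's recommendation is a logging firewall whose dropped-packet records are summarised and acted on by a separate tool (fwlogwatch) with a configurable response, rather than PortSentry's fixed "add a drop rule" reaction. The following is an added example, not code from the post, from fwlogwatch or from ulogd: a small Python script that parses the key=value lines the iptables LOG target writes to the kernel log, builds the per-source summary a nightly report would contain, and applies a policy function whose thresholds are parameters rather than hard-coded. The log lines, host names, addresses and the "FW-DROP:" log prefix are constructed for the example; the field names (SRC, DST, PROTO, DPT, ...) are those of the real LOG-target format, but the exact layout of a line on your system is an assumption you should check against your own log.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of iptables LOG-target lines as they appear in
# /var/log/messages (ulogd writes the same fields to its own file instead).
# Host, addresses and the "FW-DROP:" prefix are made up for this example;
# the sshd line is there to show that non-firewall lines are skipped.
SAMPLE_LOG = """\
May  9 12:39:42 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May  9 12:39:43 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
May  9 12:39:44 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
May  9 12:39:45 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
May  9 12:40:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=110 ID=4711 PROTO=UDP SPT=53 DPT=1234 LEN=40
May  9 12:41:10 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=110 ID=4712 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
May  9 12:42:00 fw sshd[1234]: Accepted publickey for dan from 198.51.100.20 port 5000 ssh2
"""

# syslog timestamp, host, then the kernel message proper
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")
# KEY=value tokens; bare flags such as DF or SYN carry no '=' and are ignored
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


@dataclass
class Packet:
    ts: str
    prefix: str          # the --log-prefix text, e.g. "FW-DROP:"
    src: str
    dst: str
    proto: str
    dpt: Optional[int]   # None for protocols without ports (ICMP)


def parse_log_lines(text: str) -> list:
    """Return one Packet per iptables LOG line; other syslog lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or "SRC=" not in m.group("rest"):
            continue  # not a kernel line, or a kernel line that is not a LOG entry
        rest = m.group("rest")
        fields = dict(KV_RE.findall(rest))  # a repeated key (LEN, ID) keeps its last value
        prefix = rest.split("IN=", 1)[0].strip()
        dpt = int(fields["DPT"]) if "DPT" in fields else None
        packets.append(Packet(m.group("ts"), prefix, fields["SRC"], fields["DST"],
                              fields.get("PROTO", "?"), dpt))
    return packets


@dataclass
class SourceSummary:
    packets: int = 0
    dports: set = field(default_factory=set)
    protos: set = field(default_factory=set)
    first: str = ""
    last: str = ""


def summarize(packets: list) -> dict:
    """Aggregate logged packets per source address, as a nightly report would."""
    by_src = defaultdict(SourceSummary)
    for p in packets:
        s = by_src[p.src]
        s.packets += 1
        s.protos.add(p.proto)
        if p.dpt is not None:
            s.dports.add(p.dpt)
        s.first = s.first or p.ts
        s.last = p.ts
    return dict(by_src)


def classify(summary: dict, port_threshold: int = 3, packet_threshold: int = 50) -> dict:
    """Configurable response policy: the thresholds are the operator's choice,
    which is the point the post makes in favour of fwlogwatch over a fixed drop rule."""
    actions = {}
    for src, s in summary.items():
        if len(s.dports) >= port_threshold or s.packets >= packet_threshold:
            actions[src] = "review"   # many ports or many packets from one source: worth a human look
        else:
            actions[src] = "note"     # a few stray packets: just tally them in the summary
    return actions


def render_report(summary: dict, actions: dict) -> str:
    """Plain-text summary in the spirit of fwlogwatch's e-mail report."""
    lines = ["Dropped-packet summary (by source)", ""]
    for src in sorted(summary, key=lambda k: summary[k].packets, reverse=True):
        s = summary[src]
        ports = ",".join(str(p) for p in sorted(s.dports)) or "-"
        protos = "/".join(sorted(s.protos))
        lines.append(f"{src:<16} pkts={s.packets:<4} protos={protos:<9} dports={ports:<16} "
                     f"{s.first} .. {s.last}  [{actions[src]}]")
    return "\n".join(lines)


if __name__ == "__main__":
    pk = parse_log_lines(SAMPLE_LOG)
    sm = summarize(pk)
    print(render_report(sm, classify(sm)))
```

Run against the embedded sample it reports two sources: 192.0.2.10 (four TCP packets to four different ports, flagged "review") and 203.0.113.7 (one UDP and one ICMP packet, merely noted). Pointing `parse_log_lines` at a real kernel log or at ulogd's output file, and feeding `render_report` to your mailer on a cron schedule, gives the nightly summary the post describes while keeping the response decision in `classify`, where it can be tuned without touching the firewall rules.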