-
November 25th, 2003, 01:31 AM
#1
Senior Member
a snort question??
is snort able to block intrusions or is it just a logger??
-
November 25th, 2003, 01:40 AM
#2
I'm pretty sure that snort will just log all intrusions and suspicious activity on the network. You just have to write a rule for what you want it to alert you to.
-
November 25th, 2003, 01:43 AM
#3
Senior Member
So it will just log and not stop an attack.
One more question: does snort log all the packets or just the suspicious ones?
-
November 25th, 2003, 01:45 AM
#4
Snort logs activity based on the defined rulesets....you can create custom rules if you wish...
everything you need to know is here: http://www.snort.org/docs/
-
November 25th, 2003, 01:45 AM
#5
It will only log what it considers an attack. I'm sure you can set it to log whatever you want. I think they have rules that are updated for download to define an attack. Basically it logs what you tell it to log.
-
November 25th, 2003, 01:45 AM
#6
It should just log suspicious packets and activity in general, although I am sure you could modify the source code quite easily so that it would log everything, or perhaps modify the rules of it.
I don't think you want it to log all packets without at least a log of just the suspicious ones. Reviewing it will be a pain.
-
November 25th, 2003, 01:47 AM
#7
Senior Member
I know I could create rules, but will they stop the attacks or just detect them??
-
November 25th, 2003, 01:48 AM
#8
Just detect them. Basically you will just get an alert that you are being attacked. Then you have to figure out for yourself how to stop it. I recommend pulling your network cable, or the plug from the wall. Then that attack is logged:
1.11 Does Snort log the full packets that it generates alerts?
Yes, the packets should be in the directory that has the same IP address as the
source host of the packet which generated the alert. If you are using binary
logging, there will be a packet capture file (.pcap) in the logging directory
instead.
-
November 25th, 2003, 03:57 AM
#9
There are addons to make snort actively respond to alerts. I would be a bit leery of them though...
http://www.chaotic.org/guardian/
http://www.linuxsecurity.com/feature...e-printer.html
Seems to me that this system could be fooled by false positives, and essentially create a denial of service. I have not looked into it very closely though.
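The false-positive concern raised in the post above, as an added example that is not part of the original thread and is not code from Guardian or Snort: a sketch of the decision step an alert-driven blocker needs, with an allowlist and a threshold so one false positive cannot cut off a host the network depends on. The alert lines are constructed samples in Snort's fast-alert layout, and the networks, threshold and function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Snort "fast" alert line: timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+.*?\s+\[\*\*\].*?"
    r"\{\w+\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+\d+\.\d+\.\d+\.\d+"
)

# Assumed policy: our own LAN and our DNS resolver must never be blocked,
# and one matching rule alone is not enough evidence to block anyone.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.0.2.53/32")]
MIN_DISTINCT_SIDS = 2

# Constructed sample alerts (documentation address ranges, made-up rule IDs).
SAMPLE_ALERTS = """\
11/25-03:57:01.000001  [**] [1:1000001:1] CONSTRUCTED rule A [**] [Priority: 2] {TCP} 198.51.100.7:40112 -> 10.0.0.5:80
11/25-03:57:02.000001  [**] [1:1000002:1] CONSTRUCTED rule B [**] [Priority: 1] {TCP} 198.51.100.7:40113 -> 10.0.0.5:80
11/25-03:57:03.000001  [**] [1:1000001:1] CONSTRUCTED rule A [**] [Priority: 2] {UDP} 192.0.2.53:53 -> 10.0.0.5:33000
11/25-03:57:04.000001  [**] [1:1000002:1] CONSTRUCTED rule B [**] [Priority: 1] {UDP} 192.0.2.53:53 -> 10.0.0.5:33001
11/25-03:57:05.000001  [**] [1:1000001:1] CONSTRUCTED rule A [**] [Priority: 2] {ICMP} 203.0.113.9 -> 10.0.0.5
""".splitlines()


def is_protected(addr):
    """True if addr falls inside any network we refuse to block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NEVER_BLOCK)


def decide_blocks(lines):
    """Map each alerting source address to 'block' or a reason for skipping it."""
    sids_by_src = defaultdict(set)
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:  # unparseable lines are ignored rather than acted on
            sids_by_src[m["src"]].add(m["sid"])
    decisions = {}
    for src, sids in sids_by_src.items():
        if is_protected(src):
            decisions[src] = "skip: allowlisted"
        elif len(sids) < MIN_DISTINCT_SIDS:
            decisions[src] = "skip: below threshold"
        else:
            decisions[src] = "block"
    return decisions


if __name__ == "__main__":
    for src, verdict in decide_blocks(SAMPLE_ALERTS).items():
        print(f"{src:15} {verdict}")
```

The output is only a decision list; turning a "block" verdict into a firewall rule, and expiring that rule after a fixed time, is left to whatever firewall is in use.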
-
November 25th, 2003, 05:16 AM
#10
Snort is an IDS (Intrusion Detection System). It detects intrusions. To stop them, you use a firewall, like ipchains or something along those lines.
"Ignorance is bliss....
but only for your enemy"
-- souleman