Snort mailing list archives

Re: Detecting Broadcast with Snort


From: Matt Kettler <mkettler () evi-inc com>
Date: Sat, 22 Feb 2003 13:03:52 -0500

At 09:55 PM 2/21/2003 -0800, Gene Yoo wrote:
> Snort is not an intrusion prevention system. I also would like to know if someone had configured their Snort to take corrective action; I mean, I get my alerts and so forth...

Actually, there are several ways of reconfiguring snort for use as an Intrusion Prevention System, not merely an IDS. This is a VERY commonplace thing these days. Admittedly I'm not a big fan of such things, but Flexresp comes with the snort distribution, and there are also addons like SnortSam and Inline-Snort that use snort to dynamically reconfigure a firewall.

My general advice about such tools is that they are fine, as long as you can be 100% sure that you've not just created a hole where someone can hack the Snort box you forgot to properly secure and use that to open up your firewall. A SnortSam or inline Snort box should not be doing things like running a mail server, name server and web server which are externally accessible, and I'm willing to bet more than one sysadmin fails to see how foolish this is.


My question was really more of a "what possible corrective action could one take in response to excessive broadcast", even assuming you are a big fan of using snort as an IPS not an IDS.

There's not really anything that can be done by software to correct that problem, so no IPS, IDS, or other software tool can fix it.



<snip>
> Excessive broadcast? I think you need to look into tools like NetSaint or other network monitoring tools first.

Agreed. Although theoretically Snort could have a plugin to detect this stuff, it doesn't right now. Snort is more focused on IP-layer issues than Ethernet-layer issues (although it does have the arpspoof preprocessor).





