From: Pawel C. <pc...@ui...> - 2004-10-29 00:27:53
Hey all,

I am trying to decide which version of snort_inline to use on a Honeywall. I need something that will work with Open Wall Linux and that has all major bugs fixed (needs to be very secure). It also should have mysql support. The Honeywall will act as a bridge. Which version would be recommended?

Also, which pre-processors should be enabled for use on an actual Honeywall (at this point none of our members know anything about the pre-processors and little about rules)? If someone can point me to good online articles about these I'd appreciate it.

Finally, should I install the same version of snort that snort_inline will be, or are there any advantages of using different versions for each one?

Thanks

Pawel Czarnota
ACM Honeynet Project Leader
http://cs.uic.edu/~pczarno1
University of Illinois at Chicago
From: Will M. <wil...@gm...> - 2004-10-29 03:19:13
Pawel,

Off the top of my head I would say go with snort_inline-2.2.0 and snort-2.2.0. We actually added mysql support into 2.1.3 but added proper state tracking via stream4 and iptables marks in 2.2.0 (see doc/README.INLINE). As far as the preprocs go, look at the default snort_inline.conf; it should give you a good base config to start off with. Don't really know any great articles on the subject of preprocs and rule language, but I would suggest that you take a look at the snort users manual http://www.snort.org/docs/snort_manual/ or pick up a copy of the Syngress book SNORT 2.1 Intrusion Detection. Hope this helps.....

Completely off topic, would anybody like to see an ssl-decryption preproc? Obviously you would only be able to decrypt traffic bound to servers for which you possess the private keys; in addition we would need to figure out some way to securely store these keys in escrow. Just a thought Victor Julien and I have been kicking around.

Regards,

Will

On Thu, 28 Oct 2004 19:27:33 -0500, Pawel Czarnota <pc...@ui...> wrote:
> [quoted text of Pawel's original message, above in this thread]
From: Jason <sec...@br...> - 2004-10-29 04:17:18
Will Metcalf wrote:
> Completely off topic, would anybody like to see an ssl-decryption preproc? Obviously you would only be able to decrypt traffic bound to servers for which you possess the private keys; in addition we would need to figure out some way to securely store these keys in escrow. Just a thought Victor Julien and I have been kicking around.

If support is added I would love to see it tied into an SSL accelerator card. Using the accelerator could also provide the key escrow capabilities in hardware. I used to be under the impression that you could not properly do SSL decryption; however, as intruvert unfortunately proved to me, that is only the case with certain ciphers and anonymous SSL.
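The cipher dependency Jason mentions is decidable from the ServerHello alone: only static RSA key exchange lets a passive sensor that holds the server's private key recover the premaster secret, while (EC)DHE and anonymous DH suites cannot be decrypted that way regardless of which keys are escrowed. The following is an added example, not code from the thread or from snort_inline; it assumes the small suite table below (IANA code points), a constructed ServerHello with no extensions, and does not model TLS 1.3, where key exchange is always ephemeral.

```python
import struct

# Constructed subset of IANA cipher suites with their key-exchange method.
# "RSA" = static RSA key transport (decryptable with the server's private key);
# "DHE"/"ECDHE" = ephemeral, "anon" = no server key at all (not decryptable).
CIPHER_SUITES = {
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
    0x0018: ("TLS_DH_anon_WITH_RC4_128_MD5", "anon"),
    0x0034: ("TLS_DH_anon_WITH_AES_128_CBC_SHA", "anon"),
}

def parse_server_hello(record: bytes):
    """Return (protocol_version, cipher_suite) from a TLS record holding a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:           # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x02:                     # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = struct.unpack("!H", hello[0:2])[0]
    sid_len = hello[34]                                 # 2 bytes version + 32 bytes random
    suite_off = 35 + sid_len
    suite = struct.unpack("!H", hello[suite_off:suite_off + 2])[0]
    return version, suite

def decryptable_with_server_key(record: bytes):
    """Classify whether a passive sensor holding only the server's private key
    could decrypt this session. Returns (suite_name, key_exchange, decryptable)."""
    _, suite = parse_server_hello(record)
    name, kx = CIPHER_SUITES.get(suite, (f"unknown_0x{suite:04x}", "unknown"))
    return name, kx, kx == "RSA"

def build_server_hello(suite: int, version: int = 0x0301) -> bytes:
    """Constructed sample ServerHello (TLS 1.0 by default, empty session id, no extensions)."""
    hello = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00"
             + struct.pack("!H", suite) + b"\x00")
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake
```

Run over real captures, a sensor can use the same classification to decide up front which sessions an escrowed key will ever let it inspect and which it must treat as opaque.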
From: Tony C. <tc...@en...> - 2004-10-29 21:02:00
On Thursday 28 October 2004 23:18, Will Metcalf wrote:
> Completely off topic, would anybody like to see an ssl-decryption preproc? Obviously you would only be able to decrypt traffic bound to servers for which you possess the private keys; in addition we would need to figure out some way to securely store these keys in escrow. Just a thought Victor Julien and I have been kicking around.
> [remainder of Will's message and the quoted original, above in this thread]

Hey, count me in on this. I started on the SSL decryption a while ago but did not have the time to finish.

-Tony