Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] Snort as IDS on Firewall

To: "'dsullinger'" <[email protected]>, Checkpoint Fw-1 Mailing List <[email protected]>
Subject: RE: [FW1] Snort as IDS on Firewall
From: Frank Knobbe <[email protected]>
Date: Thu, 19 Oct 2000 17:55:24 -0500
Sender: [email protected]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm running snort on a couple boxes, including the firewall. I
created a few batch files that will capture alerts from the alert.ids
file, transmit them encrypted (using cryptcat) to the management
station, and there automatically block the offending IP addresses by
adding them to the SAM (for a certain amount of time, configurable in
the snort rules). This seems to work well (I'm still working to
stream line the batch files, though. I just hacked them together a
few days ago). I don't see much of a performance degradation yet.

Although snort, just like any other IDS, puts some overhead on the
processor. If your firewall can't spare some CPU cycles (i.e. too
many connections to service), then put snort on a separate machine.
If you have a beefy firewall, and enough processing power, snort
should run great.

Regards,
Frank

> -----Original Message-----
> From: dsullinger [mailto:[email protected]]
> Sent: Wednesday, October 18, 2000 11:37 AM
> 
> Is anyone using Snort as a intrusion detection system
> with Firewall-1 on Solaris?
> 
> What is your opinion?
> 
> ==============================================================
> ==================
>      To unsubscribe from this mailing list, please see the 
> instructions at
>                http://www.checkpoint.com/services/mailing.html
> ==============================================================
> ==================
> 

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOe973ERKym0LjhFcEQJFugCeI57yi9uAkeg07JVaM8HNtInCtPsAn3aR
tSlFchYiXYHS9S+AqjP7yCRh
=k/gP
-----END PGP SIGNATURE-----


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: RE: [FW1] stopping AOL instant messenger
Next by Date: RE: [FW1] Snort as IDS on Firewall
Previous by thread: Re: [FW1] Snort as IDS on Firewall
Next by thread: RE: [FW1] Snort as IDS on Firewall
Index(es):
- Date
- Thread