 From:  "Robert Staph" <rstaph at digitalimpreza dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] snort or IDS
 Date:  Mon, 25 Oct 2004 09:21:06 -0400
> I personally wouldn't mind having my firewall running Snort, or an IDS as 
> it saves me all that work. Also it would facilitate automatic blocking of 
> IP addresses on the m0n0wall, which you couldn't really have without it 
> built-in.
> To have an IDS is to get alerts, so if you don't like getting alerts, 
> don't run an IDS.

You can do automatic stuff on the m0n0wall, see the messages about backing 
up the config via CURL or wget.  You can use the same method to add a rule 
to your firewall.  Although I wouldn't trust any automatic blocking method 
without some serious testing behind it (wouldn't want to block a potential 
paying customer by accident).

I don't like getting alerts and I do run an IDS (I would love it if the 
internet were nice/safe enough to never get another alert).  I also run it 
inside the firewall, who cares about the traffic that doesn't get through, 
the firewall is doing its job.  I only really care about instances when the 
firewall doesn't do its job.

Don't forget that just because you have an IDS and firewall, it is a free 
ticket to slacking off on updates.
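The message warns against trusting automatic blocking without serious testing, since a bad rule can lock out a paying customer. The script below is an added example (not code from the m0n0wall project or from the poster) of the vetting step that would sit between the IDS and any script that pushes rules to the firewall: it parses Snort-style one-line alerts, drops anything below a priority threshold, refuses to touch addresses on an allowlist, and only proposes sources seen repeatedly. The alert lines, the allowlist ranges and the thresholds are constructed values; the actual push to m0n0wall is left out because the message names no URL or form for it.

```python
"""Vet IDS alerts before any address is blocked automatically.

Added example, not m0n0wall project code. Assumes Snort "alert_fast"
style one-line alerts; every address and threshold here is made up.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample alerts (RFC 5737 documentation addresses, not real traffic).
SAMPLE_ALERTS = [
    "10/25-09:21:06.000001 [**] [1:2001:1] Probe A [**] [Priority: 1] {TCP} 203.0.113.5:4444 -> 198.51.100.10:22",
    "10/25-09:21:07.000002 [**] [1:2001:1] Probe A [**] [Priority: 1] {TCP} 203.0.113.5:4445 -> 198.51.100.10:22",
    "10/25-09:21:08.000003 [**] [1:2001:1] Probe A [**] [Priority: 1] {TCP} 203.0.113.5:4446 -> 198.51.100.10:22",
    "10/25-09:21:09.000004 [**] [1:2002:1] Noisy rule [**] [Priority: 3] {UDP} 203.0.113.9:5353 -> 198.51.100.10:5353",
    "10/25-09:21:10.000005 [**] [1:2001:1] Probe A [**] [Priority: 1] {TCP} 192.0.2.77:1111 -> 198.51.100.10:22",
    "10/25-09:21:11.000006 [**] [1:2001:1] Probe A [**] [Priority: 1] {TCP} 192.0.2.77:1112 -> 198.51.100.10:22",
    "10/25-09:21:12.000007 [**] [1:2001:1] Probe A [**] [Priority: 1] {TCP} 192.0.2.77:1113 -> 198.51.100.10:22",
    "10/25-09:21:13.000008 [**] [1:2003:1] Single hit [**] [Priority: 1] {TCP} 203.0.113.200:2222 -> 198.51.100.10:80",
]

# Hypothetical ranges that must never be auto-blocked: a customer block and
# the firewall's own LAN. Constructed values for the example.
ALLOWLIST = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Matches the tail of an alert_fast line: "[Priority: N] {PROTO} src[:port] -> dst[:port]".
ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)


def parse_alert(line):
    """Return (source address, priority) for one alert line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return ipaddress.ip_address(m.group("src")), int(m.group("prio"))


def is_allowlisted(ip, allowlist=ALLOWLIST):
    """True if the address falls inside any protected network."""
    return any(ip in net for net in allowlist)


def candidate_blocks(lines, allowlist=ALLOWLIST, max_priority=1, min_hits=3, cap=10):
    """Apply the safeguards and return (proposed block list, allowlisted sources that were skipped).

    A source is proposed only if it raised at least `min_hits` alerts with
    priority <= `max_priority` (Snort priority 1 is the most severe) and is
    not allowlisted. `cap` bounds how many rules one run may propose, so a
    single noisy hour cannot flood the firewall with rules.
    """
    hits = Counter()
    skipped = set()
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue  # malformed or unrelated log line, ignore it
        src, prio = parsed
        if prio > max_priority:
            continue  # low-severity noise never earns a block
        if is_allowlisted(src, allowlist):
            skipped.add(str(src))  # record it so a human can review the false positive
            continue
        hits[src] += 1
    proposed = [str(ip) for ip, n in hits.most_common() if n >= min_hits][:cap]
    return proposed, sorted(skipped)


if __name__ == "__main__":
    proposed, skipped = candidate_blocks(SAMPLE_ALERTS)
    print("would propose blocking:", proposed)
    print("allowlisted sources seen in alerts:", skipped)
```

On the sample data only 203.0.113.5 survives all three checks; the allowlisted 192.0.2.77 is reported rather than blocked, which is the kind of output worth reviewing by hand for a while before wiring the proposed list into the curl or wget step the message refers to.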