 From:  "Dirk Hombrecher" <dhombrecher at ifrance dot com>
 To:  "Chad R. Larson" <clarson at eldocomp dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] snort
 Date:  Wed, 26 Nov 2003 20:35:06 +0100
The load of snort on FreeBSD is very low, except when an attack occurs.
There is also Guardian which can add rules to block the recognized attacker.

I am not thinking of another box; keep it close to the network for quick
analysis.

----- Original Message -----
From: "Chad R. Larson" <clarson at eldocomp dot com>
To: "Dirk Hombrecher" <dhombrecher at ifrance dot com>; <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, November 26, 2003 6:45 PM
Subject: Re: [m0n0wall] snort


At 04:43 PM 11/25/2003, Dirk Hombrecher wrote:
>is it possible to add into m0n0wall an IDS like SNORT?

You might be able to get close by enabling the remote syslog feature and
then running some of the log monitoring/analyzing tools on a different
machine.  SNORT can take a pretty good bite out of your available CPU,
which would be an issue on embedded systems like the Soekris boxes.

Or else, bridge a third interface to the WAN side and then use an external
box to SNORT that.

