[Dshield] Firewall access

Johannes B. Ullrich jullrich at euclidian.com
Mon Oct 15 13:11:15 GMT 2001


> This is from my firewall logs showing denied connections, but how do I know
> if somebody got through my firewall due to an incorrect configuration or a
> security hole?

The firewall will not help you. What you need is an 'Intrusion Detection
System' (IDS).

There are two different kinds of IDS. Host-based IDSs, which check if any
modifications have been made to particular files on a host, and network-based
IDSs, which will listen to network traffic and see if any of the
traffic looks like an intrusion (most of them use libraries of known
patterns).

For a few examples:
- Tripwire: Monitors files and checks if any of them changed (e.g.
  /etc/passwd, ssh or other binaries).
- AIDE: same as Tripwire, but simpler (=easier to configure)
- Snort: Great network sniffer with excellent signature library.

...

-- 
-------
jullrich at sans.org                    Join http://www.DShield.org
                                     Distributed Intrusion Detection System
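
The file-change check that the message attributes to Tripwire and AIDE, reduced to its core as an added example (not part of the original message and not either tool's own code). The function names and the sample tree built in `demo()` are constructed for illustration:

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """Return (SHA-256 hex digest, permission bits, size) for one file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return digest, st.st_mode & 0o7777, st.st_size

def snapshot(root):
    """Map every regular file under root (relative path) to its fingerprint."""
    result = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                result[os.path.relpath(full, root)] = fingerprint(full)
    return result

def compare(baseline, current):
    """List files added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }

def write(root, rel, data, mode="wb"):
    with open(os.path.join(root, rel), mode) as fh:
        fh.write(data)

def demo():
    """Run a baseline and a re-check over a constructed sample tree."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        write(root, "passwd", b"constructed sample contents\n")
        write(root, os.path.join("bin", "ssh"), b"constructed sample binary")
        write(root, "motd", b"hello\n")
        baseline = snapshot(root)  # in practice stored off-host or read-only
        write(root, "passwd", b"# edited\n", mode="ab")      # content change
        os.chmod(os.path.join(root, "bin", "ssh"), 0o755)  # mode-only change
        os.remove(os.path.join(root, "motd"))              # deletion
        write(root, os.path.join("bin", "new"), b"x")      # new file
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The `bin/ssh` entry is reported even though its bytes are unchanged, because the fingerprint includes the permission bits as well as the hash.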

