[Dshield] Firewall access
Johannes B. Ullrich
jullrich at euclidian.com
Mon Oct 15 13:11:15 GMT 2001
> This is from my firewall logs showing denied connections, but how do I know
> if somebody got through my firewall due to an incorrect configuration or a
> security hole.
The firewall will not help you. What you need is an 'Intrusion Detection
There are two different kinds of IDS. Host-based IDSs, which check if any
modifications have been made to particular files on a host, and network-based
IDSs, which will listen to network traffic and see if any of the
traffic looks like an intrusion (most of them use libraries of known
For a few examples:
- Tripwire: Monitors files and checks if any of them changed (e.g.
  /etc/passwd, ssh or other binaries).
- AIDE: same as Tripwire, but simpler (=easier to configure)
- Snort: Great network sniffer with excellent signature library.
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System
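
The file-change check a host-based IDS performs, as an added example that is not part of the original message and is not Tripwire's or AIDE's code: record a baseline of hashes and permission bits for watched files, then report drift. The function names and the sample files (stand-ins for /etc/passwd and an ssh binary, created in a temporary directory) are constructed for illustration.

```python
import hashlib, os, stat, tempfile

def snapshot(paths):
    """Record SHA-256 and permission bits for each watched file that exists."""
    state = {}
    for path in paths:
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
        except FileNotFoundError:
            continue  # absence is reported by compare() as "removed"
        state[path] = {"sha256": digest, "mode": mode}
    return state

def compare(baseline, current):
    """Return sorted (path, finding) pairs describing drift from the baseline."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append((path, "added"))
        elif new is None:
            findings.append((path, "removed"))
        else:
            if old["sha256"] != new["sha256"]:
                findings.append((path, "content changed"))
            if old["mode"] != new["mode"]:
                findings.append((path, "mode changed"))
    return findings

def demo():
    """Constructed sample: three watched files in a temp dir, each altered differently."""
    with tempfile.TemporaryDirectory() as d:
        watched = [os.path.join(d, n) for n in ("motd", "passwd", "sshd")]
        for path in watched:
            with open(path, "w") as fh:
                fh.write("original contents\n")
        # Assumption: a real deployment keeps the baseline on read-only or offline media.
        baseline = snapshot(watched)
        with open(watched[1], "a") as fh:   # extra account appended to "passwd"
            fh.write("extra:x:0:0::/:/bin/sh\n")
        os.chmod(watched[2], 0o755)         # permission change on "sshd"
        os.remove(watched[0])               # watched file deleted
        drift = compare(baseline, snapshot(watched))
        return [(os.path.basename(p), what) for p, what in drift]

if __name__ == "__main__":
    print(demo())
```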