AW: [Dshield] Firewall access
g.dodd at falk-ross.de
Tue Oct 16 08:33:57 GMT 2001
I run Tripwire, but it only catches changes to files on the firewall; I'm
more interested in access to systems behind the firewall - I will check out
AIDE because Tripwire is hard to configure.
I'll also look into Snort, as long as it will run on a Linux box.
> This is from my firewall logs showing denied connections, but how do I
> if somebody got through my firewall due to an incorrect configuration or a
> security hole.
The firewall will not help you. What you need is an 'Intrusion Detection
There are two different kinds of IDS. Host-based IDSs, which check if any
modifications have been made to particular files on a host, and
network-based IDSs, which will listen to network traffic and see if any of the
traffic looks like an intrusion (most of them use libraries of known
For a few examples:
- Tripwire: Monitors files and checks if any of them changed (e.g.
  /etc/passwd, ssh or other binaries).
- AIDE: same as Tripwire, but simpler (=easier to configure)
- Snort: Great network sniffer with excellent signature library.
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System