AW: [Dshield] Firewall access

Graham Dodd g.dodd at falk-ross.de
Tue Oct 16 08:33:57 GMT 2001


Johannes,
I run Tripwire, but it only catches changes to files on the firewall, I'm
more interested in access to systems behind the firewall - I will check out
AIDE because Tripwire is hard to configure.
I'll also look into Snort, as long as it will run on a Linux box.

thanks,

Graham


> This is from my firewall logs showing denied connections, but how do I
> know if somebody got through my firewall due to an incorrect configuration
> or a security hole.

The firewall will not help you. What you need is an 'Intrusion Detection
System' (IDS).

There are two different kinds of IDS. Host based IDSs, which check if any
modifications have been made to particular files on a host, and network
based IDSs, which will listen to network traffic and see if any of the
traffic looks like an intrusion (most of them use libraries of known
patterns).

For a few examples:
- Tripwire: Monitors files and checks if any of them changed (e.g.
/etc/passwd, ssh or other binaries).
- AIDE: same as Tripwire, but simpler (=easier to configure)
- Snort: Great network sniffer with excellent signature library.

...

--
-------
jullrich at sans.org                    Join http://www.DShield.org
                                     Distributed Intrusion Detection System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7yuB1VOIizK5pIDMRAhKWAKCF1figLIfUKMfsOFCcl9Ki6sf+WACgqqDD
NyKd845h/2Eg/OLfdH5nyQg=
=yGFR
-----END PGP SIGNATURE-----
