AW: [Dshield] Firewall access

Graham Dodd g.dodd at
Tue Oct 16 08:33:57 GMT 2001

I run Tripwire, but it only catches changes to files on the firewall, I'm
more interested in access to systems behind the firewall - I will check out
AIDE because Tripwire is hard to configure.
I'll also look into Snort, as long as it will run on a Linux box.



> This is from my firewall logs showing denied connections, but how do I
> if somebody got through my firewall due to an incorrect configuration or a
> security hole.

The firewall will not help you. What you need is an 'Intrusion Detection
System'. (IDS)

There are two different kinds of IDS. Host based IDSs, which check if any
modifications have been made to particular files on a host, and network
based IDSs, which will listen to network traffic and see if any of the
traffic looks like an intrusion (most of them use libraries of known

For a few examples:
- Tripwire: Monitors files and checks if any of them changed (e.g.
  /etc/passwd, ssh or other binaries).
- AIDE: same as Tripwire, but simpler (=easier to configure)
- Snort: Great network sniffer with excellent signature library.


--
jullrich at                    Join
                                     Distributed Intrusion Detection System
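
The host-based check described in the reply above (record a baseline of particular files, then see later whether any of them changed), as an added example that is not part of the original messages and is not Tripwire's or AIDE's code. The function names `snapshot`, `compare` and `demo` and the sample files are assumptions for illustration; the files are constructed in a temporary directory.

```python
import hashlib, os, stat, tempfile

def snapshot(paths):
    """Record hash and metadata for each path; None marks a missing file."""
    db = {}
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            db[p] = None
            continue
        digest = None
        if stat.S_ISREG(st.st_mode):          # hash regular files only
            with open(p, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
        db[p] = {"sha256": digest, "mode": stat.S_IMODE(st.st_mode),
                 "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}
    return db

def compare(baseline, current):
    """Return {path: [what changed]} for every path that differs."""
    report = {}
    for p in sorted(set(baseline) | set(current)):
        old, new = baseline.get(p), current.get(p)
        if old == new:
            continue
        if old is None:
            report[p] = ["added"]
        elif new is None:
            report[p] = ["removed"]
        else:
            report[p] = [k for k in old if old[k] != new[k]]
    return report

def demo():
    with tempfile.TemporaryDirectory() as d:  # constructed stand-in files
        paths = [os.path.join(d, n) for n in ("passwd", "sshd", "hosts")]
        for p in paths:
            with open(p, "w") as f:
                f.write("original\n")
        baseline = snapshot(paths)
        with open(paths[0], "a") as f:        # content change
            f.write("added-account:x:0:0::/:/bin/sh\n")
        os.chmod(paths[1], 0o4755)            # permission change, same bytes
        os.remove(paths[2])                   # file deleted
        report = compare(baseline, snapshot(paths))
        return {os.path.basename(p): v for p, v in report.items()}

if __name__ == "__main__":
    print(demo())
```

A check like this only sees changes on the host where it runs, and the baseline has to be kept somewhere an intruder on that host cannot rewrite it.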


