From: Mark Rowlands
Reply-To: mark.rowlands@minmail.net
To: Per Tore Larsen, "'freebsd-questions@freebsd.org'"
Subject: Re: Snort or Portsentry?
Date: Wed, 10 Jan 2001 18:00:01 +0100

On Tuesday 09 January 2001 20:20, Per Tore Larsen wrote:
> Hi.
>
> I need a port that will monitor my firewall for possible
> backdoor/breakins/etc and found out that snort or portsentry
> would make this possible.
>
> Here's my question:
> Will both be able to send mail when one of the rules is activated, or a
> message to a windows machine that the port has detected a possible
> security problem? Which would be the best to use?
>
> I'm using ipf and ipnat on FreeBSD 4.2.
>

Snort can send smb messages and, as with most unix-like utilities, scripting can perform most miracles that have been omitted by the developers. Portsentry with logsentry (afaik) will send email alerts. As for smb, see scripting.

Me.
I like snort, very flexible, some cool utilities around it (snortsnarf.pl dumps the output to a webserver for point and clicky type stuff). It has support for various databases, and more features are being added all the time, and because (whisper it quietly) it has a win32 port as well. It does have a response type plugin, but I am generally a bit wary of these due to the possibility of a savvy miscreant exploiting it against me or others.

As ever, ymmv.
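
Added example, not part of the original message and not code from Snort or Portsentry: one way to script the mail alert asked about in this thread, by reading Snort alert lines and coalescing them into a single notification instead of acting on each one. It assumes the "fast" alert line layout written by Snort 2.x; the function names, addresses and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from email.message import EmailMessage

# Assumed layout: Snort 2.x "fast" alert lines; adjust for other output modes.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
# Constructed sample input (documentation address ranges, made-up rules).
SAMPLE = """\
01/10-18:00:01.120000  [**] [1:1000001:1] Constructed test rule A [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 192.0.2.10:4321 -> 198.51.100.5:22
01/10-18:00:01.450000  [**] [1:1000001:1] Constructed test rule A [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 192.0.2.10:4322 -> 198.51.100.5:23
01/10-18:00:02.000000  [**] [1:1000002:1] Constructed test rule B [**] [Priority: 3] {ICMP} 192.0.2.77 -> 198.51.100.5
not an alert line
""".splitlines()

def parse_alerts(lines):
    """Yield one dict per well-formed alert line; silently skip anything else."""
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            yield {**m.groupdict(), "prio": int(m["prio"])}

def build_digest(lines, max_priority=2,
                 sender="snort@fw.example.org", rcpt="admin@example.org"):
    """Return one EmailMessage for alerts with priority <= max_priority, else None."""
    groups = defaultdict(list)
    for a in parse_alerts(lines):
        if a["prio"] <= max_priority:            # priority 1 is the most severe
            src_ip = a["src"].rsplit(":", 1)[0]  # IPv4 only: drop the port if present
            groups[(a["sid"], src_ip)].append(a)
    if not groups:
        return None
    body = [f"{len(hits)}x sid {sid} from {src}: {hits[0]['msg']}"
            for (sid, src), hits in sorted(groups.items())]
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, rcpt
    # Subject carries counts only; text taken from the alert stays in the body.
    msg["Subject"] = f"snort: {len(groups)} alert group(s)"
    msg.set_content("\n".join(body))
    return msg

if __name__ == "__main__":
    print(build_digest(SAMPLE))  # pass to smtplib.SMTP(...).send_message() to deliver
```

The script only notifies; a burst of alerts from one source produces one line in one mail, and nothing is blocked automatically.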