
RE: [cobalt-security] IDS and established TCP/UDP sessions
> Although I haven't installed it yet, Snort is where I'm most likely
> headed, but want to hear from you guys.

I haven't checked the RPMs on the Snort site (they are a new addition).  We
built Snort RPMs for RaQs about 6 weeks ago ... not hard, but there are a
couple of gotchas: http://vito.pointclark.net/cobalt/snort.html.

Just my $0.02 (since you asked for it!).  Snort, PortSentry, et al. prevent
break-ins because they can help an administrator become more aware of what's
going on.  In other words, installing Snort and just letting it run
unattended won't really help much.

SnortSnarf is handy
http://www.silicondefense.com/software/snortsnarf/index.htm

> If you don't know the PID, how do you kill an established TCP/UDP session
> w/o rebooting the box? All netstat does is show you the current activity.

The "-p" flag on netstat shows the process/PID (you must be root).

Cheers!
Pete

--------------------------
http://vito.pointclark.net
Vito - A Cobalt RaQ System Monitor
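The netstat "-p" step from the reply above, worked through as an added example (this is not code from the original message, from Vito, or from the Cobalt RaQ tools): a small POSIX sh script that parses the `PID/Program name` column of `netstat -tunp` output, maps an established session's foreign address to its owning PID, and emits the matching `kill` commands for review. The netstat output below is a constructed sample embedded so the script runs offline; on a real box you would run `netstat -tunp` as root and pass its output in instead. The function names and the sample addresses are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: resolve an established
# TCP/UDP session to the PID that owns it using the "-p" column of netstat.
# Constructed sample of `netstat -tunp` output (root shows real PIDs; a
# non-root user sees "-" in the PID column, which the parser skips).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:22             192.168.1.20:51234      ESTABLISHED 4121/sshd
tcp        0      0 10.0.0.5:80             203.0.113.9:40022       ESTABLISHED 873/httpd
tcp        0      0 10.0.0.5:80             203.0.113.9:40023       TIME_WAIT   -
udp        0      0 10.0.0.5:53             198.51.100.7:33001      ESTABLISHED 612/named'

# find_pid_for_peer PEER [NETSTAT_OUTPUT]
# Prints the PID of every ESTABLISHED tcp/udp session whose foreign address
# matches PEER, given either as a host ("192.168.1.20") or host:port.
# Reads netstat -p style output from the second argument, or from stdin.
find_pid_for_peer() {
    peer=$1
    input=${2:-$(cat)}
    printf '%s\n' "$input" | awk -v peer="$peer" '
        # Columns: 1 Proto, 5 Foreign Address, 6 State, 7 PID/Program name.
        $1 ~ /^(tcp|udp)/ && $6 == "ESTABLISHED" {
            if ($5 == peer || index($5, peer ":") == 1) {
                split($7, pp, "/")
                # "-" means the PID is not visible (not running as root).
                if (pp[1] != "-") print pp[1]
            }
        }'
}

# kill_commands_for_peer PEER [NETSTAT_OUTPUT]
# Emits one "kill <pid>" line per matching session so the operator can
# review the list first, then execute it with: kill_commands_for_peer PEER | sh
kill_commands_for_peer() {
    find_pid_for_peer "$1" "$2" | awk '{ print "kill " $1 }'
}

# Demo against the constructed sample: prints 4121, then "kill 4121".
find_pid_for_peer 192.168.1.20 "$SAMPLE_NETSTAT"
kill_commands_for_peer 192.168.1.20 "$SAMPLE_NETSTAT"
```

The parser deliberately ignores anything not in ESTABLISHED state (the TIME_WAIT line has no owning process and shows "-"), and matching on `host:` rather than a bare prefix keeps `10.0.0.5` from matching `10.0.0.50`. Emitting `kill` commands instead of running them keeps the "look before you leap" step the reply recommends: review the PIDs netstat attributes to the session, then terminate only the process you meant to.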