On Jun 10, 2004, at 8:27 AM, Rodolfo J. Paiz wrote:
> However, if in general you want security tools to detect malicious activity, then I suggest using Shorewall [1] as your firewall package on the Linux box, and Snort [2] for an intrusion detection system (IDS). Both tools are top-of-the-line and will likely do a huge percentage of what you want.
Snort with flexresp will do much of what the user is looking for.
The snort rpms from dag's site have flexresp compiled in by default.
That being said, any time you use an IDS with response code, you take the chance of DoSing yourself by accident. Be extremely careful with how you configure flexresp.
Those rpms use flexresp2, the new version, which is supposed to be much improved. Here's the info:
http://cerberus.sourcefire.com/~jeff/archives/snort/sp_respond2/
Of course, he'll have to do the usual span port stuff on his switches, or run snort_inline instead, which is really an IPS.
--j
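The warning above about DoSing yourself with an IDS response code is the kind of thing worth checking before a rules file goes live. The following is an added example, not code from the message or from Snort: a small pre-deployment audit that reads Snort-style rules, finds the ones carrying the `resp:` active-response option, and flags those whose scope is wide enough to reset traffic you did not intend. The rule syntax assumed is Snort's classic `action proto src sport dir dst dport (options)` form, and the sample rules are constructed for the demonstration.

```python
import re

# Constructed sample rules file (not from the original message). The
# `resp:` option is the active-response keyword added by flexresp/flexresp2.
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"telnet login attempt"; resp:rst_all; sid:1000001;)
alert tcp any any <> any any (msg:"too broad"; content:"evil"; resp:rst_all; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"web probe"; content:"/cgi-bin/"; resp:rst_snd; sid:1000003;)
alert tcp any any -> $HOME_NET 80 (msg:"passive only"; content:"scan"; sid:1000004;)
"""

# Header of a Snort 2 rule: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def audit_active_response(rules_text):
    """Return [(sid, [reasons])] for rules that send active responses and
    are scoped loosely enough to reset connections you did not mean to."""
    findings = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # not a rule header we understand; skip it
        opts = m.group('opts')
        if not re.search(r'\bresp\s*:', opts):
            continue  # passive alert: no self-DoS risk from response code
        sid_m = re.search(r'\bsid\s*:\s*(\d+)', opts)
        sid = int(sid_m.group(1)) if sid_m else None
        reasons = []
        if m.group('src') == 'any' and m.group('dst') == 'any':
            reasons.append('any-to-any addresses')
        if m.group('dir') == '<>':
            reasons.append('bidirectional rule')
        if not re.search(r'\bcontent\s*:', opts):
            reasons.append('no content match, fires on every packet')
        if reasons:
            findings.append((sid, reasons))
    return findings


if __name__ == '__main__':
    for sid, reasons in audit_active_response(SAMPLE_RULES):
        print(f'sid {sid}: {", ".join(reasons)}')
```

Only rules that both respond and are loosely scoped are reported; a tightly targeted `resp:` rule such as sid 1000003 in the sample passes.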