IDS mailing list archives
RE: Snort-Inline and worm containment
From: "Rob Shein" <shoten () starpower net>
Date: Thu, 30 Jan 2003 12:13:04 -0500
The Honeynet Project uses a variant of Snort-Inline for an almost identical purpose in their 2nd Generation Honeynets. Their goal is to prevent the compromise of other networks or hosts due to attacks originating from the Honeynet. The difference is that while they only prevent outbound traffic from having an impact, I imagine you're considering the opposite. Their implementation also allows the traffic out, but munges parts of it to render it ineffective against the outside target. On the downside, however, they have little to worry about in the way of false positives; it's a honeynet, so any traffic in or outbound from it is almost certain to be hostile, and is definitely not of any production value (as we normally consider the term).
-----Original Message----- From: Tom McLaughlin [mailto:tmclaugh () sdf lonestar org] Sent: Tuesday, January 28, 2003 9:19 PM To: focus-ids () securityfocus com Subject: Snort-Inline and worm containment Hi everyone, The recent Slammer worm made me think a little about using Snort-Inline for some form of network worm containment purposes. I did a quick Google search and found little on the idea. Has anyone found or written anything on using Snort-Inline to prevent the spread of viruses across a network? Think about the benefits to an organization of being able to confine virus outbreaks to particular segments of a network and not having problems effect the stability of the remaining users, or more importantly, spreading across a network to the point of overwhelming available resources. Thanks, Tom -- Mandrake Cooker + Honeypot = http://cookerpot.linsec.ca
Current thread:
- RE: Snort-Inline and worm containment Rob Shein (Jan 31)