Snort mailing list archives
RE: fbidsmate and watchguard firebox
From: "Hamilton, Robert" <rhamilton () anteon com>
Date: Fri, 5 Sep 2003 09:54:15 -0400
Very insightful discourse guys .... Thanks! -Rob -----Original Message----- From: Jeff Nathan [mailto:jeff () snort org] Sent: Thursday, September 04, 2003 7:02 PM To: Matt Kettler Cc: Hamilton, Robert; snort-users () lists sourceforge net Subject: Re: [Snort-users] fbidsmate and watchguard firebox -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I forgot to add that SnortSam *ALSO* adds the functionality in question! - -Jeff On Thursday, September 4, 2003, at 03:41 PM, Jeff Nathan wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Matt, well stated. I just wanted to clarify. On Thursday, September 4, 2003, at 02:24 PM, Matt Kettler wrote:At 04:08 PM 9/4/2003 -0400, Hamilton, Robert wrote:Any way to directly call fbidsmate from snort alert rules?Directly from snort there is no way to call *any* firewall tool. Fundamentally out of the box snort is an IDS and only an IDS. It has no support for reconfiguring any firewalls of any sort. No support for IpTables, IPF, cisco, watchguard, or any other kind of firewall is present. It does have a *very* limited ability to attempt to kill offensive connections using flexresp, but this doesn't reconfigure a firewall..
"react:block" just causes flexresp to generate some tcp reset packets
or icmp unreachable messages. It is however not reliable when racing against an educated attacker (If the attacker knows flexresp is going
to issue a reset in response to an attack, they can attempt to advance the sequence number before flexresp can respond. Flexresp is being improved to help avoid this, but it still fundamentally boils down to a race where flexresp has the speed advantage, but the attacker has the advantage of knowing when the race will start and can be prepared in advance. .)The react keyword implements HTTP (application layer) blocking by returning HTTP data to the client browser. The resp keyword performs the active response that you're describing above. Flexresp2, released yesterday, uses a brute force approach for desynchronizing TCP connections. The biggest hinderance in this race is TCP stream reassembly. Essentially, TCP segments are coalesced before the detection plugins even get them, making active response really tough. While an attacker can try to advance their sequence numbers outside the range used by flexresp2, they can't do this easily. This sort of attack would require some sort of event-based logic to track the state
of the connection used for the attack and would have to "cook" ethernet frames and avoid the actual TCP/IP stack. Flexresp2 already does this :) It makes a few assumptions on the rate
of ACK number consumption and attempts to send a TCP reset packet with
an ACK number that lands within the acceptable range of sequence numbers. By default it sends three of these to the receiving TCP.It's only add-ons such as snortsam which extend firewall modification
capability, bringing snort more into the realm of IPS type functionality than IDS functionality.Snort_inline provides the sort of functionality being requested. (as you mention below).And really, this separation into different add-on tools allows snort to be as flexible as possible without becoming insanely bloated. Snort by itself focuses on being a good IDS, and projects like snortsam and inline-snort focus on firewall manipulation.- -Jeff - -- http://cerberus.sourcefire.com/~jeff (gpg key available) "Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (Darwin) iD8DBQE/V7+aEqr8+Gkj0/0RAu73AKCTcQGChrouiLNMW2wZzwlpu39EWgCgslmR eQlpDkzuoFxqtuonmdgy1Hw= =sqp6 -----END PGP SIGNATURE----- ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
- -- http://cerberus.sourcefire.com/~jeff (gpg key available) "Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (Darwin) iD8DBQE/V9JeEqr8+Gkj0/0RAvkmAJ914jVNfg2dVRSnJFAzLA10ucrX7gCgs895 fqeBkctBZmwDZ7dw84E5pUs= =yfSm -----END PGP SIGNATURE----- ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- fbidsmate and watchguard firebox Hamilton, Robert (Sep 04)
- Re: fbidsmate and watchguard firebox Matt Kettler (Sep 04)
- Re: fbidsmate and watchguard firebox Jeff Nathan (Sep 04)
- Re: fbidsmate and watchguard firebox Jeff Nathan (Sep 04)
- Re: fbidsmate and watchguard firebox Matt Kettler (Sep 05)
- Re: fbidsmate and watchguard firebox Jeff Nathan (Sep 07)
- Re: fbidsmate and watchguard firebox Jeff Nathan (Sep 04)
- Re: fbidsmate and watchguard firebox Matt Kettler (Sep 04)
- <Possible follow-ups>
- RE: fbidsmate and watchguard firebox Hamilton, Robert (Sep 05)