Re: react: block not working

["Micheal.Cottingham" <micheal.cottingham () svccchr1 sv vccs edu>]

At 09:25 AM 2/6/2004, Micheal.Cottingham wrote:
> As per the subject, react: block does not seem to be working. ACID is 
> still picking up the alerts even though react: block is set. An example
> rule is:
>
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "ICMP Large ICMP 
> Packet"; dsize: > 800; react: block; reference: arachnids, 246;
> side: 499; rev: 3 classtype: bad-unknown;)


> You probably need to get a MUCH better understanding of what react:block 
> does before you use it further.

> http://www.snort.org/docs/snort_manual/node16.html#SECTION00374000000000000000

> 1) react:block is NOT a firewall
> 2) react:block will NOT stop subsequent attempts
> 3) react:block will not prevent the current packet alerted on from entering 
> your network.
> 4) react:block does nothing useful when used on ICMP packets.

> React:block _does_ however _attempt_ to reset a connection by using the 
> flexresp system. This, if successful, prevents any more data in the given 
> session from entering your network.... ICMP messages are sessionless, and 
> there's little of any value that can be done to them after-the-fact.

Figures I missed something. heh. We do have two Cisco PIX, one primary, one failover for this site of our institution. 
However, for various 
reasons, we need IDS/IPS. I realize we can make the firewall do some of the stuff for us. However, there have been some 
things that the 
firewall would not be able to do.

At 09:25 AM 2/6/2004, Micheal.Cottingham wrote:
> am doing this for other things such as MSSQL Propogation Attempt, NMAP 
> Ping, etc. I especially want to block ICMP Large Packet as the
> TTL's have been modified, and the payload is a bit screwy to say the 
> least. MSSQL Propogation Attempt is another big one on my list. I am in a
> pure windows environment and my boss is not favorable of *nix, so hogwash 
> is out of the question I'm afraid. snort-inline is also just *nix if I
> am not mistaken, is it not? I am using Snort 2.1. Any help would be 
> greatly appreciated

> Whoops, sorry, missed the second half...

> Really, since Windows doesn't come with a flexible scriptable firewall, 
> there's little that you can do directly on a windows box itself.

> If you must stick to windows-only you can buy a copy of CheckPoint FW/1 for 
> your Windows box and use snortsam.

Believe me, if I had my way, we'd be on at least some *nix machines, if not all.

> Although for the money I'd recommend not buying FW/1 and getting a separate 
> firewall box and have snortsam command that. For the price of FW/1 you 
> should be able to buy a Cisco PIX or Watchguard firebox. From what I read 
> on the net, Checkpoint can be pretty pricey.

Yeah, as I said above, we do have two Cisco PIX firewalls, but for various reasons, we need IDS/IPS.

> Snortsam can handle a variety of firewalls and can run with snort on a 
> windows box :
> http://www.snortsam.net/

Thank you. I'll take a look at this. Will this provide what we want? As I mentioned before, we want to block/drop ICMP, 
UDP, and TCP packets.



-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users