RE: Snort Block Plugin.

[<CGhercoias () TWEC COM>]

Hi,

What if the attack (NMAP scan) comes from the same IP address with the
external interface of the firewall -- through the decoy function of
NMAP, or IP spoofing. How about ARP spoofing -- Cain and Abel software,
or ettercap?
How this piece of software deals with these scenarios?
Will this create a DOS on the firewall?


Thank you,
___________________________
Catalin A. Ghercoias
WEB/Network Security Administrator 

Office Phone: +(518) 452-1242 Ext.7435
Fax: (518) 452-4768
website: http://www.fye.com 

The content of this communication is classified as Trans World
Entertainment Confidential and Proprietary Information. As such, it is
intended solely for the use of the individual or entity to whom it is
addressed and only others who are authorized to receive it. If you are
not one of those, you are hereby notified that any disclosure, copying,
distribution, or action in reliance on the contents of this information
is strictly prohibited and may be unlawful. If you have received this
communication in error, please notify us immediately by responding to
this communication and then deleting it from your system. 


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
akhenato () montevideo com uy
Sent: Wednesday, May 26, 2004 6:46 AM
To: Snort List
Subject: [Snort-users] Snort Block Plugin.

Hi, I want to upload a contrib software that integrates with snort.
 
Introduction:
The objetive of this project is the creation of a software
that can be used to control the IP traffic arriving to a
server exposed to internet throught a firewall and there
is an NIDS (snort) detecting attack patterns.
As the NIDS detect an attack pattern, a rule is fired that
end with the creation of a filter in the firewall that drop
the traffic from the source address suspected.
The NIDS and the firewall are not needed to run on the same
system.
 
Description:
This software provides a server and a client applications that
integrates with snort to block any source IP address for a
specified time. The client must be run on the snort system and
is a snort plugin. The server must be installed (and running) in
a system acting as a firewall (where the netfilter rules are applied).
 
A rule must be configured in the snort rules files that fire
the plugin when the defined condition is reached.
 
I need some help to test and optimize this software, adding
features like encrypted communication between client and server,
and some others that can be practical for the project.




-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g.
Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id149&alloc_id66&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users