Snort mailing list archives

Re: Snort & Intrusion Prevention


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 02 Jun 2004 12:46:32 -0400

At 09:10 AM 6/2/2004, Maetzky, Steffen (Extern) wrote:
I'd like to compare some possibilities of using snort as IPS.
I know the following plugins/ patches:

Flexresp/ flexresp2, Snort-inline, Guardian, Snortsam

I'd like to know if my understanding of them is right or not
and if there are further advantages or disadvantages I have not listed
which depend directly on the architecture of one of the systems.

My understanding of them is the following:

1. Snort goes into "Inline-Mode" (what does "Inline-Mode" mean?) if I
use flexresp, flexresp2 or snort-inline, which means that snort can block
actively.



"in-line" means just that.. the snort box is in-line with your data flow, much like a firewall box. It's got two ethernet interfaces, and data must go through the snort box, and can't go around it.

        Internet -------- inline-snort ------ your network

However, neither flexresp nor flexresp2 are inline type technologies, and they operate VERY differently than inline-snort.

flexresp and flexresp2 work by attempting to desynchronize and reset a TCP connection, or use ICMP errors to attempt to report a fake error to one of the systems.

Most of your understandings are a bit flawed, so here's something more involved:

Flexresp/flexresp2 (or any other "spoofed packet" system)

        Advantages:
                snort is not in-line, making installation easy.
                No additional software, just a compile of snort --enable-flexresp
                DoS via spoofed packets by attacker unlikely, scope limited to killing one connection at best

        Disadvantages:
                reacts "after the fact" and attempts to kill traffic after the rule was triggered (packet containing attack passes)
                requires the snort box to send packets into the monitored stream.. sniff-only tap impossible.
                unreliable, desynch attempts may fail, cunning attackers can make active attempts to evade it


inline-snort: (or any other "inline firewall IPS" type system that kills single packets or single connections)

        Advantages:
                reliable. Can block the packet containing the attack.
                kills only the attack packet
                DoS via spoofed packets by attacker unlikely, scope limited to killing one connection at best

        Disadvantages:
                requires in-line connection
                linux/iptables specific (BSD variant in development??)
                sniff-only tap impossible


Guardian, SnortSam (or any other reactive firewall-reconfig system that blocks hosts for a set period of time)

        Advantages:
                Depending on configuration, the snort sensor can be done with a sniff-only tap.
                semi-reliable. Can block the source of attack, although the attack itself will likely go through.
                can block any follow-on attacks which might not be detected by snort.
                Works on a wide variety of firewalls
                Can interface to a stand-alone firewall box or appliance.

        Disadvantages:
                DoS via spoofed packets faking attacks from all over the world possible, can be mitigated partly via whitelists.
                reacts "after the fact" and attempts to kill traffic after the rule was triggered (packet containing attack passes)






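The two points Matt makes about reactive firewall-reconfig systems (the triggering packet has already passed, and a spoofed-source alert can get a legitimate host blocked unless a whitelist intervenes) can be seen in a small simulation. The following is an added example written for this archive page; it is not code from the thread, from SnortSam or from Guardian. It parses alert lines in Snort's "fast" output format, applies a SnortSam-style timed block list with a whitelist, and counts how many alert-carrying packets traversed the link before any block was in place. The alert lines, addresses (RFC 5737 documentation ranges), SID 1000001 and the `ReactiveBlocker` class are all constructed for the illustration.

```python
"""Simulation of a SnortSam/Guardian-style reactive blocker (constructed example)."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample alerts in Snort "fast" alert format. The third line is a
# spoofed attack whose source is forged as the site's upstream DNS resolver,
# the classic way to turn a reactive blocker into a DoS tool.
SAMPLE_ALERTS = [
    '06/02-12:46:32.000001  [**] [1:1000001:1] SAMPLE attacker probe [**] '
    '[Priority: 2] {TCP} 203.0.113.7:40001 -> 192.168.1.10:80',
    '06/02-12:46:33.000002  [**] [1:1000001:1] SAMPLE attacker probe [**] '
    '[Priority: 2] {TCP} 203.0.113.7:40002 -> 192.168.1.10:80',
    '06/02-12:46:34.000003  [**] [1:1000001:1] SAMPLE attacker probe [**] '
    '[Priority: 2] {UDP} 192.0.2.53:53 -> 192.168.1.10:53',
]

# Reference time for the simulation; alert i is handled at T0 + i seconds.
T0 = datetime(2004, 6, 2, 12, 46, 32)

FAST_RE = re.compile(
    r'^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+'
    r'(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$'
)


def parse_fast_alert(line):
    """Return the alert fields as a dict, or None if the line is not a fast alert."""
    m = FAST_RE.match(line)
    return m.groupdict() if m else None


class ReactiveBlocker:
    """Blocks alert sources for a fixed period, except hosts on the whitelist."""

    def __init__(self, whitelist, block_seconds=300):
        self.whitelist = [ip_network(n) for n in whitelist]
        self.block_for = timedelta(seconds=block_seconds)
        self.blocks = {}            # source ip -> expiry time
        self.passed_attack_packets = 0

    def is_whitelisted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def expire(self, now):
        """Drop blocks whose timer has run out; return the addresses released."""
        expired = [ip for ip, until in self.blocks.items() if until <= now]
        for ip in expired:
            del self.blocks[ip]
        return expired

    def handle(self, line, now):
        alert = parse_fast_alert(line)
        if alert is None:
            return 'ignored'
        # The packet that raised the alert has already crossed the monitored
        # link: a reactive blocker only stops what comes after it.
        self.passed_attack_packets += 1
        self.expire(now)
        src = alert['src']
        if self.is_whitelisted(src):
            return 'whitelisted'         # spoofed or not, never block critical hosts
        if src in self.blocks:
            return 'already_blocked'
        self.blocks[src] = now + self.block_for
        return 'blocked'

    def is_blocked(self, ip, now):
        self.expire(now)
        return ip in self.blocks


def run_sample(block_seconds=300):
    """Feed the constructed alerts through a blocker; return it and the actions taken."""
    blocker = ReactiveBlocker(whitelist=['192.0.2.53/32', '192.168.1.0/24'],
                              block_seconds=block_seconds)
    actions = [blocker.handle(line, T0 + timedelta(seconds=i))
               for i, line in enumerate(SAMPLE_ALERTS)]
    return blocker, actions


def still_blocked_after(blocker, ip, seconds):
    """Is ip still blocked `seconds` after T0? Shows the block timer expiring."""
    return blocker.is_blocked(ip, T0 + timedelta(seconds=seconds))


if __name__ == '__main__':
    blocker, actions = run_sample()
    for line, action in zip(SAMPLE_ALERTS, actions):
        print(f'{action:16} {line.split("{", 1)[1]}')
    print('attack packets that passed before any block:', blocker.passed_attack_packets)
    print('203.0.113.7 blocked at +200s:', still_blocked_after(blocker, '203.0.113.7', 200))
    print('203.0.113.7 blocked at +400s:', still_blocked_after(blocker, '203.0.113.7', 400))
```

Without the whitelist entry for 192.0.2.53 the third alert would have added the resolver to the block list for five minutes, which is exactly the spoofed-packet DoS described above; with it, the block list only ever contains the real attacker, and the counter shows that every alerting packet was already past the sensor when the decision was made.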
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

