RE: Snort-Inline and worm containment

["Rob Shein" <shoten () starpower net>]

The Honeynet Project uses a variant of Snort-Inline for an almost identical
purpose in their 2nd Generation Honeynets.  Their goal is to prevent the
compromise of other networks or hosts due to attacks originating from the
Honeynet.  The difference is that while they only prevent outbound traffic
from having an impact, I imagine you're considering the opposite.  Their
implementation also allows the traffic out, but munges parts of it to render
it ineffective against the outside target.

On the downside, however, they have little to worry about in the way of
false positives; it's a honeynet, so any traffic in or outbound from it is
almost certain to be hostile, and is definitely not of any production value
(as we normally consider the term).

> -----Original Message-----
> From: Tom McLaughlin [mailto:tmclaugh () sdf lonestar org] 
> Sent: Tuesday, January 28, 2003 9:19 PM
> To: focus-ids () securityfocus com
> Subject: Snort-Inline and worm containment
>
>
> Hi everyone, 
>
> The recent Slammer worm made me think a little about using 
> Snort-Inline for some form of network worm containment 
> purposes.  I did a quick Google search and found little on 
> the idea.  Has anyone found or written anything on using 
> Snort-Inline to prevent the spread of viruses across a 
> network?  Think about the benefits to an organization of 
> being able to confine virus outbreaks to particular segments 
> of a network and not having problems effect the stability of 
> the remaining users, or more importantly, spreading across a 
> network to the point of overwhelming available resources. 
>
> Thanks, 
> Tom 
>
> -- 
> Mandrake Cooker + Honeypot = http://cookerpot.linsec.ca