Full Disclosure mailing list archives
Re: IDS Signatures
From: Frank Knobbe <frank () knobbe us>
Date: Thu, 24 Feb 2005 14:01:58 -0600
On Thu, 2005-02-24 at 22:33 +0530, John Galt wrote:
> I am also in the process of implementing a NIDS in Linux, only I am attempting to make it proactive, more like an IPS. As far as your work is concerned, do take a look at snort. [...] With regard to my task of making the system proactive, can someone give some pointers to me? Right now I have configured ssh as rsh, so remote execution is a breeze. I am controlling all traffic through a firewall, so that when snort sees an attack (say critical attack), I can have a script constantly parse the logs and block the offending IP at the firewall.
John, take a look at Snortsam (http://www.snortsam.net). Several years ago, I had a script, like you have now, running on Snort and a Checkpoint firewall so that Snort could block there. That script was rewritten into a C app so that it allowed extended functionality like white lists and a sort of attack mitigation system. Also, running as a daemon has the advantage that multiple Snort sensors can request a block on multiple firewalls. I like to call it an Intrusion Response Network :)

Snortsam supports a variety of firewalls, making it attractive as a single-shot comprehensive solution. You can configure it to block out attackers or port scanners, but you can also configure it to automatically isolate compromised hosts (stuff you would do by yourself, except that Snortsam does it within a second, even at 4am Sunday morning). For example, it can isolate a compromised DMZ server by causing the DMZ firewall to block all outbound (and inbound) access from/to that compromised box. Or it can block attackers from coming in. There are a few solutions that do that, but I think the distributed nature of Snortsam makes it pretty attractive. You can detect an attacker (say a Nessus scan or so) in your London office and block him in London, but also Tokyo, Frankfurt, New York, etc.

Check it out, it might suit your needs well. Feel free to email me if you have questions.

Regards,
Frank
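A worked example of the log-parse-and-block step John describes, added here and not part of the thread or of Snortsam itself: it parses Snort's one-line alert_fast output (assumed output format), ignores alerts below a chosen priority and sources that fall inside a whitelist (the "white list" Frank mentions), requires a minimum number of alerts from a source before acting, and only builds the firewall command rather than executing it. The iptables chain, the sample alert lines and the address ranges are constructed assumptions.

```python
import ipaddress
import re
import shlex
from collections import Counter

# Regex for Snort's "alert_fast" one-line format. Assumption: the sensor is
# configured with "output alert_fast"; other Snort output formats differ.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (documentation address ranges, made-up rule ids).
SAMPLE_ALERTS = [
    "02/24-14:01:58.123456  [**] [1:2003:8] EXAMPLE Admin Privilege Gain attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} "
    "203.0.113.7:4444 -> 198.51.100.10:22",
    "02/24-14:02:03.000001  [**] [1:2003:8] EXAMPLE Admin Privilege Gain attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} "
    "203.0.113.7:4445 -> 198.51.100.10:22",
    "02/24-14:02:10.555555  [**] [1:100:1] EXAMPLE ICMP PING [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 198.51.100.10",
    # Alert from an internal host: a whitelist keeps the script from locking
    # out the monitoring or management network on a spoofed or false-positive hit.
    "02/24-14:02:15.000000  [**] [1:2003:8] EXAMPLE Admin Privilege Gain attempt [**] "
    "[Priority: 1] {TCP} 192.168.1.50:5555 -> 198.51.100.10:22",
    "not an alert line",
]

# Assumed local networks that must never be blocked automatically.
WHITELIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])  # Snort: 1 is the most severe priority
    return fields


def is_whitelisted(ip, whitelist=WHITELIST):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in whitelist)


def select_blocks(lines, max_priority=1, min_alerts=1, whitelist=WHITELIST):
    """Sources worth blocking: at least min_alerts alerts with priority <= max_priority
    (lower number is more severe), excluding whitelisted addresses."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["prio"] > max_priority:
            continue
        if is_whitelisted(alert["src"], whitelist):
            continue
        counts[alert["src"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= min_alerts)


def block_command(ip, chain="FORWARD"):
    """Build (do not run) the firewall rule; assumes iptables on the Linux firewall.
    The address is already validated by ipaddress, quoting is defence in depth."""
    return "iptables -I %s -s %s -j DROP" % (chain, shlex.quote(ip))


if __name__ == "__main__":
    for ip in select_blocks(SAMPLE_ALERTS, min_alerts=2):
        print(block_command(ip))
```

A real deployment would tail the alert file and hand each generated command to the firewall over the ssh channel John already has; keeping the decision logic separate from execution lets you replay captured alerts against it first, and the whitelist plus the alert threshold are what stop a single false positive, or an alert with a spoofed source address, from knocking your own hosts off the network.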