Snort mailing list archives
Relationship between snort and ipchains and security strategies
From: Steven () heimann com au
Date: Mon, 20 Aug 2001 08:31:01 +1000
I am sorry if the following rambles and sounds naive. I am trying to improve our security and am still trying to get my head around the different strategies and how they work together.

In the past I have relied on blocking everything except essential services and trying to keep those exposed services reasonably up to date to avoid known vulnerabilities. It doesn't seem that this is enough any more. I am looking at what sort of automated response I can make to things like CodeRed. Although we were never vulnerable to this particular attack, it is these sorts of probes to services that I must have open that are really the problem. I would like to go a little further than just logging the attempts via Snort.

I have fiddled with Guardian for a while and it now seems to be working. (Well, at least it is adding deny rules to ipchains.) I am a little confused though, because even if an IP address is blocked Snort still seems to log WEB-IIS cmd.exe access attempts from that address. Either I have broken my ipchains setup or perhaps Snort gets to see the packets before ipchains does. (I had to modify my ipchains setup to get it to work with Guardian, so it is quite possible I have broken something.)

I have been looking at the documentation on Snort but I couldn't find anything about how it and ipchains integrate with the IP stack. (Understanding the source is beyond my abilities.) Could someone please briefly explain how Snort does this and how this relates to ipchains, i.e. does Snort get the packet before ipchains, or is my setup wrong?

Guardian is not like Portsentry as it works by examining Snort logs. I understand that Portsentry is able to respond to probes quickly enough that the attacker does not even get a response to their first probe. Guardian seems to monitor the Portsentry log once each second. This may mean that the attacker has opened up the vulnerability before Guardian has responded.

I have shot myself in the foot several times in the past with Portsentry. A simple attempt to attach to a port does not necessarily signify bad intent. Portsentry is useless if the only open ports are those which need to be open for public services. At least Snort rules generally try to identify the intent of the probe, so blocking IPs based on Snort may not be so likely to cause problems.

I have just recompiled Snort to enable FlexResp. I have not yet modified any rules to try to reset connections. The doco refers to it as alpha code only. Does anyone use it on production servers? It seems that FlexResp in connection with something like Guardian may be a useful combination.

Is anyone else using Guardian? The ipchains code in v1.3 seemed to be broken.

My logs are full of repeated CodeRed attempts. I would like to be informed once so I know what is going on and then have that IP blocked for, say, a week so my logs are usable.

Am I heading down a useful path? Where could I find some information on what strategies others are using?

Regards,
Steven
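The "notify once, then block for a week" responder described in the post above, as an added illustration that is not Guardian's code or anything from the original thread: it reads Snort fast-style alert lines (constructed samples), generates one ipchains DENY rule and one notification per new source address, ignores repeat alerts from an address already blocked, expires rules after seven days, and keeps a never-block list so that a misfiring rule cannot lock out the gateway or the admin host. The alert line layout, the never-block addresses and the `ipchains` chain name `input` are assumptions for the example.

```python
"""Guardian-style responder (illustrative, not Guardian's own code)."""
import re
from datetime import datetime, timedelta

# Constructed alert lines in the style of Snort's fast alert output.
SAMPLE_ALERTS = """\
08/19-22:10:01.123456 [**] WEB-IIS cmd.exe access [**] 10.0.0.5:1034 -> 192.168.1.2:80
08/19-22:10:03.654321 [**] WEB-IIS cmd.exe access [**] 10.0.0.5:1035 -> 192.168.1.2:80
08/19-22:11:00.000001 [**] WEB-IIS ISAPI .ida attempt [**] 10.0.0.9:2001 -> 192.168.1.2:80
08/19-22:12:00.000001 [**] WEB-IIS cmd.exe access [**] 192.168.1.1:3000 -> 192.168.1.2:80
"""
ALERT_RE = re.compile(r"\[\*\*\] (?P<msg>.+?) \[\*\*\] (?P<src>\d+\.\d+\.\d+\.\d+):\d+ ->")
BLOCK_FOR = timedelta(days=7)
# Assumed addresses that must never be auto-blocked (gateway, admin host).
NEVER_BLOCK = {"192.168.1.1", "127.0.0.1"}


class Blocklist:
    def __init__(self, now):
        self.now = now
        self.expiry = {}    # src IP -> datetime at which its DENY rule is removed
        self.rules = []     # ipchains commands produced, in order
        self.notices = []   # one human-readable notification per newly blocked IP

    def process(self, line):
        """Handle one alert line; return True only when a new block is created."""
        m = ALERT_RE.search(line)
        if not m or m.group("src") in NEVER_BLOCK:
            return False
        ip = m.group("src")
        if ip in self.expiry:   # already blocked: no repeat notification, no new rule
            return False
        self.expiry[ip] = self.now + BLOCK_FOR
        self.rules.append(f"ipchains -I input -s {ip} -j DENY")
        self.notices.append(f"{ip} blocked until {self.expiry[ip]:%Y-%m-%d}: {m.group('msg')}")
        return True

    def expire(self, now):
        """Drop rules whose week is up; return the ipchains commands that undo them."""
        done = [ip for ip, until in self.expiry.items() if until <= now]
        for ip in done:
            del self.expiry[ip]
        undo = [f"ipchains -D input -s {ip} -j DENY" for ip in done]
        self.rules.extend(undo)
        return undo


def run(alert_text, now):
    """Feed every line of alert_text through a fresh Blocklist and return it."""
    bl = Blocklist(now)
    for line in alert_text.splitlines():
        bl.process(line)
    return bl
```

In a real deployment the commands in `rules` would be executed rather than collected, and `expire` would run from cron so the deny list does not grow without bound.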