Relationship between snort and ipchains and security strategies

[Steven () heimann com au]

I am sorry if the following rambles and sounds naive.  I am trying to
improve our security and am still trying to get my head around the
different strategies and how they work together.  In the past I have relied
on blocking everything except essential sevices and trying to keep those
exposed services reasonably up to date to avoid known vulnerabilities.  It
doesn't seem that this is enough any more.

I am looking at what sort of automated response I can make to things like
CodeRed.  Although we were never vulnerable to this particular attack it is
these sorts of probes to services that I must have open that are really the
problem.  I would like to go a little further than just logging the
attempts via Snort.

I have fiddled with Guardian for a while and it now seems to be working.
(Well at least it is adding deny rules to ipchains)  I am a little confused
though because even if an ip address is blocked snort still seems to log
WEB-IIS cmd.exe access attempts from that address.  Either I have broken my
ipchains setup or perhaps snort gets to see the packets before ipchains
does.  ( I had to modify my ipchains setup to get it to work with Guardian
so it is quite possible I have broken something. )

I have been looking at the documentaion on Snort but I couldn't find
anything about how it and ipchains integrate with the ip stack.
(Understanding the source is beyond my abilities.)  Could someone please
briefly explain how snort does this and how this would relate to ipchains.
i.e. Does snort get the packet before ipchains or is my setup wrong?

Guardian is not like Portsentry as it works by examining Snort logs.  I
understand that Portsentry is able to respond to probes quickly enough that
the attacker does not even get a response to their first probe.  Guardian
seems to monitor the portsentry log once each second.  This may mean that
the attacker has opened up the vulnerability before Guardian has responded.
I have shot myself in the foot several times in the past with Portsentry.
A simple attempt to attach to a port does not necessarily signify bad
intent.  Portsentry is useless if the only open ports are those which need
to be open for public services.  At least Snort rules generally try to
identify the intent of the probe so blocking ip's based on Snort may not be
so likely to cause problems.

I have just recompiled Snort to enable FlexResp.  I have not yet modified
any rules to try to reset connections.  The doco refers to it as alpha code
only.  Does anyone use it on production servers?  It seems that FlexResp in
connection with something like Guardian may be a useful combination.  Is
anyone else using Guardian?  The ipchains code in v1.3 seemed to be broken.

My logs are full of repeated CodeRed attempts.  I would like to be informed
once so I know what is going on and then have that ip blocked for say a
week so my logs are useable.

Am I heading down a useful path?  Where could I find some information on
what strategies others are using?

regards
Steven




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users