RE: fbidsmate and watchguard firebox

["Hamilton, Robert" <rhamilton () anteon com>]

Very insightful discourse guys .... Thanks!

-Rob

-----Original Message-----
From: Jeff Nathan [mailto:jeff () snort org] 
Sent: Thursday, September 04, 2003 7:02 PM
To: Matt Kettler
Cc: Hamilton, Robert; snort-users () lists sourceforge net
Subject: Re: [Snort-users] fbidsmate and watchguard firebox

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I forgot to add that SnortSam *ALSO* adds the functionality in question!

- -Jeff

On Thursday, September 4, 2003, at 03:41 PM, Jeff Nathan wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Matt,
>
> well stated.  I just wanted to clarify.
>
> On Thursday, September 4, 2003, at 02:24 PM, Matt Kettler wrote:
>
> > At 04:08 PM 9/4/2003 -0400, Hamilton, Robert wrote:
> >
> > > Any way to directly call fbidsmate from snort alert rules?
> >
> > Directly from snort there is no way to call *any* firewall tool.
> >
> > Fundamentally out of the box snort is an IDS and only an IDS. It has 
> > no support for reconfiguring any firewalls of any sort. No support 
> > for IpTables, IPF, cisco, watchguard, or any other kind of firewall 
> > is present.
> >
> > It does have a *very* limited ability to attempt to kill offensive 
> > connections using flexresp, but this doesn't reconfigure a firewall..

> > "react:block" just causes flexresp to generate some tcp reset packets

> > or icmp unreachable messages. It is however not reliable when racing 
> > against an educated attacker (If the attacker knows flexresp is going

> > to issue a reset in response to an attack, they can attempt to 
> > advance the sequence number before flexresp can respond. Flexresp is 
> > being improved to help avoid this, but it still fundamentally boils 
> > down to a race where flexresp has the speed advantage, but the 
> > attacker has the advantage of knowing when the race will start and 
> > can be prepared in advance. .)
>
> The react keyword implements HTTP (application layer) blocking by 
> returning HTTP data to the client browser.  The resp keyword performs 
> the active response that you're describing above.
>
> Flexresp2, released yesterday, uses a brute force approach for 
> desynchronizing TCP connections.  The biggest hinderance in this race 
> is TCP stream reassembly.  Essentially, TCP segments are coalesced 
> before the detection plugins even get them, making active response 
> really tough.
>
> While an attacker can try to advance their sequence numbers outside 
> the range used by flexresp2, they can't do this easily.  This sort of 
> attack would require some sort of event-based logic to track the state

> of the connection used for the attack and would have to "cook" 
> ethernet frames and avoid the actual TCP/IP stack.
>
> Flexresp2 already does this :)  It makes a few assumptions on the rate

> of ACK number consumption and attempts to send a TCP reset packet with

> an ACK number that lands within the acceptable range of sequence 
> numbers.  By default it sends three of these to the receiving TCP.
>
> > It's only add-ons such as snortsam which extend firewall modification

> > capability, bringing snort more into the realm of IPS type 
> > functionality than IDS functionality.
>
> Snort_inline provides the sort of functionality being requested. (as 
> you mention below).
>
> > And really, this separation into different add-on tools allows snort 
> > to be as flexible as possible without becoming insanely bloated. 
> > Snort by itself focuses on being a good IDS, and projects like 
> > snortsam and inline-snort focus on firewall manipulation.
>
> - -Jeff
>
> - --
> http://cerberus.sourcefire.com/~jeff       (gpg key available)
> "Great spirits have always encountered violent opposition from
> mediocre minds."   - Albert Einstein
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (Darwin)
>
> iD8DBQE/V7+aEqr8+Gkj0/0RAu73AKCTcQGChrouiLNMW2wZzwlpu39EWgCgslmR
> eQlpDkzuoFxqtuonmdgy1Hw=
> =sqp6
> -----END PGP SIGNATURE-----
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

- --
http://cerberus.sourcefire.com/~jeff       (gpg key available)
"Great spirits have always encountered violent opposition from
mediocre minds."   - Albert Einstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)

iD8DBQE/V9JeEqr8+Gkj0/0RAvkmAJ914jVNfg2dVRSnJFAzLA10ucrX7gCgs895
fqeBkctBZmwDZ7dw84E5pUs=
=yfSm
-----END PGP SIGNATURE-----



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users