Snort mailing list archives

Re: Hogwash for Windows

From: "Scot Scot" <scotw () hotmail com>
Date: Thu, 10 Jul 2003 01:25:07 -0500

At 08:44 AM 7/9/2003 -0400, Joe Kinsella wrote:

Is there an equivalent of Hogwash for the Windows version of snort?  I

have

a good rule set for one of my servers and would like to drop offending
packets.


From: "Matt Kettler"
Sent: Wednesday, July 09, 2003 8:14 PM

Given that windows itself does not have a built-in packet filter or
firewall along the lines of what iptables is, windows can't do this

without

commercial add-ons.

The best you can do is to get snortsam to talk to checkpoint firewall-1,
which is a commercial software firewall which runs on windows.

This is similar to hogwash, but runs slightly-less realtime, and costs $
for a copy of firewall-1. I'd also advise doing some searching for bugtraq
posts on firewall-1 and compare it to the number about other firewalls
prior to buying it. I'm not sure if it's better or not, but certainly

worth

doing some minimal research prior to spending money on it.

I'm also not sure quite how much FW-1 costs, but I've read it referred to
as being a market leader, and a market leader in price as well.


Option 1:
Windows has a variety of packet filters. One may configure this using the
RRAS
(Routing and Remote Access) API's to tag offending IP's and block them,
although this requires some
MS programming knowledge it is "built-in" to the operating system. Also if
you are comfortable working with
NDIS intermediary drivers I am aware that there is a capability there also.

Option 2-3:
IPsec Filtering
ICF (Internet Connection Firewall) Available in WinXP & Win2003srv. (Note:
ICF provides statful inspection
although it is only on inbound traffic).

Option 4:
On a more practical note, take a look at the following sourceforge project:

PktFilter: http://sourceforge.net/projects/pktfilter/

Just my 2.0134 cents worth (tax included)
Scot Wiedenfeld




-------------------------------------------------------
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Hogwash for Windows Joe Kinsella (Jul 09)
- <Possible follow-ups>
- Re: Hogwash for Windows Matt Kettler (Jul 09)
  - Re: Hogwash for Windows Scot Scot (Jul 10)
- RE: Hogwash for Windows Lars Troen (Jul 10)