Re: Configuring snort as IPS

[Joel Esler <jesler () sourcefire com>]

Author,  and the book was outdated when it was published, and people are still buying it and I still receive a check 
from it.  But if I could, I'd pull the book from every shelf, because all it does is make my current job as community 
manager harder.  It covered Snort version 2.6  and was written during Snort 2.5, if that tells you the age of the book. 
 There were several chapters (including several mistakes in my own chapter) that are just plain wrong.  I edited 
several chapters of the book, and the changes were so heavy that they deemed I essentially rewrote them, and they 
couldn't publish them as I wrote them because then the original author wouldn't get paid.  

Yes, I still have my edits, no I won't tell you which chapters.  Yes Sourcefire has been approached about publishing 
another book. 

There is a distinct difference in between reactive and active.

The old Snort_inline was active.  Snort with an inline DAQ now is active.  Snortsam is re-active.  Snort with flexresp2 
or flexresp3 and the react keyword is reactive.  Snortsam, flex, etc will not block the attack in realtime.  Flex will 
/attempt/ to reset the connection, but I think we've had enough discussion on this list to prove that that approach 
works "sometimes".

Snortsam is completely after the fact.  Snort alerts, writes to unified2, barynard2 reads the unified2 and processes 
the command to block, sends the block over to the firewall.  Yes, it's quick, but the attack already went by and who 
knows what else has now went on?  A backdoor, a reverse shell to a third machine?  

Snort in inline mode is active.  It can block in real time.  I see nothing wrong with both approaches for additional 
security.  But if I had to pick one, I'd pick the active mode.   Snortsam as an add on isn't a bad idea, like you said, 
to block the hostile host.  But then again, they can just change IPs.

J

On Jan 25, 2012, at 9:27 AM, Kevin Ross wrote:

> But reactive response isn't good marketing terminology :-p Then again you are actively responding to the attack and 
> it is the response that may highlight the post alert nature of it. You are still reacting to something that has 
> happened. Then again there are books like:
> - Intrusion Prevention and Active Response: Deploying Host and Network IPS
> - Also in the Snort IDS/IPS Toolkit you appear as a contributer/author/technical editor (whatever it was) and it has: 
> Chapter 12: Active Response and Intrusion Prevention. How come not Reactive Response? ;-p lol
>
> Besides I take the view ideally yes attack should be dropped inline but I like to block the hostile host so they 
> can't retry.
>
> Kev
>
>
>
> On 24 January 2012 16:16, Joel Esler <jesler () sourcefire com> wrote:
> Okay, I'm going to be pedantic for a minute.
>
> Snortsam isn't "active response" it's "reactive response".  It will take action after "x" occurs, post alert.  IPS, 
> by our definition is the ability to drop a packet inline, meaning at alert time.  
>
> I also don't think you have to patch Snort anymore to get Snortsam.  I think it's built into Barynard2 now.
>
> On Tue, Jan 24, 2012 at 8:27 AM, Fabio Almeida <mentesan () gmail com> wrote:
> Hi Sandip,
>
> Active response with http://www.snortsam.net/
>
> Great and flexible solution, works on many firewall systems and you can use on various Snort Sensors, and firewall 
> boxes.
>
> Fabio Almeida
> Em 24/01/2012, às 08:09, Sandip Bankewar escreveu:
>
> > Hi,
> >  
> > I don’t want my system to be act as gateway.
> >  
> > What is the best way to configure snort as IPS??
> >  
> > How can we configure?? Can anyone provide me steps??
> >  
> >  
> > Regards,
> > Sandip Bankewar
> >  
> > ------------------------------------------------------------------------------
> > Keep Your Developer Skills Current with LearnDevNow!
> > The most comprehensive online learning library for Microsoft developers
> > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> > Metro Style Apps, more. Free future releases when you subscribe now!
> > http://p.sf.net/sfu/learndevnow-d2d_______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
> -----BEGIN PGP SIGNATURE-----
>
> iQEcBAEBAgAGBQJPHrHAAAoJEOvN6k4KDu4agFsH/1e/bytty+QBacvwYDdhawrA
> 6f+ua6lerdaZwLJ1Ll9NCSDO1WMACikfAn1jSB+3eGzNYvB4xUPYZk5p5HJHCN8K
> ISm8sDk/wcfnN9FcBKX+Czqt7XMYL93KMZvSI8q+bwGTlliGaDkzwhcLMKd1SY+d
> XySYt6XuWbk002Sx/ummcy4kGGr4v48FCsBo4fNlWBVACsmcp7vCx0QPcfw+MGp9
> MMC/HW+CjXJrXeET/W5hzoRICSRSEfx7dEDLsrMcFiaWc56kMmoG7c2cRmlnNzTq
> 4/Pw0wNmoxGM48A/Rt1JI8M93gs6LjFCEkWO2+L7aaalFSftzqmUwYxTZy877aU=
> =uJq6
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------------------------------
> Keep Your Developer Skills Current with LearnDevNow!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
>
> -- 
> Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org | 
> http://blog.clamav.net
> Twitter:  http://twitter.com/snort
>
>
>
> ------------------------------------------------------------------------------
> Keep Your Developer Skills Current with LearnDevNow!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!