[Snort-devel] Where to do the stuff?
roesch at ...48...
Fri Jan 26 00:44:59 EST 2001
What Todd is working on is what I (and at least a few other people) call
a "Gateway IDS" (GIDS); I've also heard it called a "packet scrubber" a
few times. A GIDS sits astride the data stream like a firewall and
makes decisions about whether to pass or fail packets not only based on
its packet filter settings, but also on its ability to decide whether a
packet stream is hostile or not. In the case of a GIDS, when it detects
hostile activity it can interdict that activity directly without having
to go through a separate interface and reconfigure the firewall. This
mode also makes it potentially harder to confuse the IDS, because if
the GIDS can't determine what's going on in a data stream that it's
monitoring (e.g. overlapping IP frags with duplicate fragments, a rarity
in the real world unless someone is attacking you and trying to evade
your IDS), it has the option of shutting a stream down in a more
granular fashion than a standard "block this subnet" ACL on a firewall.
> According to Todd Lewis:
> > Ok, I want to use the following syntax:
> > alert icmp any any -> any any (msg:"Misc. ICMP traffic";verdict:"discard";);
> > The verdict will be one of "accept", "drop", or "reject", which
> > will map to PA_PACKET_VERDICT_ACCEPT, PA_PACKET_VERDICT_DROP,
> > PA_PACKET_VERDICT_REJECT. If no verdict is specified, then the rule
> > will be set to PA_PACKET_VERDICT_NO_ACTION.
> Is Snort the place to do this? I would think the best place to put those
> types of things would be on a firewall. You wouldn't want to put a verdict
> on an ongoing session. Just use RESP or REACT. Of course, react needs some
> work, but the idea is there.
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
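An added illustration of the two ideas in the message above, written for this page and not taken from Snort, from Todd's patch, or from anyone in the thread: a parser that maps the proposed verdict rule option onto accept/drop/reject, with a missing option meaning NO_ACTION, and an inline engine that, once it sees overlapping fragments whose bytes disagree, drops the rest of that host pair's traffic rather than an entire subnet. The PA_PACKET_VERDICT_* names are borrowed from the quoted proposal; their values, the regexes, the Packet model and the sample traffic are all constructed here. The quoted sample rule uses verdict:"discard", which is not one of the three listed values, so the parser treats any such spelling as a configuration error instead of guessing.

```python
"""Toy inline "gateway IDS" for the thread above.  An added example, not Snort
code: the rule parser, packet model, sample packets and the PA_PACKET_VERDICT_*
constants (names from Todd's proposal, values chosen here) are assumptions."""
import re
from collections import namedtuple

PA_PACKET_VERDICT_NO_ACTION = "no_action"
PA_PACKET_VERDICT_ACCEPT = "accept"
PA_PACKET_VERDICT_DROP = "drop"
PA_PACKET_VERDICT_REJECT = "reject"
# Only the three option spellings proposed in the thread map to a verdict.
VERDICTS = {"accept": PA_PACKET_VERDICT_ACCEPT, "drop": PA_PACKET_VERDICT_DROP,
            "reject": PA_PACKET_VERDICT_REJECT}

RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
                     r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*;?$")
OPT_RE = re.compile(r'(\w+)\s*:\s*"?([^";]*)"?\s*;')   # key:"value"; pairs

Rule = namedtuple("Rule", "proto src sport dst dport msg verdict")
# frag_offset of -1 means "not a fragment"; constructed packet model, not Snort's.
Packet = namedtuple("Packet", "proto src dst sport dport ip_id frag_offset payload",
                    defaults=(0, 0, 0, -1, b""))

def parse_rule(text):
    """Parse a Snort-style rule carrying the proposed 'verdict' option."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    opts = dict(OPT_RE.findall(m.group("opts")))
    name = opts.get("verdict")
    if name is None:
        verdict = PA_PACKET_VERDICT_NO_ACTION   # no verdict option: alert only
    elif name in VERDICTS:
        verdict = VERDICTS[name]
    else:   # e.g. "discard": not accept/drop/reject, so refuse to load the rule
        raise ValueError("unknown verdict %r in rule %r" % (name, text))
    return Rule(m.group("proto"), m.group("src"), m.group("sport"),
                m.group("dst"), m.group("dport"), opts.get("msg", ""), verdict)

def rule_matches(rule, pkt):
    def ok(pattern, value):
        return pattern == "any" or pattern == str(value)
    return (rule.proto == pkt.proto and ok(rule.src, pkt.src) and ok(rule.sport, pkt.sport)
            and ok(rule.dst, pkt.dst) and ok(rule.dport, pkt.dport))

class GatewayIDS:
    """Inline: every packet gets a verdict; an ambiguous fragment stream shuts
    down only that host pair, not the whole subnet a firewall ACL would hit."""

    def __init__(self, rules):
        self.rules = rules
        self.alerts = []         # (msg, src, dst) for every rule hit, verdict or not
        self.frags = {}          # (src, dst, ip_id) -> {offset: bytes}
        self.shut_flows = set()  # (src, dst) pairs killed for evasive fragments

    def _conflicting_fragment(self, pkt):
        """True if this fragment overlaps an earlier one with different bytes."""
        seen = self.frags.setdefault((pkt.src, pkt.dst, pkt.ip_id), {})
        start, end = pkt.frag_offset, pkt.frag_offset + len(pkt.payload)
        for off, data in seen.items():
            lo, hi = max(start, off), min(end, off + len(data))
            if lo < hi and pkt.payload[lo - start:hi - start] != data[lo - off:hi - off]:
                return True
        seen[start] = pkt.payload    # exact duplicates are harmless, keep them
        return False

    def verdict(self, pkt):
        flow = (pkt.src, pkt.dst)
        if flow in self.shut_flows:
            return PA_PACKET_VERDICT_DROP
        if pkt.frag_offset >= 0 and self._conflicting_fragment(pkt):
            self.shut_flows.add(flow)   # can't tell what the stream is: kill it
            return PA_PACKET_VERDICT_DROP
        for rule in self.rules:
            if rule_matches(rule, pkt):
                self.alerts.append((rule.msg, pkt.src, pkt.dst))
                if rule.verdict != PA_PACKET_VERDICT_NO_ACTION:
                    return rule.verdict
        return PA_PACKET_VERDICT_ACCEPT   # nothing to interdict: pass it on

def run_demo():
    """Constructed rules and packets; returns (verdict per packet, alerts)."""
    ids = GatewayIDS([
        parse_rule('alert icmp any any -> any any (msg:"Misc. ICMP traffic";verdict:"drop";);'),
        parse_rule('alert tcp any any -> any 80 (msg:"HTTP seen";)'),   # no verdict: alert only
    ])
    packets = [
        Packet("icmp", "10.0.0.5", "10.0.0.1"),                         # dropped by rule
        Packet("tcp", "10.0.0.5", "10.0.0.1", 40000, 80),               # alerted, passed
        Packet("tcp", "10.0.0.7", "10.0.0.1", 40001, 22),               # no rule hit
        Packet("udp", "10.0.0.9", "10.0.0.1", ip_id=7, frag_offset=0, payload=b"AAAAAAAA"),
        Packet("udp", "10.0.0.9", "10.0.0.1", ip_id=7, frag_offset=4, payload=b"BBBBBBBB"),
        Packet("udp", "10.0.0.9", "10.0.0.1", 53, 53),                  # same pair, now shut
        Packet("udp", "10.0.0.10", "10.0.0.1", 53, 53),                 # neighbour unaffected
    ]
    return [ids.verdict(p) for p in packets], ids.alerts
```

Two design points worth noticing: the shutdown is keyed on the (src, dst) host pair, so a neighbour in the same subnet keeps flowing while the pair that sent conflicting fragments is cut off, and fragments that overlap with identical bytes are left alone, since retransmitted duplicates are normal and only disagreeing overlaps are the evasion signature the message describes.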