[Snort-devel] Where to do the stuff?

Martin Roesch roesch at ...48...
Fri Jan 26 00:44:59 EST 2001

What Todd is working on is what I (and at least a few other people) call
a "Gateway IDS" (GIDS); I've also heard it called a "packet scrubber" a
few times.  A GIDS sits astride the data stream like a firewall and
makes decisions about whether to pass or fail packets not only based on
its packet filter setting, but also on its ability to decide whether a
packet stream is hostile or not.  In the case of a GIDS, when it detects
hostile activity it can interdict that activity directly without having
to go through a separate interface and reconfiguring the firewall.  In
this mode, it also makes it potentially harder to confuse the IDS,
because if the GIDS can't determine what's going on in a data stream
that it's monitoring (e.g. overlapping IP frags with duplicate
fragments, a rarity in the real world unless someone is attacking you
and trying to evade your IDS), it has the option of shutting a stream
down in a more granular fashion than a standard "block this subnet" ACL
on a firewall.


Brian wrote:
> According to Todd Lewis:
> > Ok, I want to use the following syntax:
> >
> >   alert icmp any any -> any any (msg:"Misc. ICMP traffic";verdict:"discard";);
> >
> > The verdict will be one of "accept", "drop", or "reject", which
> > PA_PACKET_VERDICT_REJECT.  If no verdict is specified, then the rule
> > will be set to PA_PACKET_VERDICT_NO_ACTION.
> Is snort the place to do this?  I would think the best place to put those
> types of things would be on a firewall.  You wouldn't want to put a verdict
> on an ongoing session.   Just use RESP or REACT.  Of course, react needs some
> work, but the idea is there.
> -brian
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

Martin Roesch
roesch at ...48...
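As an added illustration of the inline "GIDS" decision model Martin describes and of the verdict option Todd proposed (example code written for this page, not Snort's own code and not Todd's patch): a small Python engine that parses rules carrying a verdict option, tracks IP fragments per (src, dst, IP ID), and drops only the datagram whose overlapping fragments disagree, while other traffic from the same host is still judged by the rules. The PA_PACKET_VERDICT_ACCEPT and PA_PACKET_VERDICT_DROP names, the rule-matching fields, and all sample traffic are assumptions; only REJECT and NO_ACTION appear in the quoted mail. Note that Todd's sample line uses `verdict:"discard"`, which is not in the accept/drop/reject set he states, so this parser rejects it.

```python
import re
from dataclasses import dataclass, field

# Verdict keywords from Todd's proposal. The ACCEPT and DROP constant names
# are assumed for this illustration; only REJECT and NO_ACTION are in the mail.
VERDICTS = {
    "accept": "PA_PACKET_VERDICT_ACCEPT",
    "drop": "PA_PACKET_VERDICT_DROP",
    "reject": "PA_PACKET_VERDICT_REJECT",
}
NO_ACTION = "PA_PACKET_VERDICT_NO_ACTION"

RULE_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def parse_rule(text):
    """Parse a Snort-style rule line; a missing verdict maps to NO_ACTION,
    a verdict outside accept/drop/reject is an error rather than passed on."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for opt in opts.split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            options[key.strip()] = val.strip().strip('"')
    name = options.get("verdict")
    if name is None:
        verdict = NO_ACTION
    elif name.lower() in VERDICTS:
        verdict = VERDICTS[name.lower()]
    else:
        raise ValueError("unknown verdict: %r" % name)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "msg": options.get("msg", ""),
            "verdict": verdict}


@dataclass
class Fragment:
    offset: int   # byte offset inside the reassembled datagram
    data: bytes


@dataclass
class DatagramState:
    frags: list = field(default_factory=list)


class GatewayIDS:
    """Inline decision engine: verdicts are per datagram, not per subnet."""

    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules]
        self.datagrams = {}      # (src, dst, ip_id) -> DatagramState
        self.blocked = set()     # datagrams whose reassembly became ambiguous

    @staticmethod
    def _matches(rule, pkt):
        return (rule["proto"] in ("ip", pkt["proto"])
                and rule["src"] in ("any", pkt["src"])
                and rule["dst"] in ("any", pkt["dst"]))

    def _fragment_conflict(self, key, offset, data):
        """True if this fragment overlaps an earlier one with different bytes:
        the duplicate-overlap case where the datagram cannot be reassembled
        unambiguously (different stacks would keep different copies)."""
        st = self.datagrams.setdefault(key, DatagramState())
        for old in st.frags:
            lo = max(old.offset, offset)
            hi = min(old.offset + len(old.data), offset + len(data))
            if lo < hi:
                if old.data[lo - old.offset:hi - old.offset] != data[lo - offset:hi - offset]:
                    return True
        st.frags.append(Fragment(offset, data))
        return False

    def decide(self, pkt):
        """Return 'accept', 'drop' or 'reject' for one packet."""
        key = (pkt["src"], pkt["dst"], pkt["ip_id"])
        if key in self.blocked:
            return "drop"
        if self._fragment_conflict(key, pkt["frag_offset"], pkt["payload"]):
            self.blocked.add(key)    # shut down only this datagram, not a subnet
            return "drop"
        for rule in self.rules:
            if self._matches(rule, pkt):
                if rule["verdict"] == NO_ACTION:
                    continue         # alert-only rule: no say in the verdict
                return rule["verdict"].rsplit("_", 1)[1].lower()
        return "accept"


# Constructed sample rules and traffic (not taken from the thread).
RULES = [
    'alert icmp any any -> any any (msg:"Misc. ICMP traffic"; verdict:"drop";)',
    'alert tcp any any -> 10.0.0.5 any (msg:"tcp to server, alert only";)',
]


def run_demo():
    gids = GatewayIDS(RULES)
    base = {"src": "10.0.0.9", "dst": "10.0.0.5"}
    pkts = [
        dict(base, proto="udp", ip_id=7, frag_offset=0, payload=b"AAAAAAAA"),
        dict(base, proto="udp", ip_id=7, frag_offset=8, payload=b"BBBBBBBB"),
        dict(base, proto="udp", ip_id=7, frag_offset=0, payload=b"XXXXAAAA"),  # conflicting duplicate
        dict(base, proto="icmp", ip_id=8, frag_offset=0, payload=b"ping"),     # hit by ICMP drop rule
        dict(base, proto="tcp", ip_id=9, frag_offset=0, payload=b"GET"),       # alert-only rule
    ]
    return [gids.decide(p) for p in pkts]


if __name__ == "__main__":
    print(run_demo())   # ['accept', 'accept', 'drop', 'drop', 'accept']
```

The point of the demo is the granularity Martin contrasts with a firewall ACL: the third packet poisons only datagram (10.0.0.9, 10.0.0.5, IP ID 7), while the ICMP and TCP packets from the same host are still decided by the rule verdicts, and a rule with no verdict only alerts.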
