[Snort-users] Using Snort code base to make an intelligent firewall

Dr SuSE drsuse at ...748...
Tue Nov 21 04:50:38 EST 2000

Hmmm, the idea sounds good but one thing you have to remember is that IDS
isn't 100% effective.  There will always be false positives and unless you
have an ear to the ground your not going to know about the latest attacks
or vulnerabilities that havn't been published so your smart firewall/ids
wont know to block these things.  The good rule as always is to block
everything then open what you need as you go.  I guess NIDS would be the
opposite, sniff everything then pass what you dont need to sniff.

Then again I'm not a security expert so take what I say with a grain of
salt :)

While were on the subject of firewalls, let me share something with you
that I got a kick out of.  A friend of mine called me yesterday and asked
if I would run a Nessus scan against a Raptor/NT firewall that his company
just had installed by a vendor about a month ago. 
 Well, after the scan my buddy was in shock. 
 The firewall was setup to allow everything inbound heck I was even
able to get the netbios table from the NT box since 139 was left open.  


"Microsoft ist nicht installiert"

On Wed, 22 Nov 2000, Steve Hutchins wrote:

> Apologies for being a bit off topic.
> I'm sure I'm not the only person to have thought of this?!
> If you have ever worked with stealth firewalls such as
> SUNs Sunscreen or Lucent 'the brick' you might have thought
> 'shit, these things are expensive! maybe they need to have
> some open source competition'
> (These tend to run with 2 or more interfaces in un-addressable
> promisc mode, and an addressable admin interface, as a pseudo
> gateway)
> The other thing about these expensive firewalls, is although
> they know how to do VPN's etc etc, they are not very intelligent
> and block every thing that isn't in their rules list (quite a
> good thing for a firewall).
> But, why not have an intelligent firewall that doesn't explicitly
> block everything (unless you tell it to), but will block anything
> that looks like it is suspicious (ALA IDS rolled into a firewall).
> This would allow Joe normal user through without any explicit rule.
> Obviously, this type of firewall would best run as a 'quiet'
> external firewall with a normal firewall inside.
> Anyone thought about this or working on something similar?
> Do people think this is a crap idea?
> The reason I am mentioning this idea, is that I had it some
> time ago, and haven't had the time to do anything with it.
> Steve 'I'll creep back into my hole now' Hutchins
> =========================================================
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

More information about the Snort-users mailing list