[Snort-users] Using Snort code base to make an intelligent firewall

Brock Henry bhenry at ...826...
Tue Nov 21 19:00:17 EST 2000

Hi Steve,

I'd personally rather the firewall block every man and his dog, unless 
explicitly told to allow something.

It's from opposite directions: the IDS picks up only suspicious activity, 
and the firewall only allows through known-good activity.

When a new exploit comes out, the IDS won't log it, but the firewall WILL 
block it, even before you know about it. This is how it should be.

Brock Henry

At 09:51 22/11/2000 +1300, you wrote:
>Apologies for being a bit off topic.
>I'm sure I'm not the only person to have thought of this?!
>If you have ever worked with stealth firewalls such as
>SUNs Sunscreen or Lucent 'the brick' you might have thought
>'shit, these things are expensive! maybe they need to have
>some open source competition'
>(These tend to run with 2 or more interfaces in un-addressable
>promisc mode, and an addressable admin interface, as a pseudo
>The other thing about these expensive firewalls, is although
>they know how to do VPN's etc etc, they are not very intelligent
>and block every thing that isn't in their rules list (quite a
>good thing for a firewall).
>But, why not have an intelligent firewall that doesn't explicitly
>block everything (unless you tell it to), but will block anything
>that looks like it is suspicious (ALA IDS rolled into a firewall).
>This would allow Joe normal user through without any explicit rule.
>Obviously, this type of firewall would best run as a 'quiet'
>external firewall with a normal firewall inside.
>Anyone thought about this or working on something similar?
>Do people think this is a crap idea?
>The reason I am mentioning this idea, is that I had it some
>time ago, and haven't had the time to do anything with it.
>Steve 'I'll creep back into my hole now' Hutchins
>Snort-users mailing list
>Snort-users at lists.sourceforge.net

Brock Henry - brockh at ...827... (H) - bhenry at ...826... (W)

Adventure? Excitement? A Jedi craves not these things.
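The "opposite directions" point Brock makes, as an added toy model that is not part of this thread: a default-deny firewall with an explicit allow list beside a signature-based IDS, run over three constructed packets. The port list, the signature strings and the packets are all made up for the illustration; only the comparison of the two policies is the point.

```python
# Added example (not from the Snort-users thread): compare a default-deny
# firewall with a signature-based IDS on the same constructed packets.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    payload: bytes


# Default-deny firewall: only explicitly listed destination ports pass.
# (Constructed allow list for the example.)
ALLOWED_PORTS = {25, 80, 443}

# IDS: alerts only on traffic matching a known-bad content signature.
# (Constructed signatures; real rule sets are far larger.)
SIGNATURES = {
    "phf-cgi": b"/cgi-bin/phf",
    "smtp-expn-root": b"EXPN root",
}


def firewall_allows(pkt):
    """Default-deny policy: pass only known-good destination ports."""
    return pkt.dport in ALLOWED_PORTS


def ids_alerts(pkt):
    """Return the names of every signature the payload matches."""
    return [name for name, pat in SIGNATURES.items() if pat in pkt.payload]


def ids_firewall_allows(pkt):
    """Steve's idea: default-allow, block only what the IDS flags."""
    return not ids_alerts(pkt)


def evaluate(pkt):
    """(blocked by default-deny firewall, flagged by IDS) for one packet."""
    return (not firewall_allows(pkt), bool(ids_alerts(pkt)))


# Constructed sample traffic: normal web request, a known attack pattern on
# an allowed port, and a brand-new exploit on a port nobody has a rule for.
SAMPLE = {
    "web": Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.0"),
    "known-bad-allowed-port": Packet("10.0.0.6", 80, b"GET /cgi-bin/phf?x"),
    "novel-unknown-port": Packet("10.0.0.7", 31337, b"\x00\x01no-signature"),
}
```

Running `evaluate` over `SAMPLE` shows the known attack on port 80 is caught only by the IDS, while the novel packet on port 31337 is stopped only by default deny; the IDS-style firewall lets it straight through.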
