[Snort-users] Using Snort code base to make an intelligent firewall

A.L.Lambert alambert at ...387...
Tue Nov 21 20:22:50 EST 2000


	The closest thing I think could be safely done in this arena would
be what snort's (I think) already capable of doing, which is doing TCP or
ICMP resets for connections that violate "rule X".  If you take this
built-in capability and set up rules to TCP/ICMP-reset all connections to
non-valid/unwelcome ports on your network, then couple that configuration
with one which watches for "bad things" happening on your allowed ports
(ie: what snort does naturally), and send resets of the apropos variety
on "bad thing" sessions.

	Now, further thought on my part (EEEK!) suggests that when
configuring snort to send resets, you can reset either end of the
connection, or both ends of the connection.  If you're actively sending
resets to remote hosts, then you just became a potential amplifier for a
packetflood-type DoS, so what you really want to do is send resets to the
local machines (ie: your $HOME_NET/$INTERNAL).

	Possibly other "bad things" lurking under the surface where I
don't see them at the moment, but so far I think my logic isn't too bad.
:)

	It still wouldn't be the same as a good firewall (IMHO), but I
think it's as close as we're gonna get to Steve's original concept, while
avoiding Jeff's aptly mentioned pitfalls of automatically denying
traffic based on various things.

	Comments anyone?  Anyone feel like whipping up a snort.org and/or
whitehats.com ruleset with the proper "react:" settings, and a template
for a "deny everything but" ruleset?

	Cheers!

	--A.L.Lambert

> other reactive technology starts blocking hosts automatically.  Worse yet,
> what if they source spoof the address of any one of your anti-spam sendmail
> databases, large blocks of customer IP addresses or something similarly 
> dangerous?
> 
> It gets to be somewhat hairy...
>
> > that looks like it is suspicious (a la IDS rolled into a firewall).
> > This would allow Joe normal user through without any explicit rule.
> > 
> > Obviously, this type of firewall would best run as a 'quiet'
> > external firewall with a normal firewall inside.
> > 
> > Anyone thought about this or working on something similar?
> > Do people think this is a crap idea?
> > 
> > The reason I am mentioning this idea, is that I had it some
> > time ago, and haven't had the time to do anything with it.
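A concrete version of the "reset everything but" template asked for above, added here as an illustration; it is not part of the original post and not a ruleset shipped by snort.org or whitehats.com. It assumes a Snort 1.x/2.x build with the flexresp response code compiled in (--enable-flexresp), that Snort is started with -o so pass rules are evaluated before alert rules, and made-up values for HOME_NET, the allowed ports, the sids and the content pattern:

```snort
# Added example (not from the original post). Assumptions: flexresp compiled in,
# snort run with -o (pass rules before alert rules), addresses and ports made up.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# Services we actually offer: let them through with no reactive action at all.
pass tcp $EXTERNAL_NET any -> $HOME_NET 25
pass tcp $EXTERNAL_NET any -> $HOME_NET 80

# Anything else knocking on an internal TCP port: tear it down, but only on the
# internal side. rst_rcv sends the RST to the packet's receiver ($HOME_NET), never
# to the remote source, so a spoofed source address cannot turn this sensor into
# a reflector aimed at some third party.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"inbound to unwelcome port, resetting internal side"; flags:S; resp:rst_rcv; sid:1000001; rev:1;)

# "Bad thing" on an allowed port: same reaction, triggered by a content match.
# The pattern here is a placeholder, not a real signature.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"suspicious request on allowed port, resetting internal side"; content:"/etc/passwd"; nocase; resp:rst_rcv; sid:1000002; rev:1;)

# The variant to avoid on an Internet-facing sensor, kept commented out:
# rst_all also fires an RST at the remote address, which is exactly the
# remote-side reaction the post above warns about.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"reset both ends"; flags:S; resp:rst_all; sid:1000003; rev:1;)
```

Two things to check before deploying this: the icmp_net/icmp_host/icmp_port variants of resp can only answer the sender of the packet (that is how ICMP unreachables work), so they belong in the remote-side category and have no "internal only" equivalent; and the pass rules are what keep legitimate traffic out of the catch-all, so confirm with a test connection that the -o ordering is actually in effect before trusting the sensor in front of production hosts.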