[Snort-users] Using Snort code base to make an intelligent firewall

F.M. Taylor root at ...28...
Wed Nov 22 08:38:41 EST 2000


I have snort kinda set up to do this type of thing now. I have two
interfaces in the snort box. One with no IP, hooked up to a span port on
a switch, the other with an IP, so I can ssh to the box, it can dump
its logs to MySQL running on a separate box and it can respond. I have
two sets of "special" rules, one for daytime and one for
nighttime. During the day, good luck doing any streaming media, using
Napster, Gnutella, etc. After business hours, it's a free-for-all. During
the day I send both rst_all and icmp_all to TCP and just icmp_all to UDP
connections that violate my "rules". So far so good, it has made a
noticeable, and I hope, measurable difference in throughput.

On Tue, 21 Nov 2000, Martin F Roesch wrote:

> What you guys are talking about is being called a "Gateway IDS" (GIDS)
> these days.  The concept is that the IDS becomes the access control
> device, much like a standard firewall and decides what packets to pass
> on to the defended network and which ones to drop.  This allows the IDS
> to determine when it allows traffic through based on its ability to
> recognize what's going on.  
> 
> This is a nice way of handling things because the GIDS becomes much more
> difficult to spoof/evade/insert because it doesn't pass on traffic it
> can't analyze.  Additionally, it can be set up to automatically block
> attack attempts it sees and do a variety of other access control jobs.
> 
> I've heard several people in the IDS industry talk about such things,
> but I haven't heard of one being implemented.  If we wanted to implement
> one, we'd have to develop the low level firewalling code and then put a
> decision/detection engine on top of it to do packet/protocol level
> analysis.  A prototype implementation could probably be put together by
> combining something like Snort and ipfilter or ipchains.  Anyone want to
> take a stab at it? ;)
> 
>      -Marty
> 
> Steve Hutchins wrote:
> > 
> > Apologies for being a bit off topic.
> > 
> > I'm sure I'm not the only person to have thought of this?!
> > 
> > If you have ever worked with stealth firewalls such as
> > Sun's SunScreen or Lucent's 'the brick' you might have thought
> > 'shit, these things are expensive! maybe they need to have
> > some open source competition'
> > (These tend to run with 2 or more interfaces in un-addressable
> > promisc mode, and an addressable admin interface, as a pseudo
> > gateway)
> > 
> > The other thing about these expensive firewalls is, although
> > they know how to do VPNs etc. etc., they are not very intelligent
> > and block everything that isn't in their rules list (quite a
> > good thing for a firewall).
> > 
> > But, why not have an intelligent firewall that doesn't explicitly
> > block everything (unless you tell it to), but will block anything
> > that looks like it is suspicious (a la IDS rolled into a firewall).
> > This would allow Joe normal user through without any explicit rule.
> > 
> > Obviously, this type of firewall would best run as a 'quiet'
> > external firewall with a normal firewall inside.
> > 
> > Anyone thought about this or working on something similar?
> > Do people think this is a crap idea?
> > 
> > The reason I am mentioning this idea, is that I had it some
> > time ago, and haven't had the time to do anything with it.
> > 
> > Steve 'I'll creep back into my hole now' Hutchins
> > =========================================================
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
> 
> --
> Martin Roesch
> roesch at ...421...
> http://www.snort.org
> 

---
Mike Taylor
Coordinator of Systems Administration and Network Security
Indiana State University.               Rankin Hall Rm 039
210 N 7th St.                           Terre Haute, IN. 47809
Voice: 812-237-8843
---
"You have zero privacy anyway.  Get over it."
           --Scott McNealy, Sun MicroSystems. 
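Taylor's daytime/nighttime rule sets with FlexResp active response, written out as an added example that is not from his post. The ports, HOME_NET range, hours and rule paths are assumptions; the post does not say how he switched between the two sets, so the hour check and the cron-driven restart here are mine.

```shell
#!/bin/sh
# Constructed example (not from the post): two Snort 1.x rule sets for a
# FlexResp build (./configure --enable-flexresp) and a helper that picks the
# set for a given hour. Ports, paths, HOME_NET and the hours are assumptions.
set -e

RULES_DIR="${RULES_DIR:-/tmp/snort-rules}"   # assumed location
mkdir -p "$RULES_DIR"

# Business hours: TCP sessions get rst_all plus icmp_all, UDP gets icmp_all.
cat > "$RULES_DIR/day.rules" <<'EOF'
var HOME_NET 10.0.0.0/8
# Napster file transfers (assumed port 6699)
alert tcp $HOME_NET any -> any 6699 (msg:"DAY Napster"; resp:rst_all,icmp_all;)
# Gnutella (assumed port 6346), TCP and UDP
alert tcp $HOME_NET any -> any 6346 (msg:"DAY Gnutella"; resp:rst_all,icmp_all;)
alert udp $HOME_NET any -> any 6346 (msg:"DAY Gnutella UDP"; resp:icmp_all;)
# RTSP streaming media (assumed port 554)
alert tcp $HOME_NET any -> any 554 (msg:"DAY streaming"; resp:rst_all,icmp_all;)
EOF

# After hours: same matches, but log only (no resp), so nothing is killed.
cat > "$RULES_DIR/night.rules" <<'EOF'
var HOME_NET 10.0.0.0/8
alert tcp $HOME_NET any -> any 6699 (msg:"NIGHT Napster";)
alert tcp $HOME_NET any -> any 6346 (msg:"NIGHT Gnutella";)
alert udp $HOME_NET any -> any 6346 (msg:"NIGHT Gnutella UDP";)
alert tcp $HOME_NET any -> any 554 (msg:"NIGHT streaming";)
EOF

# ruleset_for_hour HH -> "day" for 08..17 inclusive, "night" otherwise.
ruleset_for_hour() {
    h=${1#0}                     # "08" -> "8" so sh does not read it as octal
    h=${h:-0}
    if [ "$h" -ge 8 ] && [ "$h" -lt 18 ]; then echo day; else echo night; fi
}

# Intended use from cron at 08:00 and 18:00 (restarting snort is left to the caller):
# snort -c "$RULES_DIR/$(ruleset_for_hour "$(date +%H)").rules" -i eth0 -D
```

The sniffing interface carries no IP, as in Taylor's setup, so the resp packets leave via the addressed interface; make sure that interface can actually reach both ends of the offending session or the RSTs go nowhere.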