[Snort-users] Using Snort code base to make an intelligent firewall
root at ...28...
Wed Nov 22 08:38:41 EST 2000
I have snort kinda set up to do this type of thing now. I have two
interfaces in the snort box. One with no IP, hooked up to a span port on
a switch, the other with an IP, so I can ssh to the box, it can dump
its logs to MySQL running on a separate box and it can respond. I have
two sets of "special" rules, one for daytime and one for
nighttime. During the day, good luck doing any streaming media, using
Napster, Gnutella, etc. After business hours, it's a free-for-all. During
the day I send both rst_all and icmp_all to TCP and just icmp_all to UDP
connections that violate my "rules". So far so good, it has made a
noticeable, and I hope, measurable difference in throughput.
On Tue, 21 Nov 2000, Martin F Roesch wrote:
> What you guys are talking about is being called a "Gateway IDS" (GIDS)
> these days. The concept is that the IDS becomes the access control
> device, much like a standard firewall and decides what packets to pass
> on to the defended network and which ones to drop. This allows the IDS
> to determine when it allows traffic through based on its ability to
> recognize what's going on.
> This is a nice way of handling things because the GIDS becomes much more
> difficult to spoof/evade/insert because it doesn't pass on traffic it
> can't analyze. Additionally, it can be set up to automatically block
> attack attempts it sees and do a variety of other access control jobs.
> I've heard several people in the IDS industry talk about such things,
> but I haven't heard of one being implemented. If we wanted to implement
> one, we'd have to develop the low level firewalling code and then put a
> decision/detection engine on top of it to do packet/protocol level
> analysis. A prototype implementation could probably be put together by
> combining something like Snort and ipfilter or ipchains. Anyone want to
> take a stab at it? ;)
> Steve Hutchins wrote:
> > Apologies for being a bit off topic.
> > I'm sure I'm not the only person to have thought of this?!
> > If you have ever worked with stealth firewalls such as
> > Sun's SunScreen or Lucent 'the brick' you might have thought
> > 'shit, these things are expensive! maybe they need to have
> > some open source competition'
> > (These tend to run with 2 or more interfaces in un-addressable
> > promisc mode, and an addressable admin interface, as a pseudo
> > gateway)
> > The other thing about these expensive firewalls, is although
> > they know how to do VPNs etc etc, they are not very intelligent
> > and block every thing that isn't in their rules list (quite a
> > good thing for a firewall).
> > But, why not have an intelligent firewall that doesn't explicitly
> > block everything (unless you tell it to), but will block anything
> > that looks like it is suspicious (a la IDS rolled into a firewall).
> > This would allow Joe normal user through without any explicit rule.
> > Obviously, this type of firewall would best run as a 'quiet'
> > external firewall with a normal firewall inside.
> > Anyone thought about this or working on something similar?
> > Do people think this is a crap idea?
> > The reason I am mentioning this idea, is that I had it some
> > time ago, and haven't had the time to do anything with it.
> > Steve 'I'll creep back into my hole now' Hutchins
> Martin Roesch
> roesch at ...421...
Coordinator of Systems Administration and Network Security
Indiana State University. Rankin Hall Rm 039
210 N 7th St. Terre Haute, IN 47809
Voice: 812-237-8843
"You have zero privacy anyway. Get over it."
--Scott McNealy, Sun MicroSystems.
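Editor's note: the script below is an added example, not code posted in this thread or shipped with Snort. It is the smallest version of the Snort + ipchains prototype Marty describes: Snort detects, a script turns each new offending source into a firewall DENY. It assumes Snort 1.x "-A fast" alert lines of the form "MM/DD-HH:MM:SS.uuuuuu  [**] msg [**] src:sport -> dst:dport", an ipchains 'input' chain, and a hypothetical NEVER_BLOCK list so that a spoofed source address cannot trick the box into blocking its own gateway or DNS server. The alert lines are constructed for the example; DRY_RUN=1 (the default) prints the ipchains commands instead of running them, so it can be tried without root.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): Snort alert
# lines in, ipchains DENY rules out.  Assumptions: Snort 1.x "-A fast"
# alert format, an 'input' chain, and a hypothetical NEVER_BLOCK list of
# addresses we refuse to block even if an alert names them as source
# (a spoofed packet should not be able to cut us off from our gateway).

DRY_RUN="${DRY_RUN:-1}"                              # 1 = print, 0 = run ipchains
NEVER_BLOCK="${NEVER_BLOCK:-192.168.1.1 192.168.1.53}" # assumed gateway and DNS

# Source IP of one fast-format alert line; prints nothing if it does not parse.
# Format: MM/DD-HH:MM:SS.uuuuuu  [**] msg [**] src:sport -> dst:dport
alert_src_ip() {
    printf '%s\n' "$1" |
        sed -n 's/.*\[\*\*\] *\([0-9][0-9.]*\):[0-9][0-9]* *-> *[0-9.]*:[0-9]*.*/\1/p'
}

# Return 0 if the address is on the never-block list.
is_protected() {
    for a in $NEVER_BLOCK; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# The ipchains rule that would be added for a given source address.
block_cmd() {
    printf 'ipchains -A input -s %s -j DENY\n' "$1"
}

# Read alert lines on stdin, add one DENY per new source address, and print
# the addresses that were blocked (one per line) on stdout.
process_alerts() {
    seen=""
    while IFS= read -r line; do
        ip=$(alert_src_ip "$line")
        [ -z "$ip" ] && continue                         # unparseable line
        is_protected "$ip" && continue                   # our own infrastructure
        case " $seen " in *" $ip "*) continue ;; esac    # already blocked
        seen="$seen $ip"
        if [ "$DRY_RUN" = 1 ]; then
            block_cmd "$ip" >&2                          # show what would run
        else
            ipchains -A input -s "$ip" -j DENY           # needs root
        fi
        printf '%s\n' "$ip"
    done
}

# Constructed sample alerts (not real traffic): two from one Napster/Gnutella
# user, one apparently from the gateway (spoofed), and one unparseable line.
SAMPLE_ALERTS='11/22-08:38:41.123456  [**] Napster Client Data [**] 10.1.2.3:1234 -> 192.168.1.5:6699
11/22-08:38:42.000001  [**] Gnutella Connect [**] 10.1.2.3:2345 -> 192.168.1.6:6346
11/22-08:38:43.000002  [**] Probe [**] 192.168.1.1:53 -> 192.168.1.7:1025
garbage line that does not parse'

# Usage: feed Snort's alert file in; with DRY_RUN=1 only 10.1.2.3 is reported.
printf '%s\n' "$SAMPLE_ALERTS" | process_alerts
```

Two points a practitioner would check before running this for real: the regex only accepts dotted-decimal addresses, so nothing an attacker puts in a packet can reach the ipchains command line unquoted, and the never-block list is what keeps the "insert a spoofed attack to get the IDS to block a legitimate host" trick from turning the GIDS into a denial-of-service tool against itself.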