[Snort-users] Using Snort code base to make an intelligent firewall

Gene Ramon Gomez ggomez at ...677...
Wed Nov 22 10:18:54 EST 2000

The below is true; however, there's no reason why you can't create an
enhanced firewall by combining both concepts.  I believe I'm correct in
saying that most Internet-centric attacks begin with a few scans to find out
how many hosts, what OSes, what services, etc are running on your network.
If your firewall's got udp/53 and tcp/53 open, but there's potentially a new
DNS exploit you don't know about, doesn't that make the server running
behind this port open to attack?  Also, wouldn't you feel better if users
taking known hostile actions could be blocked by your firewall BEFORE they
could find this host?
GIDS, if we're calling them that, seem pretty interesting to me.  Developing
one based on Snort and iptables is a project I may undertake when I have
more time (which may be months from now).


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Brock Henry
Sent: Tuesday, November 21, 2000 4:00 PM
To: Steve Hutchins
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Using Snort code base to make an intelligent

Hi Steve,

I'd personally rather the firewall block every man and his dog, unless
explicitly told to allow something.

It's from opposite directions: the IDS picks up only suspicious activity,
and the firewall only allows through known-good activity.

When a new exploit comes out, the IDS won't log it, but the firewall WILL
block it, even before you know about it. This is how it should be.

Brock Henry

At 09:51 22/11/2000 +1300, you wrote:
>Apologies for being a bit off topic.
>I'm sure I'm not the only person to have thought of this?!
>If you have ever worked with stealth firewalls such as
>SUNs Sunscreen or Lucent 'the brick' you might have thought
>'shit, these things are expensive! maybe they need to have
>some open source competition'
>(These tend to run with 2 or more interfaces in un-addressable
>promisc mode, and an addressable admin interface, as a pseudo
>The other thing about these expensive firewalls, is although
>they know how to do VPN's etc etc, they are not very intelligent
>and block every thing that isn't in their rules list (quite a
>good thing for a firewall).
>But, why not have an intelligent firewall that doesn't explicitly
>block everything (unless you tell it to), but will block anything
>that looks like it is suspicious (a la IDS rolled into a firewall).
>This would allow Joe normal user through without any explicit rule.
>Obviously, this type of firewall would best run as a 'quiet'
>external firewall with a normal firewall inside.
>Anyone thought about this or working on something similar?
>Do people think this is a crap idea?
>The reason I am mentioning this idea, is that I had it some
>time ago, and haven't had the time to do anything with it.
>Steve 'I'll creep back into my hole now' Hutchins
>Snort-users mailing list
>Snort-users at lists.sourceforge.net

Brock Henry - brockh at ...827... (H) - bhenry at ...826... (W)

Adventure? Excitement? A Jedi craves not these things.
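The Snort-plus-iptables "GIDS" that Gene proposes at the top of this message is, at its core, a loop that turns IDS alerts into firewall rules. The sketch below is an added example for this thread, not code from Snort, iptables or any poster: it parses Snort's alert_fast output (the line format is Snort's; the sample alerts, their SIDs 1000001+ and all addresses are constructed), blocks only high-priority sources, and refuses to block addresses on a protected list so a spoofed scan cannot trick the firewall into dropping its own network or upstream resolvers.

```python
import re
import ipaddress
from collections import OrderedDict

# Regex for Snort's alert_fast line format. The sample lines below are
# constructed for this example (SIDs 1000001+ and TEST-NET addresses).
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\] "
    r".*?\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

SAMPLE_ALERTS = [
    "11/22-10:01:02.000001  [**] [1:1000001:1] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40000 -> 198.51.100.5:53",
    "11/22-10:01:03.000002  [**] [1:1000002:1] SCAN UDP portsweep [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.10:40001 -> 198.51.100.5:53",
    "11/22-10:02:00.000003  [**] [1:1000003:1] DNS zone transfer TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.20:4444 -> 198.51.100.5:53",
    "11/22-10:03:00.000004  [**] [1:1000004:1] INFO web bug [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.0.113.7:1234 -> 198.51.100.5:80",
]

# Addresses the blocker must never touch: our own ranges and anything the
# servers behind the firewall depend on. A forged alert naming one of these
# would otherwise let the GIDS cut us off from ourselves (constructed values).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "10.0.0.0/8")]

def parse_alert(line):
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def plan_blocks(lines, never_block=NEVER_BLOCK, max_priority=2):
    """Return {src_ip: reason} for sources that earn a DROP rule.
    Snort priority 1 is the most severe; only priority <= max_priority counts,
    and one source gets one rule however many alerts it triggered."""
    blocks = OrderedDict()
    for line in lines:
        a = parse_alert(line)
        if a is None or int(a["prio"]) > max_priority:
            continue
        src = ipaddress.ip_address(a["src"])
        if any(src in net for net in never_block):
            continue  # protected address: leave it to the IDS log, never the firewall
        blocks.setdefault(str(src), "%s:%s %s" % (a["gid"], a["sid"], a["msg"]))
    return blocks

def iptables_rule(src_ip):
    """Command that drops all traffic from src_ip, inserted at the top of INPUT.
    A deployment should also expire these (run the matching -D later) so a
    false positive does not become a permanent block."""
    return "iptables -I INPUT -s %s -j DROP" % src_ip

if __name__ == "__main__":
    for ip, why in plan_blocks(SAMPLE_ALERTS).items():
        print(iptables_rule(ip), "  #", why)
```

On the sample data only the scanner 192.0.2.10 is blocked: the zone-transfer alert comes from a protected address and the web-bug alert is priority 3.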
