[Snort-users] Using Snort code base to make an intelligent firewall

Steve Hutchins Steve.Hutchins at ...277...
Wed Nov 22 15:42:31 EST 2000

The thing with Snort is that it could be a very flexible IDS firewall.
Because the rules are so easy to create, there could be several possible
responses to suspicious or rule-denied packets (drop, reset, unreachable,
inject strange responses :o).

I think firewalls have to get more intelligent and flexible and my personal
view is that fws and IDS will have to merge.
If you think about the standard log entry from someone trying to connect
to a controlled or denied port: time, drop, src, dest, srcprt, dstport, rule
This doesn't tell you zip about it.
The output from a snort GIDS/fw could tell you a lot more.
At the moment, when I get an alert from the firewall, I then look for
from an IDS to give me more info on whether I need to do anything.

I still think that this type of firewall should be an external gateway to
an internal standard firewall (at the moment).

I think this is a place where snort can create a new market.

I can give some time to this, if there are others who can help.
Unfortunately, I don't have the time to make this happen on my own.


-----Original Message-----
From: Gene Ramon Gomez [mailto:ggomez at ...677...]
Sent: Thursday, 23 November 2000 4:19 
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Using Snort code base to make an intelligent

The below is true; however, there's no reason why you can't create an
enhanced firewall by combining both concepts.  I believe I'm correct in
saying that most Internet-centric attacks begin with a few scans to find out
how many hosts, what OSes, what services, etc are running on your network.
If your firewall's got udp/53 and tcp/53 open, but there's potentially a new
DNS exploit you don't know about, doesn't that make the server running
behind this port open to attack?  Also, wouldn't you feel better if users
taking known hostile actions could be blocked by your firewall BEFORE they
could find this host?
GIDS, if we're calling them that, seem pretty interesting to me.  Developing
one based on Snort and iptables is a project I may undertake when I have
more time (which may be months from now).


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Brock Henry
Sent: Tuesday, November 21, 2000 4:00 PM
To: Steve Hutchins
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Using Snort code base to make an intelligent

Hi Steve,

I'd personally rather the firewall block every man and his dog, unless
explicitly told to allow something.

It's from opposite directions: the IDS picks up only suspicious activity,
and the firewall only allows through known-good activity.

When a new exploit comes out, the IDS won't log it, but the firewall WILL
block it, even before you know about it. This is how it should be.

Brock Henry

At 09:51 22/11/2000 +1300, you wrote:
>Apologies for being a bit off topic.
>I'm sure I'm not the only person to have thought of this?!
>If you have ever worked with stealth firewalls such as
>Sun's SunScreen or Lucent's 'the brick' you might have thought
>'shit, these things are expensive! maybe they need to have
>some open source competition'
>(These tend to run with 2 or more interfaces in un-addressable
>promisc mode, and an addressable admin interface, as a pseudo
>The other thing about these expensive firewalls, is although
>they know how to do VPN's etc etc, they are not very intelligent
>and block every thing that isn't in their rules list (quite a
>good thing for a firewall).
>But, why not have an intelligent firewall that doesn't explicitly
>block everything (unless you tell it to), but will block anything
>that looks like it is suspicious (a la IDS rolled into a firewall).
>This would allow Joe normal user through without any explicit rule.
>Obviously, this type of firewall would best run as a 'quiet'
>external firewall with a normal firewall inside.
>Anyone thought about this or working on something similar?
>Do people think this is a crap idea?
>The reason I am mentioning this idea, is that I had it some
>time ago, and haven't had the time to do anything with it.
>Steve 'I'll creep back into my hole now' Hutchins
>Snort-users mailing list
>Snort-users at lists.sourceforge.net

Brock Henry - brockh at ...827... (H) - bhenry at ...826... (W)

Adventure? Excitement? A Jedi craves not these things.


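The gateway-IDS idea the thread keeps coming back to (a Snort sensor in front of the real firewall that turns alerts into blocks, with drop, reset and unreachable as the possible responses, and scanners cut off before they find the host) sketched as an added Python example. This is not code from the thread, from Snort or from netfilter/iptables; the alert lines, the local sids and messages, the scan threshold and the allow-list are constructed assumptions for illustration. It also carries the check such a box needs in practice: an allow-list of addresses it must never block, because Snort reports source addresses exactly as they arrive and a spoofed scan could otherwise be used to make the gateway cut off your own resolver or upstream router.

```python
"""Added example (not Snort's or iptables' own code): a toy 'gateway IDS'
that turns Snort fast-format alerts into iptables block rules.  Alert
lines, sids, messages, thresholds and the allow-list are constructed."""
import re
from collections import defaultdict

# Snort "-A fast" line: ts [**] [gid:sid:rev] msg [**] [Classification: ..]
# [Priority: n] {PROTO} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (RFC 5737 addresses, local sids >= 1000000).
SAMPLE_ALERTS = """\
11/22-15:40:01.000001  [**] [1:1000001:1] LOCAL scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40001 -> 198.51.100.10:21
11/22-15:40:01.000002  [**] [1:1000001:1] LOCAL scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40002 -> 198.51.100.10:22
11/22-15:40:01.000003  [**] [1:1000001:1] LOCAL scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40003 -> 198.51.100.10:25
11/22-15:40:05.000004  [**] [1:1000002:1] LOCAL DNS exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 192.0.2.44:5353 -> 198.51.100.53:53
11/22-15:40:06.000005  [**] [1:1000001:1] LOCAL scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.2:1025 -> 198.51.100.10:21
11/22-15:40:06.000006  [**] [1:1000001:1] LOCAL scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.2:1026 -> 198.51.100.10:22
11/22-15:40:06.000007  [**] [1:1000001:1] LOCAL scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.2:1027 -> 198.51.100.10:23
11/22-15:40:07.000008  [**] [1:1000001:1] LOCAL scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.99:5000 -> 198.51.100.10:80
11/22-15:40:07.000009  [**] [1:1000001:1] LOCAL scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.99:5001 -> 198.51.100.10:443
this line is not a Snort alert and must be skipped
"""

# Addresses the gateway must never cut off even if alerts name them (our
# resolver and upstream router, assumed).  Snort sees source addresses
# as-is, so a spoofed scan could otherwise make the box block them for us.
NEVER_BLOCK = {"198.51.100.2", "198.51.100.1"}
SCAN_THRESHOLD = 3  # distinct destination ports per source before we react

# The responses named in the thread (drop / reset / unreachable) as iptables actions.
RESPONSES = {
    "drop": "-j DROP",
    "reset": "-p tcp -j REJECT --reject-with tcp-reset",
    "unreachable": "-j REJECT --reject-with icmp-host-unreachable",
}


def parse_fast_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["pri"] = int(d["pri"])
    return d


def decide(alerts, never_block=NEVER_BLOCK, scan_threshold=SCAN_THRESHOLD):
    """Map source address -> response name for every source that earned a block."""
    verdict = {}
    ports_seen = defaultdict(set)
    for a in alerts:
        src = a["src"]
        if src in never_block:
            continue
        if a["pri"] == 1:              # known-hostile signature: block outright
            verdict[src] = "drop"
        elif a["dport"] is not None:   # probe: count distinct ports per source
            ports_seen[src].add(a["dport"])
            if len(ports_seen[src]) >= scan_threshold:
                verdict.setdefault(src, "unreachable")
    return verdict


def iptables_rule(src, response):
    """Shell command installing the chosen response for one source (not executed here)."""
    return f"iptables -I FORWARD -s {src} {RESPONSES[response]}"


def plan_rules(alert_text):
    """Parse alert lines, decide, and return the iptables commands in a stable order."""
    alerts = [a for a in map(parse_fast_alert, alert_text.splitlines()) if a]
    return [iptables_rule(s, r) for s, r in sorted(decide(alerts).items())]


if __name__ == "__main__":
    for cmd in plan_rules(SAMPLE_ALERTS):
        print(cmd)
```

On the constructed input only two sources end up blocked: the host that tripped the priority-1 signature, and the scanner that touched three distinct ports. The two-port prober stays below the threshold, and the resolver that appears to scan (or was spoofed as the scanner) is protected by the allow-list. Feeding it real data would mean tailing the output of `snort -A fast` and piping the generated commands to a shell on the gateway; a real deployment would also want to expire blocks after a while so a one-off alert does not become a permanent rule.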
