[Snort-users] Dropping Connections

Frank Knobbe FKnobbe at ...649...
Fri Mar 23 14:36:24 EST 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> > -----Original Message-----
> > From: Chris Green [mailto:cmg at ...671...]
> > Sent: Friday, March 23, 2001 1:21 PM
> > 
> > I believe there will be patches in the future to allow
> > snort to act as a smart firewall and perhaps have its own set of
> > rules but that is well into the future. I forgot what the fancy
> > name for this kinda system is.


I didn't want to let the cat out of the bag yet, but I thought I'd post
anyway to gather comments and suggestions.

I had written a couple of batch files some time ago that monitor the
snort log files and, when intrusions are detected, reconfigure
Firewall-1 machines to block these intruders for a specified period of
time.

While looking through the snort source code, I got the idea of
rolling this into a plug-in. The idea is that, besides other outputs,
a blocking output can be specified, which will send a packet to a
daemon/service on a Firewall-1 management station, causing it to
block the intruder. The amount of time and one more variable will
have to be added to the snort rule(s) (yes, this is a manual process).
Once the rule is triggered and it's a blocking rule, snort will send
a TwoFish encrypted message to one or more FW-1 management stations.
The management station will then cause this IP address to be blocked
via SAM for the defined amount of time on one or more Firewall-1
firewall modules. The daemon/service will include checking of the IP
address against a 'white list' of never to be blocked IP addresses,
and it will check threshold values. These threshold values will
determine if there is a spoofing attack going on, allowing an
automatic roll back (unblock) if exceeded. 

The idea is to keep the concept scalable (dozens of sensors notifying
one or more FW-1 mgmt stations), secure (TwoFish encryption and sensor
authentication), and fast (I'm trying to keep the overhead on snort
at a minimum).


It looks to me that dropping connections on the firewall(s) is more
efficient than the RST in snort since a) no packets are sent back to
the intruder, and b) the intruder is actively turned off.

I'll post again once it's done (I hope in a couple of weeks).

Regards,
Frank


PS: Please don't start a thread about the risks of doing this. We had
this several times now. The risks are clear, but I believe the
benefits outweigh the risks.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOrult5ytSsEygtEFEQLKdACgleD++R7B/IVTyIJHpgDlT2kYmXIAn1V4
zAAdeTvZNOvU/ke6tJVcwq+R
=fFoO
-----END PGP SIGNATURE-----
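The management-station side of the scheme Frank describes (sensor authentication, a never-block whitelist, timed blocks, and a threshold that rolls blocks back when a spoofing flood is suspected) as an added example. This is not Frank's plug-in or daemon code, and it makes several assumptions the post does not state: requests are authenticated with an HMAC-SHA256 tag over a plaintext "BLOCK <ip> <seconds>" line (the post says TwoFish encryption), the SAM call is stood in for by an in-memory table, the threshold is "more than N accepted blocks within W seconds", and the sensor names, keys and addresses are constructed sample data.

```python
"""Block-request handling for a hypothetical FW-1 management-station daemon.

Added example, not code from the original post. Assumptions (not in the
post): requests carry an HMAC-SHA256 tag over a plaintext
"BLOCK <ip> <seconds>" line (the post describes TwoFish encryption), the
actual SAM call is replaced by an in-memory table, and the spoofing
threshold means "more than N accepted blocks within W seconds".
"""
import hashlib
import hmac
import ipaddress
from collections import deque

# Constructed sample data: never-block networks and per-sensor shared keys.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]
SENSOR_KEYS = {"sensor-1": b"constructed-key-1", "sensor-2": b"constructed-key-2"}


def sign(key: bytes, body: bytes) -> bytes:
    """Authentication tag a sensor attaches to a request (assumed scheme)."""
    return hmac.new(key, body, hashlib.sha256).digest()


def make_request(sensor: str, ip: str, seconds: int):
    """Sensor side: build a block request line and its tag."""
    body = f"BLOCK {ip} {seconds}".encode()
    return body, sign(SENSOR_KEYS[sensor], body)


class BlockManager:
    """Management-station side: whitelist, timed blocks, flood rollback."""

    def __init__(self, whitelist, keys, threshold=5, window=60.0):
        self.whitelist = whitelist
        self.keys = keys
        self.threshold = threshold     # blocks tolerated per window
        self.window = window           # seconds
        self.blocks = {}               # ip -> expiry time (stands in for SAM)
        self.recent = deque()          # (accepted_at, ip) within the window
        self.suspended_until = 0.0     # set after a rollback

    def _expire(self, now):
        for ip in [ip for ip, exp in self.blocks.items() if exp <= now]:
            del self.blocks[ip]

    def _trim(self, now):
        while self.recent and now - self.recent[0][0] > self.window:
            self.recent.popleft()

    def handle(self, sensor, body, tag, now):
        """Process one request; returns a short string naming the outcome."""
        key = self.keys.get(sensor)
        if key is None or not hmac.compare_digest(sign(key, body), tag):
            return "bad_auth"                 # unknown sensor or forged tag
        try:
            verb, addr, secs = body.decode().split()
            ip = ipaddress.ip_address(addr)
            duration = float(secs)
        except ValueError:
            return "malformed"
        if verb != "BLOCK" or duration <= 0:
            return "malformed"
        if any(ip in net for net in self.whitelist):
            return "whitelisted"              # never blocked, whatever the sensor says
        self._expire(now)
        self._trim(now)
        if now < self.suspended_until:
            return "suspended"                # still in the post-rollback cool-down
        if len(self.recent) >= self.threshold:
            # Too many blocks in one window looks like an attacker spoofing
            # trigger traffic to get victims blocked: undo the window's blocks
            # and accept nothing new until the window has drained.
            for _, old in self.recent:
                self.blocks.pop(old, None)
            self.recent.clear()
            self.suspended_until = now + self.window
            return "rolled_back"
        self.blocks[ip] = now + duration
        self.recent.append((now, ip))
        return "blocked"

    def active(self, now):
        """Addresses currently blocked, as strings."""
        self._expire(now)
        return {str(ip) for ip in self.blocks}
```

The whitelist test runs before anything would touch the firewall, so a spoofed trigger can never take out a listed address. The rollback, on the other hand, buys safety at a price: once the threshold trips, the daemon accepts no blocks for a full window, so an attacker who can make sensors fire cheaply can also switch the blocking off for that long. Tune `threshold` and `window` with that trade-off in mind.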
