[Snort-users] Dropping Connections

Martin Roesch roesch at ...421...
Mon Mar 26 20:00:10 EST 2001


Just a hint: if you're going to do this, have something so you can set up
netblocks that aren't allowed to be blocked...

    -Marty

Frank Knobbe wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> > > -----Original Message-----
> > > From: Chris Green [mailto:cmg at ...671...]
> > > Sent: Friday, March 23, 2001 1:21 PM
> > >
> > > I believe there will be patches in the future to allow
> > > snort to act as
> > > a smart firewall and perhaps have its own set of rules but that
> > > is well into the future. I forgot what the fancy name for this
> > > kinda system is.
> 
> I didn't want to let the cat out of the bag yet, but I thought I'd post
> anyway to gather comments and suggestions.
> 
> I had written a couple of batch files some time ago that monitor the
> snort log files and when intrusions are detected, it will
> reconfigure Firewall-1 machines to block these intruders for a
> specified period of time.
> 
> While looking through the snort source code, I got the idea of
> rolling this into a plug-in. The idea is that, besides other outputs,
> a blocking output can be specified, which will send a packet to a
> daemon/service on a Firewall-1 management station, causing it to
> block the intruder. The amount of time and one more variable will
> have to be added to the snort rule(s) (yes, this is a manual process).
> Once the rule is triggered and it's a blocking rule, snort will send
> a TwoFish encrypted message to one or more FW-1 management stations.
> The management station will then cause this IP address to be blocked
> via SAM for the defined amount of time on one or more Firewall-1
> firewall modules. The daemon/service will include checking of the IP
> address against a 'white list' of never to be blocked IP addresses,
> and it will check threshold values. These threshold values will
> determine if there is a spoofing attack going on, allowing an
> automatic roll back (unblock) if exceeded.
> 
> The idea is to keep the concept scalable (dozens of sensors notifying one
> or more FW-1 mgmt stations), secure (TwoFish encryption and sensor
> authentication), and fast (I'm trying to keep the overhead on snort
> at a minimum).
> 
> It looks to me that dropping connections on the firewall(s) is more
> efficient than the RST in snort since a) no packets are sent back to
> the intruder, and b) the intruder is actively turned off.
> 
> I'll post again once it's done (I hope in a couple of weeks).
> 
> Regards,
> Frank
> 
> PS: Please don't start a thread about the risks of doing this. We had
> this several times now. The risks are clear, but I believe the
> benefits outweigh the risks.
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org
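Marty's hint about netblocks that may never be blocked, together with the whitelist and spoofing-threshold rollback Frank describes for the management-station daemon, sketched as an added Python example (not code from either poster, from Snort or from any Firewall-1 tool). The netblock values, the threshold numbers and the class and method names are assumptions.

```python
import ipaddress
from collections import deque

# Constructed sample "never block" netblocks: the sensors' own management
# network and the resolver the firewall itself depends on.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.53/32")]


class BlockController:
    """Decides whether a sensor's block request may reach the firewall.

    Whitelist check: addresses inside the never-block netblocks are refused.
    Threshold check: if more than `threshold` distinct addresses get blocked
    within `window` seconds, the source addresses are probably spoofed, so
    every block added in that window is rolled back (unblocked).
    """

    def __init__(self, never_block, threshold, window):
        self.never_block = never_block
        self.threshold = threshold
        self.window = window
        self.recent = deque()   # (timestamp, ip) of blocks still inside the window
        self.blocked = {}       # ip -> expiry timestamp

    def _expire(self, now):
        while self.recent and now - self.recent[0][0] > self.window:
            self.recent.popleft()
        for ip in [ip for ip, exp in self.blocked.items() if exp <= now]:
            del self.blocked[ip]

    def request_block(self, ip_str, duration, now):
        """Return 'whitelisted', 'blocked', 'already' or 'rolled_back'."""
        ip = ipaddress.ip_address(ip_str)
        self._expire(now)
        if any(ip in net for net in self.never_block):
            return "whitelisted"            # never touch protected netblocks
        if ip in self.blocked:
            self.blocked[ip] = max(self.blocked[ip], now + duration)
            return "already"                # extend, but do not count again
        self.blocked[ip] = now + duration
        self.recent.append((now, ip))
        if len({x for _, x in self.recent}) > self.threshold:
            for _, x in self.recent:        # too many sources too fast: undo the batch
                self.blocked.pop(x, None)
            self.recent.clear()
            return "rolled_back"
        return "blocked"

    def is_blocked(self, ip_str, now):
        self._expire(now)
        return ipaddress.ip_address(ip_str) in self.blocked
```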