[Snort-users] Hogwash for Windows

Scot Scot scotw at ...125...
Wed Jul 9 23:26:04 EDT 2003


> At 08:44 AM 7/9/2003 -0400, Joe Kinsella wrote:
> >Is there an equivalent of Hogwash for the Windows version of snort?  I have
> >a good rule set for one of my servers and would like to drop offending
> >packets.
>
>From: "Matt Kettler"
>Sent: Wednesday, July 09, 2003 8:14 PM
>
> Given that windows itself does not have a built-in packet filter or
> firewall along the lines of what iptables is, windows can't do this without
> commercial add-ons.
>
> The best you can do is to get snortsam to talk to checkpoint firewall-1,
> which is a commercial software firewall which runs on windows.
>
> This is similar to hogwash, but runs slightly-less realtime, and costs $
> for a copy of firewall-1. I'd also advise doing some searching for bugtraq
> posts on firewall-1 and compare it to the number about other firewalls
> prior to buying it. I'm not sure if it's better or not, but certainly worth
> doing some minimal research prior to spending money on it.
>
> I'm also not sure quite how much FW-1 costs, but I've read it referred to
> as being a market leader, and a market leader in price as well.

Option 1:
Windows has a variety of packet filters. One may configure this using the RRAS
(Routing and Remote Access) APIs to tag offending IPs and block them;
although this requires some MS programming knowledge, it is "built-in" to the
operating system. Also, if you are comfortable working with NDIS intermediary
drivers, I am aware that there is a capability there also.

Option 2-3:
IPsec Filtering
ICF (Internet Connection Firewall), available in WinXP & Win2003srv. (Note:
ICF provides stateful inspection, although it is only on inbound traffic.)

Option 4:
On a more practical note, take a look at the following sourceforge project:

PktFilter: http://sourceforge.net/projects/pktfilter/

Just my 2.0134 cents worth (tax included)
Scot Wiedenfeld





