[Snort-users] fbidsmate and watchguard firebox

Matt Kettler mkettler at ...7367...
Thu Sep 4 14:27:04 EDT 2003


At 04:08 PM 9/4/2003 -0400, Hamilton, Robert wrote:

>Any way to directly call fbidsmate from snort alert rules?

Directly from snort there is no way to call *any* firewall tool.

Fundamentally out of the box snort is an IDS and only an IDS. It has no 
support for reconfiguring any firewalls of any sort. No support for 
IpTables, IPF, cisco, watchguard, or any other kind of firewall is present.

It does have a *very* limited ability to attempt to kill offensive 
connections using flexresp, but this doesn't reconfigure a firewall.. 
"react:block" just causes flexresp to generate some tcp reset packets or 
icmp unreachable messages. It is however not reliable when racing against 
an educated attacker (If the attacker knows flexresp is going to issue a 
reset in response to an attack, they can attempt to advance the sequence 
number before flexresp can respond. Flexresp is being improved to help 
avoid this, but it still fundamentally boils down to a race where flexresp 
has the speed advantage, but the attacker has the advantage of knowing when 
the race will start and can be prepared in advance. .)

It's only add-ons such as snortsam which extend firewall modification 
capability, bringing snort more into the realm of IPS type functionality 
than IDS functionality.

And really, this separation into different add-on tools allows snort to be 
as flexible as possible without becoming insanely bloated. Snort by itself 
focuses on being a good IDS, and projects like snortsam and inline-snort 
focus on firewall manipulation.











More information about the Snort-users mailing list