[Snort-users] fbidsmate and watchguard firebox

Jeff Nathan jeff at ...950...
Thu Sep 4 17:02:05 EDT 2003


I forgot to add that SnortSam *ALSO* adds the functionality in question!

-Jeff

On Thursday, September 4, 2003, at 03:41 PM, Jeff Nathan wrote:

> Matt,
> well stated.  I just wanted to clarify.
> On Thursday, September 4, 2003, at 02:24 PM, Matt Kettler wrote:
>> At 04:08 PM 9/4/2003 -0400, Hamilton, Robert wrote:
>>> Any way to directly call fbidsmate from snort alert rules?
>> Directly from snort there is no way to call *any* firewall tool.
>> Fundamentally out of the box snort is an IDS and only an IDS. It has 
>> no support for reconfiguring any firewalls of any sort. No support 
>> for IpTables, IPF, cisco, watchguard, or any other kind of firewall 
>> is present.
>> It does have a *very* limited ability to attempt to kill offensive 
>> connections using flexresp, but this doesn't reconfigure a firewall. 
>> "react:block" just causes flexresp to generate some tcp reset packets 
>> or icmp unreachable messages. It is however not reliable when racing 
>> against an educated attacker (If the attacker knows flexresp is going 
>> to issue a reset in response to an attack, they can attempt to 
>> advance the sequence number before flexresp can respond. Flexresp is 
>> being improved to help avoid this, but it still fundamentally boils 
>> down to a race where flexresp has the speed advantage, but the 
>> attacker has the advantage of knowing when the race will start and 
>> can be prepared in advance.)
> The react keyword implements HTTP (application layer) blocking by 
> returning HTTP data to the client browser.  The resp keyword performs 
> the active response that you're describing above.
> Flexresp2, released yesterday, uses a brute force approach for 
> desynchronizing TCP connections.  The biggest hindrance in this race 
> is TCP stream reassembly.  Essentially, TCP segments are coalesced 
> before the detection plugins even get them, making active response 
> really tough.
> While an attacker can try to advance their sequence numbers outside 
> the range used by flexresp2, they can't do this easily.  This sort of 
> attack would require some sort of event-based logic to track the state 
> of the connection used for the attack and would have to "cook" 
> ethernet frames and avoid the actual TCP/IP stack.
> Flexresp2 already does this :)  It makes a few assumptions on the rate 
> of ACK number consumption and attempts to send a TCP reset packet with 
> an ACK number that lands within the acceptable range of sequence 
> numbers.  By default it sends three of these to the receiving TCP.
>> It's only add-ons such as snortsam which extend firewall modification 
>> capability, bringing snort more into the realm of IPS type 
>> functionality than IDS functionality.
> Snort_inline provides the sort of functionality being requested. (as 
> you mention below).
>> And really, this separation into different add-on tools allows snort 
>> to be as flexible as possible without becoming insanely bloated. 
>> Snort by itself focuses on being a good IDS, and projects like 
>> snortsam and inline-snort focus on firewall manipulation.
> -Jeff
> --
> http://cerberus.sourcefire.com/~jeff       (gpg key available)
> "Great spirits have always encountered violent opposition from
> mediocre minds."   - Albert Einstein

--
http://cerberus.sourcefire.com/~jeff       (gpg key available)
"Great spirits have always encountered violent opposition from
mediocre minds."   - Albert Einstein



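As an added illustration of the race discussed in the thread (constructed model, not code from Snort, Flexresp2 or anyone on the list): a reset is only honoured if its sequence number falls inside the receiving TCP's window, so a responder guessing from the last segment it saw, spread over a few attempts, can be beaten by a sender that has already pushed its sequence space past those guesses. The window size, spread step and sequence values below are assumptions chosen for the demonstration.

```python
# Constructed model of the Flexresp-style reset race (not Snort/Flexresp2 code).
# A forged reset is only honoured if its sequence number lands inside the
# receiving TCP's window; the responder must guess that window from the last
# segment it observed, while the sender may already have moved on.
from dataclasses import dataclass
from typing import List, Optional

MOD = 2 ** 32  # TCP sequence space wraps at 32 bits


@dataclass
class ReceiverState:
    rcv_nxt: int  # next sequence number the receiving TCP expects
    rcv_wnd: int  # window it currently advertises

    def accepts(self, seq: int) -> bool:
        """RFC 793 acceptability for an empty segment such as a RST:
        RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2**32."""
        return (seq - self.rcv_nxt) % MOD < self.rcv_wnd


def responder_guesses(seen_seq: int, seen_len: int, step: int, count: int = 3) -> List[int]:
    """Sequence numbers a responder puts in its resets: start right after the
    last segment it saw, then spread later guesses by an assumed amount of
    data the sender may have pushed since (the 'brute force' spread)."""
    base = (seen_seq + seen_len) % MOD
    return [(base + i * step) % MOD for i in range(count)]


def race(receiver: ReceiverState, guesses: List[int]) -> Optional[int]:
    """Index of the first reset the receiver would honour, or None if every
    guess fell outside its window (the connection survives)."""
    for i, seq in enumerate(guesses):
        if receiver.accepts(seq):
            return i
    return None


def scenarios() -> dict:
    """Same observed segment (seq 1000, 100 bytes) and the same three guesses
    32768 apart; only how far the sender has advanced differs. Constructed values."""
    guesses = responder_guesses(1000, 100, 32768)
    return {
        "idle sender": race(ReceiverState(1100, 65535), guesses),          # 0
        "sender pushed 20000": race(ReceiverState(21100, 65535), guesses),  # 1
        "sender pushed 70000": race(ReceiverState(71100, 65535), guesses),  # None
    }


if __name__ == "__main__":
    for name, hit in scenarios().items():
        print(f"{name:20s} -> {'all resets rejected' if hit is None else f'reset #{hit} accepted'}")
```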