Re: IDS Signatures
From: Frank Knobbe <frank () knobbe us>
Date: Thu, 24 Feb 2005 14:01:58 -0600
On Thu, 2005-02-24 at 22:33 +0530, John Galt wrote:
> I am also in the process of implementing a NIDS in Linux, only I am
> attempting to make it proactive, more like an IPS. As far as your work
> is concerned, do take a look at snort. [...]
> With regard to my task of making the system proactive, can someone
> give some pointers to me? Right now I have configured ssh as rsh, so
> remote execution is a breeze. I am controlling all traffic through a
> firewall, so that when snort sees an attack (say critical attack), I
> can have a script constantly parse the logs and block the offending IP
> at the firewall.
Take a look at Snortsam (http://www.snortsam.net). Several years ago, I
had a script, like you have now, running on Snort and a Checkpoint
firewall so that Snort could block there. That script was rewritten into
a C app so that it allowed extended functionality like white lists and a
sort of attack mitigation system. Also, running as a daemon has the
advantage that multiple Snort sensors can request a block on multiple
firewalls. I like to call it an Intrusion Response Network :)
Snortsam supports a variety of firewalls, making it attractive as a
single-shot comprehensive solution. You can configure it to block out
attackers or port scanners, but you can also configure it to
automatically isolate compromised hosts (stuff you would do by yourself,
except that Snortsam does it within a second, even at 4am Sunday
morning). For example, it can isolate a compromised DMZ server by
causing the DMZ firewall to block all outbound (and inbound) access
from/to that compromised box. Or it can block attackers from coming in.
There are a few solutions that do that, but I think the distributed
nature of Snortsam makes it pretty attractive. You can detect an
attacker (say Nessus scan or so) in your London office and block him in
London, but also Tokyo, Frankfurt, New York, etc.
Check it out, it might suit your needs well. Feel free to email me if
you have questions.
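The "script that parses the Snort logs and blocks the offending IP" idea from the quoted question, together with the white-list feature Frank mentions as a reason the script grew into Snortsam, can be shown in a few dozen lines. The following is an added example and is not code from either poster nor from the Snortsam project. It reads Snort "fast" alert lines (the sample lines, rule IDs and addresses are constructed, using documentation address ranges), blocks only sources whose alert priority meets a threshold, skips anything on a white list (so an internal host or the sensor itself never gets locked out by a spoofed or noisy alert), de-duplicates, and emits iptables commands as strings rather than executing them, so it runs as a dry run anywhere.

```python
"""Minimal Snort-alert-to-firewall-block decision logic (added example).

Parses Snort 'fast' alert lines, applies a priority threshold and a
white list, and produces iptables block commands without running them.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample alerts in Snort's 'fast' output format (not real traffic).
SAMPLE_ALERTS = """\
02/24-13:55:01.000001  [**] [1:1000001:1] CONSTRUCTED critical exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:4444 -> 192.0.2.10:22
02/24-13:55:02.000002  [**] [1:1000002:1] CONSTRUCTED port scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:51000 -> 192.0.2.10:80
02/24-13:55:03.000003  [**] [1:1000003:1] CONSTRUCTED noisy low-priority rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.9:53 -> 192.0.2.10:53
02/24-13:55:04.000004  [**] [1:1000001:1] CONSTRUCTED critical exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.50:3333 -> 192.0.2.10:22
02/24-13:55:05.000005  [**] [1:1000001:1] CONSTRUCTED critical exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:4445 -> 192.0.2.10:22
"""

# Hosts that must never be blocked, whatever the sensor reports:
# the monitored network itself and loopback (assumed values for the example).
DEFAULT_WHITELIST = ["192.0.2.0/24", "127.0.0.0/8"]

# Matches the tail of a fast-alert line; the port is optional (absent for ICMP).
ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)


def parse_alert(line: str) -> Optional[Dict[str, object]]:
    """Return priority, protocol, source and destination of one alert line,
    or None when the line is not a recognisable fast-format alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {
        "priority": int(m.group("prio")),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
    }


def is_whitelisted(ip: str, whitelist: Iterable[str]) -> bool:
    """True if ip falls inside any white-listed network (bad addresses count as
    white-listed so a malformed source can never become a firewall rule)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in ipaddress.ip_network(net) for net in whitelist)


def decide_blocks(lines: Iterable[str], max_priority: int = 1,
                  whitelist: Iterable[str] = DEFAULT_WHITELIST) -> List[str]:
    """Source addresses to block, in first-seen order, without duplicates.
    Snort priority 1 is the most severe, so an alert qualifies when its
    priority is <= max_priority."""
    whitelist = list(whitelist)
    chosen: List[str] = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["priority"] > max_priority:
            continue
        src = str(alert["src"])
        if is_whitelisted(src, whitelist) or src in chosen:
            continue
        chosen.append(src)
    return chosen


def iptables_commands(ips: Iterable[str]) -> List[str]:
    """Firewall commands for the chosen addresses; returned, not executed."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    # Dry run over the constructed sample: prints the commands a blocking
    # script would hand to the firewall.
    for cmd in iptables_commands(decide_blocks(SAMPLE_ALERTS.splitlines())):
        print(cmd)
```

On the sample, only 203.0.113.5 is selected: the priority-2 scanner and priority-3 noise are below the threshold, the priority-1 alert from 192.0.2.50 is dropped by the white list, and the second alert from 203.0.113.5 is a duplicate. Raising `max_priority` to 2 adds the scanner. A production version would add the pieces Frank lists as the reasons for the rewrite, most importantly an expiry for each block and a cap on how many blocks one sensor may request, since a rule that blocks on every critical alert is itself a way to deny service to whoever an attacker chooses to spoof.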
Full-Disclosure - We believe in it.