From: Wiese, Sean P. (swiesestate.nd.us)
Date: Mon Oct 22 2001 - 17:01:57 CDT


    Jeremy,

    Not to take anything away from Cisco and their 6500s, but:

    You need to be very careful when blocking traffic based on a signature
    match. False positives, and other "false" traffic generating signature
    matches, can do just as much damage as an exploit/DoS/etc. It's a fine line
    to walk when deciding to "dynamically" block traffic without human
    intervention.

    If I am correct here, maybe Hogwash (http://hogwash.sourceforge.net/) can
    give you what you are looking for.
    <<snip from Hogwash:

    How is Hogwash different from XXX?
    Many of the existing projects actively defend the network by manipulating
    deny rules in ipchains, netfilter, or the like. If a signature is matched,
    or a condition is met, the IP is added to the deny list.
    This is bad because attackers will figure out what's going on really fast.
    Their next move is to spoof packets coming from yahoo.com, microsoft.com,
    your DNS server, etc. and break the network. Hogwash can drop only the
    suspect packets or it can modify the content in route to sanitize the
    packet.

    END SNIP>>

    Just my .02 worth...

    Sean

    ................................................
    .. sean.wiese
    .. security.analyst
    .. information.technology.division
    .. state.of.north.dakota
    .. email: swiesestate.nd.us
    ................................................

    -----Original Message-----
    From: Jeremy [mailto:prrthdmyrealbox.com]
    Sent: Monday, October 22, 2001 4:43 PM
    To: focus-idssecurityfocus.com
    Subject: Snort and Cisco Pix

    Hello all,

      We were looking at the new Cisco IDS card that goes into their 6500s and
    our Cisco guy said that when it matches a signature it could update the PIX
    access lists to block traffic from that IP. We are currently running several
    Snort boxes and I was wondering if there was anything like that for Snort.
    Also, is there anything in Snort now other than flex-resp that takes an
    active role in stopping packets that match a certain signature?
      Sure would like to save our company $40K from having to buy 2 of those
    Cisco IDS cards.

    Thanks,
       Jeremy
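The following is an added example, not code from this thread, from Snort or from Hogwash. It simulates the two active-response policies the thread contrasts: adding the source address of any signature match to a deny list (the ipchains/PIX-ACL style Sean warns about) versus dropping only the offending packet (the Hogwash approach). The packet stream, the byte "signature", the addresses and the `protected` allowlist are all constructed for illustration; the point is to make the self-inflicted outage visible when an attacker forges the DNS server's address on a matching packet, and to show the two mitigations (per-packet drops, or a never-block list for critical infrastructure).

```python
"""Simulate IDS active-response policies on a constructed packet stream.

Added example; not the code of Snort, Hogwash or the original poster.
Everything below (signature, addresses, packets) is constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


# Toy signature: a byte pattern a content rule might look for (constructed,
# not a real Snort rule).
SIGNATURE = b"EVIL-PATTERN"


def matches(pkt: Packet) -> bool:
    """Signature match on packet content only; the source address is never trusted."""
    return SIGNATURE in pkt.payload


@dataclass
class DenyListResponder:
    """Deny the whole source address after its first match.

    This is the behaviour the Hogwash note criticises: one spoofed packet is
    enough to get a legitimate host blocked. `protected` is a constructed
    mitigation: addresses that are never added to the deny list.
    """
    protected: frozenset = frozenset()
    denied: set = field(default_factory=set)

    def handle(self, pkt: Packet) -> str:
        if pkt.src in self.denied:
            return "dropped:denylist"
        if matches(pkt):
            if pkt.src not in self.protected:
                self.denied.add(pkt.src)
            return "dropped:match"
        return "forwarded"


class PacketDropResponder:
    """Drop only packets that match; keep no per-address state."""

    def handle(self, pkt: Packet) -> str:
        return "dropped:match" if matches(pkt) else "forwarded"


DNS_SERVER = "192.0.2.53"    # documentation address (RFC 5737), constructed
ATTACKER = "198.51.100.7"    # constructed
CLIENT = "192.0.2.10"        # constructed

# Constructed stream: a harmless packet, then a matching payload sent with the
# DNS server's address forged as its source, then two genuine DNS replies.
STREAM = [
    Packet(ATTACKER, CLIENT, b"GET / HTTP/1.0"),
    Packet(DNS_SERVER, CLIENT, b"spoofed " + SIGNATURE),   # forged source
    Packet(DNS_SERVER, CLIENT, b"legit dns answer"),       # real reply
    Packet(DNS_SERVER, "192.0.2.11", b"legit dns answer"),  # real reply
]


def run(responder, stream=STREAM):
    """Return the verdict for each packet, in order."""
    return [responder.handle(p) for p in stream]


def collateral_drops(responder, stream=STREAM) -> int:
    """Count legitimate (non-matching) packets the policy dropped."""
    verdicts = run(responder, stream)
    return sum(1 for p, v in zip(stream, verdicts)
               if v != "forwarded" and not matches(p))


if __name__ == "__main__":
    for name, r in [("deny-list", DenyListResponder()),
                    ("deny-list + protected DNS",
                     DenyListResponder(protected=frozenset({DNS_SERVER}))),
                    ("per-packet drop", PacketDropResponder())]:
        print(f"{name:26s} {run(r)}  collateral={collateral_drops(r)}")
```

With the plain deny-list policy the two genuine DNS replies are dropped (collateral count 2) because the forged packet put the DNS server's address on the deny list; the per-packet policy and the allowlisted deny-list policy each drop only the one matching packet. The allowlist only protects addresses you thought to list in advance, which is why the thread favours dropping suspect packets over blocking sources.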