OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Frank Knobbe (FKnobbeKnobbeITS.com)
Date: Wed Jan 09 2002 - 20:06:02 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    > -----Original Message-----
    > From: Mike Hrubes [mailto:MHrubeswizmo.com]
    > Sent: Wednesday, January 09, 2002 11:30 AM
    >
    > I'm new to the IDS world. I understand what an IDS does, and why
    > you need it, but I have some questions on the technical aspect of
    > IDS. We are planning on implementing an IDS in the near future.
    > The idea that has been proposed is to put the IDS in the path
    > between connections, rather than connected in promiscuous mode.
    > The reason they want to do this is so they can also run a blocking
    > software, like portsentry, to block unwanted scans, etc.
    >
    > Is this even possible to do? The idea is to use a linux
    > server running
    > snort. This box would have two interfaces to route the
    > traffic through
    > it, scanning the signatures at the same time.
    >
    > Possible/not possible? If possible, good idea/bad idea? Opinions
    > in general?

    I'd say an interesting idea. Folks are already working on it. Search
    Snort archives/web site for Hogwash. I'm not sure at what point the
    'gateway IDS' actually becomes a 'content filter', but I'm looking
    forward to checking out Hogwash when it's available.

    The skinny (from what I understand): If Hogwash receives a packet, it
    runs it through its Snort detection engine. If the packet does not
    trigger a rules, it is passed on to the other interface. If it does
    trigger a rule, it is dropped.

    I think you are saying you want to block certain 'offenders' (like
    port scanners). You can do that today with Guardian (which lets Snort
    configure IPchains), or SnortSam (which lets Snort configure
    Checkpoint FW-1 [and soon Cisco PIX]). The later two will block every
    packet once a rule has been triggered. Hogwash works on a per packet
    basis.

    Regards,
    Frank

    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Privacy 6.5.8
    Comment: PGP or S/MIME (X.509) encrypted email preferred.

    iQA/AwUBPDz3CszYtOFvgXQfEQK8OgCeJTY5/3s4J07B80VHmFKtsJJYRvsAoLEW
    ZhSE3Q5y/hC6+xWtWwzKTIiB
    =ZwLZ
    -----END PGP SIGNATURE-----