RE: Snort and Cisco Pix

From: Frank Knobbe (FKnobbe@KnobbeITS.com)
Date: 10/23/01


Message-ID: <32CD6FE22EAB444BB1D27C10949A0E7C14FDEB@server1.home.knobbeits.com>
From: Frank Knobbe <FKnobbe@KnobbeITS.com>
To: 'Kurt Seifried' <bugtraq@seifried.org>, focus-ids@securityfocus.com
Subject: RE: Snort and Cisco Pix
Date: Mon, 22 Oct 2001 22:19:28 -0500


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: Kurt Seifried [mailto:bugtraq@seifried.org]
> Sent: Monday, October 22, 2001 5:08 PM
>
> Flex resp will do it. You could also use log monitoring
> software like swatch
> to take an action if a rule is matched, you could have it update
> the firewall list/etc. Personally I would recommend extreme
> caution doing this,
> if someone spoofs an attack from a partner or client you
> suddenly firewall
> them, and the attacker has just executed a rather nice attack on
> your system. The logic needed to prevent this would be simple but
> a good list of
> sites you do not want to block would be fun to keep up to date
> (root nameservers, partners, popular websites the boss likes,
> etc.).

Kurt,

I fully agree with you. SnortSam not only has white-list
support but also a threshold mechanism that can detect abnormal
levels of blocks so SnortSam can stay off the air until the attack
recedes. (And I recommend blocking for time intervals, never
permanently.)

The reason I was bringing SnortSam up is that I'm planning on adding
support for other firewalls, including reconfiguration of Cisco IOS
or PIX.

Regards,
Frank

PS: www.snortsam.net

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBO9ThwJytSsEygtEFEQKwdACeKuMtptuFLtNhHvrPEhiVkoxuMAcAn2kc
b1zQtAEuiBCjYZSZh+QViSGK
=2v5Z
-----END PGP SIGNATURE-----
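The safeguards discussed in this thread (a white-list of hosts that must never be firewalled, blocks that expire after a fixed interval, and a threshold that takes the responder off the air when the block rate looks abnormal) as an added example of an active-response policy. This is illustration code written for this page, not SnortSam, Snort or any firewall's own code; the class and method names, the thresholds and the alert stream it replays are all hypothetical or constructed.

```python
"""Active-response block policy: white-list, timed blocks, rate threshold.

Added example, not SnortSam/Snort code. All names and numbers are hypothetical.
"""
import ipaddress
import time
from collections import deque


class FakeClock:
    """Deterministic clock so the simulation runs offline and reproducibly."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class BlockPolicy:
    """Decides whether an IDS alert against a source IP should turn into a block."""

    def __init__(self, whitelist, block_seconds=600, max_blocks=10,
                 window_seconds=60, clock=time.time):
        # Hosts and networks that must never be blocked (partners, DNS, etc.).
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.block_seconds = block_seconds      # blocks are always time-limited
        self.max_blocks = max_blocks            # block requests allowed per window
        self.window = window_seconds
        self.clock = clock
        self.blocks = {}                        # ip -> expiry timestamp
        self.recent = deque()                   # timestamps of recent requests
        self.suspended_until = 0.0              # responder is "off the air" until then

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def _expire(self, now):
        for ip, expiry in list(self.blocks.items()):
            if expiry <= now:
                del self.blocks[ip]

    def is_blocked(self, ip):
        self._expire(self.clock())
        return ip in self.blocks

    def request_block(self, ip):
        """Return one of: whitelisted, suspended, already-blocked, blocked."""
        now = self.clock()
        self._expire(now)
        if self.is_whitelisted(ip):
            return "whitelisted"
        if now < self.suspended_until:
            return "suspended"
        # Count this request against the sliding window.
        self.recent.append(now)
        while self.recent and self.recent[0] <= now - self.window:
            self.recent.popleft()
        if len(self.recent) > self.max_blocks:
            # Abnormal block rate: most likely spoofed alerts aimed at making
            # us firewall innocent hosts. Stop blocking for one window.
            self.suspended_until = now + self.window
            self.recent.clear()
            return "suspended"
        state = "already-blocked" if ip in self.blocks else "blocked"
        self.blocks[ip] = now + self.block_seconds   # (re)arm the expiry timer
        return state


def simulate():
    """Replay a constructed alert stream and return (time, ip, decision) tuples."""
    clock = FakeClock()
    policy = BlockPolicy(whitelist=["192.0.2.0/24", "198.51.100.10/32"],  # constructed partner ranges
                         block_seconds=300, max_blocks=5, window_seconds=60, clock=clock)
    alerts = [
        (0, "203.0.113.7"),      # real attacker
        (1, "192.0.2.44"),       # "attack" spoofed from a partner subnet
        (2, "203.0.113.7"),      # attacker again: block already in place
        (400, "203.0.113.7"),    # attacker returns after the block expired
    ]
    # Flood of alerts from distinct spoofed sources within one window.
    alerts += [(401 + i, f"203.0.113.{100 + i}") for i in range(6)]
    results = []
    last = 0
    for t, ip in alerts:
        clock.advance(t - last)
        last = t
        results.append((t, ip, policy.request_block(ip)))
    return results


if __name__ == "__main__":
    for t, ip, decision in simulate():
        print(f"t={t:4d} {ip:15s} {decision}")
```

Blocks that were placed before the threshold tripped are left in place and simply run out on their own timer, which is the practical reason for never blocking permanently: a spoofed flood that slips past the threshold still only costs a bounded outage for the hosts it got blocked.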


