RE: Newbie IDS questions

From: Frank Knobbe (FKnobbe@KnobbeITS.com)
Date: 01/10/02


From: Frank Knobbe <FKnobbe@KnobbeITS.com>
To: 'Mike Hrubes' <MHrubes@wizmo.com>, FOCUS-IDS@SECURITYFOCUS.COM
Date: Wed, 9 Jan 2002 20:06:02 -0600 


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: Mike Hrubes [mailto:MHrubes@wizmo.com]
> Sent: Wednesday, January 09, 2002 11:30 AM
>
> I'm new to the IDS world. I understand what an IDS does, and why
> you need it, but I have some questions on the technical aspect of
> IDS. We are planning on implementing an IDS in the near future.
> The idea that has been proposed is to put the IDS in the path
> between connections, rather than connected in promiscuous mode.
> The reason they want to do this is so they can also run a blocking
> software, like portsentry, to block unwanted scans, etc.
>
> Is this even possible to do? The idea is to use a linux server running
> snort. This box would have two interfaces to route the traffic through
> it, scanning the signatures at the same time.
>
> Possible/not possible? If possible, good idea/bad idea? Opinions
> in general?

I'd say an interesting idea. Folks are already working on it. Search
Snort archives/web site for Hogwash. I'm not sure at what point the
'gateway IDS' actually becomes a 'content filter', but I'm looking
forward to checking out Hogwash when it's available.

The skinny (from what I understand): If Hogwash receives a packet, it
runs it through its Snort detection engine. If the packet does not
trigger a rule, it is passed on to the other interface. If it does
trigger a rule, it is dropped.

I think you are saying you want to block certain 'offenders' (like
port scanners). You can do that today with Guardian (which lets Snort
configure IPchains), or SnortSam (which lets Snort configure
Checkpoint FW-1 [and soon Cisco PIX]). The latter two will block every
packet once a rule has been triggered. Hogwash works on a per packet
basis.

Regards,
Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBPDz3CszYtOFvgXQfEQK8OgCeJTY5/3s4J07B80VHmFKtsJJYRvsAoLEW
ZhSE3Q5y/hC6+xWtWwzKTIiB
=ZwLZ
-----END PGP SIGNATURE-----
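The two response models Frank contrasts, an inline gateway that judges each packet on its own versus a passive sensor that reconfigures a firewall to block the offending source, are shown side by side in the following constructed simulation. This is an added example and not code from Hogwash, Guardian, SnortSam or Snort; the rule format is a tiny Snort-like subset, the rule SIDs and addresses are made up, and the "never_block" allow-list is an assumption about how a practitioner would deploy reactive blocking, not a feature the message describes.

```python
"""Inline packet filtering vs. reactive offender blocking (constructed example).

PacketFilterIPS models the Hogwash-style gateway: every packet runs through
the detection rules and a matching packet is dropped, nothing else changes.
OffenderBlockIPS models the Guardian/SnortSam style: the sensor only sees a
copy of the traffic, so the triggering packet has already gone through, but
the firewall is then told to drop everything from that source for a while.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    sid: int                   # hypothetical SID, not a real Snort rule id
    msg: str
    proto: str
    dport: Optional[int]       # None means any destination port
    content: Optional[bytes]   # None means header-only rule

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.content is not None and self.content not in pkt.payload:
            return False
        return True


# Constructed rule set for the demo.
RULES = [
    Rule(1000001, "WEB-ATTACKS /etc/passwd in request", "tcp", 80, b"/etc/passwd"),
    Rule(1000002, "POLICY telnet connection attempt", "tcp", 23, None),
]


class PacketFilterIPS:
    """Gateway with two interfaces: each packet is judged on its own."""

    def __init__(self, rules):
        self.rules = rules
        self.alerts = []        # (sid, src) tuples

    def process(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                self.alerts.append((rule.sid, pkt.src))
                return "drop"   # only this packet is lost
        return "forward"


class OffenderBlockIPS:
    """Passive sensor that installs a firewall block on the source address."""

    def __init__(self, rules, block_seconds=600, never_block=()):
        self.rules = rules
        self.block_seconds = block_seconds
        # Assumed safeguard: hosts you must never lock out (DNS, partners,
        # the sensor itself), since spoofed packets can trigger a block.
        self.never_block = [ip_network(n) for n in never_block]
        self.blocked = {}       # src -> expiry timestamp
        self.alerts = []

    def process(self, pkt: Packet, now: float) -> str:
        expiry = self.blocked.get(pkt.src)
        if expiry is not None:
            if now < expiry:
                return "drop"   # firewall rule drops everything from src
            del self.blocked[pkt.src]
        matched = next((r for r in self.rules if r.matches(pkt)), None)
        if matched is None:
            return "forward"
        self.alerts.append((matched.sid, pkt.src))
        if any(ip_address(pkt.src) in net for net in self.never_block):
            return "forward"    # alert only, never block this source
        self.blocked[pkt.src] = now + self.block_seconds
        # The sensor worked on a copy; the firewall rule lands afterwards,
        # so the triggering packet itself has already been delivered.
        return "forward"


def run_trace():
    """Replay a constructed packet sequence; return (inline, reactive) verdicts."""
    inline = PacketFilterIPS(RULES)
    reactive = OffenderBlockIPS(RULES, block_seconds=600, never_block=["192.0.2.0/24"])
    web = "203.0.113.10"
    trace = [
        (0.0,   Packet("198.51.100.7", web, "tcp", 80, b"GET /index.html HTTP/1.0")),
        (1.0,   Packet("198.51.100.7", web, "tcp", 80, b"GET /../../etc/passwd HTTP/1.0")),
        (2.0,   Packet("198.51.100.7", web, "tcp", 80, b"GET /index.html HTTP/1.0")),
        (3.0,   Packet("192.0.2.5", web, "tcp", 23, b"")),          # allow-listed partner
        (700.0, Packet("198.51.100.7", web, "tcp", 80, b"GET /index.html HTTP/1.0")),
    ]
    return [(inline.process(p), reactive.process(p, t)) for t, p in trace]


if __name__ == "__main__":
    for verdict in run_trace():
        print("inline=%-7s reactive=%s" % verdict)
```

The trace makes the trade-off visible: the inline filter stops the attack packet but lets the same host keep talking, while the reactive blocker lets the first attack packet through and then silences the source for the block window. Because reactive blocking keys on the source address, a packet with a forged source can be used to get a legitimate host blocked, which is why the allow-list exists; it also means no block is ever placed on the partner range even though its telnet attempt still produces an alert.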
