RE: Gateway IDS
From: Ian Peters (ian@ianpeters.net) Date: 06/26/02
- Previous message: David W. Goodrum: "NFR Response: Concerns with NFR"
- In reply to: Fatfinger: "Re: Gateway IDS"
- Next in thread: Joe Klein: "Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Ian Peters" <ian@ianpeters.net> To: <focus-ids@securityfocus.com> Date: Wed, 26 Jun 2002 09:13:45 +0100
Hi All,
/start of gratuitous plug
Although not yet ready, I have written a program to do this as my
final-year degree project. Specifically, it sits on a Linux machine on a
gateway, and can make routing/filtering decisions based on traditional
header value rules (i.e. IP addresses, flags etc.), and also on the results
of any other user-definable tests. The key one of these is IDS-style
pattern/signature matching. Additional tests will be added, such as
statistical IDS, and already working are user-definable counters, on which you
can perform arithmetic operations (+-/*) and logical tests (==,!=,<,>,<=,>=).
Outputs include the normal network outputs (drop, reject, forward), NAT,
logging (binary/text file, syslog, SMB, IDXP/IDMEF), and packet mangling.
Packet mangling involves modifying packets as they pass through; for example,
if an exploit is noted by the IDS, rather than dropping the packet you may
wish to just break the exploit, for example by setting all the packet
payload contents to NULL.
Input is through libpcap, or libipq (or both).
All this is configurable through a remote or local policy file, in XML,
which also understands snort rules. Tests, Outputs, and protocol support are
all provided by runtime-loaded plugins (aka shared-libraries).
This system isn't yet complete due to mechanical hardware difficulties,
namely that of the head of my hard drive deciding to meet the platter of my
hard drive! I hope to release an alpha version within the next 2-3 months,
however. I have set up a project on SourceForge, unix-name 'rubicon'.
For more information (in the form of some documentation, and my project
final and interim reports), have a look at:
www.ianpeters.net/page.php?p=project
Hope this is of interest. Please drop me a line if anyone wants more info,
or even fancies helping on the system.
/end of gratuitous plug
----- Original Message -----
From: "Jochen Vogel" <jvogel@it-sec.de>
To: <focus-ids@securityfocus.com>
Sent: Monday, June 24, 2002 5:14 AM
Subject: Gateway IDS
> Hi,
>
> Since last year I have been searching for a working gateway IDS solution.
> I am looking for a solution that works like a firewall but additionally
> can block packets after correlation with IDS signatures.
> The solution of sending RST packets or reconfiguring a firewall
> is nice, but not really when it comes to latency or spoofing packets.
>
> greets
> Jochen
>
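To make the design described in the post concrete, here is an added example (not code from the 'rubicon' project or from either poster) of an inline gateway policy engine in Python: rules combine header tests and an IDS-style payload signature, user-definable counters are updated with arithmetic operators and checked with logical tests before an action fires, and the verdict is drop, forward, or mangle (payload zeroed, packet still delivered). The `Packet`, `Rule`, and `Gateway` classes, the rule set, and the traffic are all constructed for this illustration.

```python
"""Toy inline gateway policy engine (constructed example, not the 'rubicon'
code): header rules, a payload signature test, user-definable counters with
arithmetic updates and logical tests, and drop/forward/mangle verdicts."""
from dataclasses import dataclass
from typing import Optional
import operator

# Logical tests a counter can be checked with (the set named in the post).
LOGICAL = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
           ">": operator.gt, "<=": operator.le, ">=": operator.ge}
# Arithmetic operators a counter can be updated with.
ARITH = {"+": operator.add, "-": operator.sub, "*": operator.mul,
         "/": operator.floordiv}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: frozenset
    payload: bytes


@dataclass
class Rule:
    name: str
    action: str                         # "drop", "forward" or "mangle"
    dport: Optional[int] = None         # header test: destination port
    flags: Optional[frozenset] = None   # header test: all of these flags set
    content: Optional[bytes] = None     # IDS-style signature in the payload
    count: Optional[tuple] = None       # (counter, op, value): update on match
    when: Optional[tuple] = None        # (counter, op, value): gate the action


class Gateway:
    def __init__(self, rules):
        self.rules = rules
        self.counters = {}
        self.log = []  # text log; a real system would also offer syslog/IDMEF

    def _matches(self, rule, pkt):
        if rule.dport is not None and pkt.dport != rule.dport:
            return False
        if rule.flags is not None and not rule.flags <= pkt.flags:
            return False
        if rule.content is not None and rule.content not in pkt.payload:
            return False
        return True

    def _update_counter(self, spec):
        name, op, value = spec
        self.counters[name] = ARITH[op](self.counters.get(name, 0), value)

    def _test_counter(self, spec):
        name, op, value = spec
        return LOGICAL[op](self.counters.get(name, 0), value)

    def process(self, pkt):
        """Return (verdict, packet); packet is None when dropped."""
        for rule in self.rules:
            if not self._matches(rule, pkt):
                continue
            if rule.count:
                self._update_counter(rule.count)
            if rule.when and not self._test_counter(rule.when):
                continue  # matched for counting only; keep evaluating rules
            self.log.append(f"{rule.name}: {rule.action} "
                            f"{pkt.src}->{pkt.dst}:{pkt.dport}")
            if rule.action == "drop":
                return "drop", None
            if rule.action == "mangle":
                # Break the payload instead of dropping: same length, all NUL.
                neutered = Packet(pkt.src, pkt.dst, pkt.dport, pkt.flags,
                                  b"\x00" * len(pkt.payload))
                return "mangle", neutered
            return "forward", pkt
        return "forward", pkt  # default policy: forward


def demo_rules():
    return [
        # Constructed traversal-style signature: neuter rather than drop.
        Rule("traversal-sig", "mangle", dport=80, content=b"/../"),
        # Count SYNs to port 80; drop only once the counter exceeds 3.
        Rule("syn-rate", "drop", dport=80, flags=frozenset({"SYN"}),
             count=("syn80", "+", 1), when=("syn80", ">", 3)),
        Rule("no-telnet", "drop", dport=23),
    ]


def demo_packets():
    """Constructed traffic: one signature hit, one clean request, four SYNs, one telnet."""
    syn, data = frozenset({"SYN"}), frozenset({"ACK", "PSH"})
    return ([Packet("10.0.0.5", "192.0.2.10", 80, data, b"GET /../../etc/passwd HTTP/1.0\r\n"),
             Packet("10.0.0.5", "192.0.2.10", 80, data, b"GET /index.html HTTP/1.0\r\n")]
            + [Packet("10.0.0.9", "192.0.2.10", 80, syn, b"") for _ in range(4)]
            + [Packet("10.0.0.7", "192.0.2.10", 23, syn, b"")])


def run_demo():
    gw = Gateway(demo_rules())
    return gw, [gw.process(p) for p in demo_packets()]


if __name__ == "__main__":
    gateway, results = run_demo()
    for verdict, _ in results:
        print(verdict)
    print(gateway.log, gateway.counters)
```

The mangle path keeps the packet length unchanged so that sequence numbers and any downstream state stay consistent; the counter rule shows why a rule may match without acting: the first three SYNs fall through to the default forward while still being counted.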