lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: frank at knobbe.us (Frank Knobbe)
Subject: IDS Signatures

On Thu, 2005-02-24 at 22:33 +0530, John Galt wrote:
> I am also in the process of implementing a NIDS in Linux, only I am
> attempting to make it proactive, more like an IPS. As far as your work
> is concerned, do take a look at snort. [...]
> With regard to my task of making the system proactive, can some one
> give some pointers to me? Right now i have configured ssh as rsh, so
> remote execution is a breeze. I am controlling all traffic through a
> firewall, so that when snort sees as attack (say critical attack), i
> can have a script constantly parse the logs and block the offending IP
> at the firewall.

John,

take a look at Snortsam (http://www.snortsam.net). Several years ago, I
had script, like you have now, running on Snort and a Checkpoint
firewall so that Snort could block there. That script was rewritten into
a C app so that it allowed extended functionality like white lists and a
sort of attack mitigation system. Also, running as a daemon has the
advantage that multiple Snort sensors can request a block on multiple
firewalls. I like to call it an Intrusion Response Network :)

Snortsam supports a variety of firewalls, making it attractive as a
single-shot comprehensive solution. You can configure it to block out
attackers or port scanner, but you can also configure it to
automatically isolate compromised hosts (stuff you would do by yourself,
except that Snortsam does it within a second, even at 4am Sunday
morning). For example, it can isolate a compromised DMZ server by
causing the DMZ firewall to block all outbound (and inbound) access
from/to that compromised box. Or it can block attackers from coming in.

There are a few solution that do that, but I think the distributed
nature of Snortsam makes it pretty attractive. You can detect an
attacker (say Nessus scan or so) in your London office and block him in
London, but also Tokyo, Frankfurt, New York, etc.

Check it out, it might suit your needs well. Feel free to email me if
you have questions.

Regards,
Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050224/349e60ab/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ