
Re: [Full-Disclosure] IDS Signatures

Subject: Re: [Full-Disclosure] IDS Signatures
Date: Thu, 24 Feb 2005 14:01:58 -0600
On Thu, 2005-02-24 at 22:33 +0530, John Galt wrote:
I am also in the process of implementing a NIDS in Linux, only I am
attempting to make it proactive, more like an IPS. As far as your work
is concerned, do take a look at snort. [...]
With regard to my task of making the system proactive, can someone
give some pointers to me? Right now I have configured ssh as rsh, so
remote execution is a breeze. I am controlling all traffic through a
firewall, so that when snort sees an attack (say critical attack), I
can have a script constantly parse the logs and block the offending IP
at the firewall.

John,

take a look at Snortsam (http://www.snortsam.net). Several years ago, I
had a script, like you have now, running on Snort and a Checkpoint
firewall so that Snort could block there. That script was rewritten into
a C app so that it allowed extended functionality like white lists and a
sort of attack mitigation system. Also, running as a daemon has the
advantage that multiple Snort sensors can request a block on multiple
firewalls. I like to call it an Intrusion Response Network :)

Snortsam supports a variety of firewalls, making it attractive as a
single-shot comprehensive solution. You can configure it to block out
attackers or port scanners, but you can also configure it to
automatically isolate compromised hosts (stuff you would do by yourself,
except that Snortsam does it within a second, even at 4am Sunday
morning). For example, it can isolate a compromised DMZ server by
causing the DMZ firewall to block all outbound (and inbound) access
from/to that compromised box. Or it can block attackers from coming in.

There are a few solutions that do that, but I think the distributed
nature of Snortsam makes it pretty attractive. You can detect an
attacker (say Nessus scan or so) in your London office and block him in
London, but also Tokyo, Frankfurt, New York, etc.

Check it out, it might suit your needs well. Feel free to email me if
you have questions.

Regards,
Frank
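The log-parsing script John describes, with the whitelist and block expiry Frank says his C rewrite added, as an added example (not John's script, not Snortsam's code). It assumes Snort's fast alert output format, constructed IPv4-only sample alerts, and that a firewall command string is produced rather than executed.

```python
import ipaddress
import re

# Snort "fast" alert line (alert_fast output), IPv4 only; pattern written for this example
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts (not real traffic): critical, low-priority scan,
# critical from a whitelisted host, repeat of the first, and a non-alert line
SAMPLE_ALERTS = [
    "02/24-13:55:01.000001  [**] [1:1000001:1] EXPLOIT overflow attempt [**] "
    "[Classification: Attempted Admin Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:4444 -> 192.168.1.10:22",
    "02/24-13:55:02.000001  [**] [1:1000002:1] SCAN nmap XMAS [**] "
    "[Classification: Attempted Information Leak] [Priority: 3] {TCP} 203.0.113.7:40000 -> 192.168.1.10:80",
    "02/24-13:55:03.000001  [**] [1:1000001:1] EXPLOIT overflow attempt [**] "
    "[Classification: Attempted Admin Privilege Gain] [Priority: 1] {TCP} 192.168.1.2:5555 -> 192.168.1.10:22",
    "02/24-13:55:04.000001  [**] [1:1000001:1] EXPLOIT overflow attempt [**] "
    "[Classification: Attempted Admin Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:4445 -> 192.168.1.10:22",
    "this line is not an alert",
]
# Hosts that must never be blocked: the management LAN and the sensor itself
WHITELIST = ["192.168.1.0/24", "127.0.0.1/32"]

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])  # Snort priority: 1 is the most severe
    return fields

def plan_blocks(lines, whitelist, max_priority=1, block_seconds=600):
    """Decide which source IPs to block; one entry per new IP, in alert order."""
    nets = [ipaddress.ip_network(w) for w in whitelist]
    seen, plan = set(), []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["prio"] > max_priority:
            continue  # unparsable, or not severe enough to act on automatically
        src = ipaddress.ip_address(alert["src"])
        if src in seen or any(src in net for net in nets):
            continue  # already planned, or whitelisted
        seen.add(src)
        plan.append({"ip": str(src), "sid": alert["sid"], "msg": alert["msg"],
                     "expires_in": block_seconds,  # blocks must expire, not pile up
                     "command": f"iptables -I INPUT -s {src} -j DROP"})
    return plan
```

Without the whitelist, an attacker who spoofs a management address in a scan can get the script to lock the administrators out, which is why the check comes before the block.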


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html