Re: [Snort-users] SYN Proxy

Thanks all for your comments.
Now I have a clear vision for what to do and what to use.

Regards,
Xavier C.

Daniel Cid wrote:

> Your Linux box running snort in inline mode can't be considered a 
> firewall. By the default, snort-inline allows everything and only 
> block what it detects as "wrong". You BSD firewall should block 
> everything and only allow what is necessary on your network.
> It's two different devices doing different things. Do not expect your 
> IDS (snort inline is basically an IDS with a blocking response) to do 
> what
> your firewall should be doing.
>
> Daniel
>
> Xavier Cabrera wrote:
>
> > Hello:
> >
> > Thanks for all your answers. Wel i think too the best aproach for 
> > this is doing on iptables like Will say.. but if we really want a IPS 
> > with snort maybe we can start to think on that solution. Maybe people 
> > of sourcefire can plant this solution for future releases.
> >
> > If snort in future can handle the connections with syn proxy or 
> > (seudo syn proxy) validating the real one's before they can pass can 
> > start to think in the best IPS of the World
> >
> > Well, i have to continue with my two boxes.... Like Matt say... right 
> > now i have a Linux-Snorted behind a BSD.... and that is not 
> > elegant.... A firewall behind another one?
> >
> >
> > Regards
> >
> > Xavier Cabrera.
> >
> >
> > Will Metcalf wrote:
> >
> > > I could think of a way to do this, it probably wouldn't be very clean
> > > and would more than likely require an ip stack to be loaded on your
> > > inline box.
> > >
> > > This is really something that should be handled in netfilter rather
> > > than in snort-inline.  If packets make it to the queue and you have a
> > > lot of spoofed packets your DoS isn't going to be on the end host your
> > > trying to protect, it's going to be your inline box dealing with all
> > > the damn context switching between user space and kernel space.
> > >
> > > Regards,
> > >
> > > Will
> > >
> > > On 7/19/05, Matt Kettler <mkettler@evi-inc.com> wrote:
> > >  
> > >
> > > > Xavier Cabrera wrote:
> > > >  
> > > >
> > > > > Anyone know how snort can work like a Syn Proxy in inline mode?
> > > > >     
> > > >
> > > >
> > > > Not that I'm aware of.. Ultimately I think you'll have to do this 
> > > > in two stages,
> > > > something like this:
> > > >
> > > > PC -> syn proxy -> snort inline -> Internet
> > > >
> > > > You might be able to wrap it all up on the same box by using two 
> > > > interfaces and
> > > > have the proxy tool running on the inside interface, and then 
> > > > inline snort on
> > > > the outside.
> > > >
> > > >
> > > > Something like this:
> > > >
> > > > inside interface ->syn proxy -> OS routing -> snort inline -> 
> > > > outside interface
> > > >
> > > >
> > > >
> > > > but I'm not up-to-speed on all the syn proxy tools out there, or 
> > > > snort's current
> > > > inline support.
> > > >
> > > >
> > > > -------------------------------------------------------
> > > > SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> > > > from IBM. Find simple to follow Roadmaps, straightforward articles,
> > > > informative Webcasts and more! Get everything you need to get up to
> > > > speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users@lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > > >   
> >
> >
> >
> >
> > -------------------------------------------------------
> > SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> > from IBM. Find simple to follow Roadmaps, straightforward articles,
> > informative Webcasts and more! Get everything you need to get up to
> > speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users@lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users





-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users