From: unor <uno...@ya...> - 2004-01-30 17:03:38
Yes. Here are the basic requirements I have set:

- Able to actively stop "malicious" traffic
- Rich ruleset
- Management via ssh
- Quickly deployable
- Inline, no routing (no network changes)
- Undecided on fail open or closed... I prefer to have a choice
- Free

Basic operation: Completely open Bridge_FW with Snort_inline making decisions on what to drop.

This is not being designed as a long-term solution... more like an "If all else fails" backup to have on hand for temporary situations if they arise. A potential deployment scenario would be to have these running (or ready to go) at various choke points with an "empty ruleset" until the next "Insert_Malicious_Activity" happens. Quickly craft a rule (assuming it is possible) and deploy it to provide protection until (Insert_Vendor) updates a signature or whatever. I'm sure there are a million other ways to do this and I'm not by any means claiming to have a "New" or "Better" idea... The technology is free, runs on cheap hardware and it seems to work.

I have not done any load testing (yet) and have heard that there is a performance hit with respect to the trip down to user space, which is why I plan on starting out with a solution that is more of a single-purpose temporary fix for when nothing else works.

For now, I only have what Will suggested earlier:

    iptables -A FORWARD -j QUEUE
    iptables -A FORWARD -j ACCEPT

I believe this is all I need for now because this is not meant to be a firewall... it's a purpose-built IPS. I'll borrow some of the iptables stuff from rc.firewall (and learn more myself) to help lock down the management interface when I get there.

I feel that snort_inline fits well. I have something working (more or less) but am open to input if you have suggestions. Thanks for participating.

The SourceForge page looks great... Clean and to the point. I don't know C and hate HTML but I can script a bit and can write reasonably well provided a spell checker is available <grin>. Let me know if I can help.
Earl Sammons

--- Rob McMillen <rv...@ca...> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Is your intent to let all traffic flow via snort_inline? Both outbound and inbound?
>
> Rob
>
> On Fri, 23 Jan 2004, unor wrote:
>
> > I'm looking for a "simple" version of the infamous rc.firewall from the honeynet project.
> >
> > I want to do a bridged inline IPS with snort_inline and therefore don't need the outbound blocking / rate limiting and other various parts of the existing rc.firewall script. Is there anything like this out there?
> >
> > I'm trying to hack up a version of rc.firewall myself but... If I get it working I'll post it.
> >
> > Earl
> >
> > _______________________________________________
> > Snort-inline-users mailing list
> > Sno...@li...
> > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
> Comment: Made with pgp4pine 1.76
>
> iQA/AwUBQBGelvnAyY+9KLjdEQKedwCgvWx0ZOgZ3dgEyh+48f8yMtPEtiQAoP1b
> skuc76JsfD/7DO36276ScqkC
> =3BUx
> -----END PGP SIGNATURE-----
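The bring-up Earl describes (transparent bridge, FORWARD chain handed to snort_inline through the QUEUE target, ssh-only management interface, and an explicit fail-open or fail-closed choice) as an added shell example. This is not code from the thread or from the snort_inline project; the interface names eth1/eth2/eth0, the admin network 192.0.2.0/24 and the sample rule values are assumptions to be replaced on a real box. With DRY_RUN=1 (the default) it only prints the commands it would run, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the original post. Minimal bridged snort_inline IPS.
# Assumptions (hypothetical): eth1/eth2 are the bridged pair, eth0 is the
# management interface, 192.0.2.0/24 is the admin network, and snort_inline
# itself is started separately, reading from the ip_queue module.
# DRY_RUN=1 prints commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"
BR_IF="${BR_IF:-br0}"
IN_IF="${IN_IF:-eth1}"
OUT_IF="${OUT_IF:-eth2}"
MGMT_IF="${MGMT_IF:-eth0}"
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Transparent bridge: no IP address on the bridged pair, so nothing is
# routed and no host on either side sees a new hop.
bridge_up() {
    run modprobe bridge
    run brctl addbr "$BR_IF"
    run brctl addif "$BR_IF" "$IN_IF"
    run brctl addif "$BR_IF" "$OUT_IF"
    run ifconfig "$IN_IF" 0.0.0.0 promisc up
    run ifconfig "$OUT_IF" 0.0.0.0 promisc up
    run ifconfig "$BR_IF" 0.0.0.0 up
}

# Hand every bridged frame to snort_inline via the QUEUE target. If no
# user-space listener is attached to ip_queue, the kernel drops queued
# packets, so this is fail-closed by default. A trailing "-A FORWARD -j
# ACCEPT" after the QUEUE rule is never consulted: an ACCEPT verdict from
# user space leaves the chain rather than continuing to the next rule.
ips_rules() {
    run modprobe ip_queue
    run iptables -F FORWARD
    run iptables -P FORWARD ACCEPT
    run iptables -A FORWARD -j QUEUE
}

# Lock down the management interface: ssh from the admin network only.
mgmt_rules() {
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -i "$MGMT_IF" -s "$MGMT_NET" -p tcp --dport 22 -j ACCEPT
    run iptables -A INPUT -i "$MGMT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# The fail-open / fail-closed choice. $1 = open|closed, $2 = running|dead.
# Rewrites FORWARD rule 1 (the QUEUE rule) when snort_inline is not running
# and echoes the action taken as its last line: keep, bypass or drop.
failure_policy() {
    mode="$1"; state="$2"
    if [ "$state" = "running" ]; then
        echo keep
        return 0
    fi
    case "$mode" in
        open)   run iptables -R FORWARD 1 -j ACCEPT; echo bypass ;;
        closed) run iptables -R FORWARD 1 -j DROP;   echo drop ;;
        *)      echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

snort_state() {
    if pgrep -x snort_inline >/dev/null 2>&1; then echo running; else echo dead; fi
}

# Quick "Insert_Malicious_Activity" rule: snort_inline's drop action in place
# of alert. $1 = dest port, $2 = msg, $3 = content match, $4 = local sid.
emergency_rule() {
    printf 'drop tcp $EXTERNAL_NET any -> $HOME_NET %s (msg:"%s"; content:"%s"; sid:%s; rev:1;)\n' \
        "$1" "$2" "$3" "$4"
}

main() {
    bridge_up
    ips_rules
    mgmt_rules
    failure_policy "${FAIL_MODE:-closed}" "$(snort_state)"
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `DRY_RUN=1 sh ips.sh run` to review the command list, then `DRY_RUN=0 FAIL_MODE=open sh ips.sh run` on the box; `failure_policy` is the piece to call from a cron or watchdog loop so that a crashed snort_inline turns into a bypass or a drop deliberately rather than by accident.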