Contributed by jose on from the active-defenses dept.
and blocks the 'attackers' with pf, is available now.
This way, you can turn your OpenBSD boxen easily
into an Intrusion Detection and Prevention System.
Features:
+ can unblock hosts after X seconds
+ small footprint
+ easy installation
New in this version:
+ idpsinfo(1) tool (displays a list of currently blocked hosts)
+ super cool install.sh script
+ performance improvements
Download: ftp://ftp.h07.org/pub/ssc/snort2pf-3.1.tar.gz "
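Added example (not snort2pf's own code, which is not on this page) of the alert-to-pf loop the announcement describes: parse Snort fast-format alert lines, add the source address to a pf table with pfctl, and delete it again once the timeout has passed. It assumes Snort's single-line "fast" alert format, a pf table named snort2pf declared in pf.conf with a matching block rule, and an injectable command runner so the logic can be exercised without pf; it also goes beyond the announcement by adding the severity threshold and never-block list that the comments below argue for.

```python
import re
import subprocess
import time

# Snort single-line ("fast") alert layout this example assumes:
# <time> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)
TABLE = "snort2pf"  # assumed pf table; needs 'table <snort2pf> persist' plus a block rule in pf.conf


def parse_alert(line):
    """Return (src_ip, proto, priority) for a fast-format alert line, or None if it is not one."""
    m = ALERT_RE.search(line)
    return (m.group("src"), m.group("proto"), int(m.group("prio"))) if m else None


class Blocker:
    def __init__(self, timeout, max_priority=1, never_block=(), run=None):
        self.timeout = timeout                # seconds a host stays blocked ("unblock after X seconds")
        self.max_priority = max_priority      # block only alerts this severe or worse (1 = most severe)
        self.never_block = set(never_block)   # gateway, DNS, admin hosts: an alert must never cut these off
        # real runner shells out to pfctl; tests inject a recorder instead
        self.run = run or (lambda args: subprocess.run(["pfctl"] + args, check=True))
        self.blocked = {}                     # ip -> time at which it gets unblocked

    def handle(self, line, now=None):
        """Feed one alert line; returns 'ignored', 'logged' or 'blocked'."""
        now = time.time() if now is None else now
        parsed = parse_alert(line)
        if parsed is None:
            return "ignored"
        src, _proto, prio = parsed
        if src in self.never_block or prio > self.max_priority:
            return "logged"                   # worth a log entry, not worth a block
        if src not in self.blocked:
            self.run(["-t", TABLE, "-T", "add", src])
        self.blocked[src] = now + self.timeout  # repeat alerts extend the block instead of re-adding
        return "blocked"

    def expire(self, now=None):
        """Unblock hosts whose time is up; returns hosts still blocked (what idpsinfo(1) would list)."""
        now = time.time() if now is None else now
        for ip, until in list(self.blocked.items()):
            if until <= now:
                self.run(["-t", TABLE, "-T", "delete", ip])
                del self.blocked[ip]
        return sorted(self.blocked)
```

In production the loop would tail the alert file, call handle() per line and expire() on a timer; the constructed alert lines in the test stand in for a real Snort log.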
By Darian Lanx () on http://fink.sf.net/
-d
Comments
By djm () on
Personally, I don't think that reactively blocking hosts does any good anyway.
By Strog () on
I would tread lightly with this and wouldn't get very aggressive at all. I've been manually blocking the boneheaded code red, buffer overflow, etc. idiots with a table in an external file. That works pretty good but I don't think I'd do more than that without some intervention.
By petr () pruzicka@openbsd.cz on mailto:pruzicka@openbsd.cz
Jesus, people. You really want to choose what attacks to block and not blindly block every alert. I would like to see 'trivial' spoofing where TCP is involved. Ever tried that? To establish a blind TCP connection with a host on the internet and launch an exploit? Nonsense..
I do not like the presence of an IDS on the firewall either, but it is nice to have such a tool. A better way would be a second box with Snort that modifies the pf table over an SSH connection.
By Luiz Gustavo () on
By Anonymous Coward () on
By ssc () on
There will be a command line switch to decide between 'add block rule' and 'kill state entry' in v3.2, maybe.
I have to oversleep that, I guess.
By Clint () on
Killing the particular state entry may allow you to block the traffic that the snort sig alerts to, but still allow legit traffic from that source IP, lowering the risk of denial of service from spoofed packets.
Another cool feature would be to set a probability rating. Something to say "these snort sigs have xyz rating that the packet is actually malicious. Anything over xyz%, kill state, otherwise just log."
By Anonymous Coward () on
By Anonymous Coward () on
How do you set this up for firewalls connected to the internet using DHCP?
By Anonymous Coward () on
By djm () on
By Anonymous Coward () on
By Anonymous Coward () on
"port 2000 <> 2004
means `all ports > 2000 and 2004', hence ports 1-1999 and 2005-65535."
Looks the same to me :P
By Anonymous Coward () on
port 2000 <> 2004
means `all ports > 2000 and 2004', hence ports 1-1999
and 2005-65535.
By Daren () on
By Anonymous Coward () on
By Dave Steinberg () dave@redterror.net on http://www.geekisp.com/
By Anonymous Coward () on
By Dave Steinberg () dave@redterror.net on http://www.geekisp.com/
By Anonymous Coward () on
Thanks
By Anonymous Coward () on
http://unix-geek.info/codedocs/snort2pf.html
I should look at Google before posting :/
By ssc () on
http://bsd-security.org/~ssc/codedocs/snort2pf/
The information on unix-geek.info is outdated at the moment due to technical problems with the hosting company.
By Anonymous Coward () on http://sourceforge.net/projects/hogwash/
http://sourceforge.net/projects/hogwash/