Contributed by
Dengue
on
from the pig-by-the-tail dept.
ssc
writes :
"Here is a little perl-script that might -hopefully- be usefull to some of you.
It parses snort's alert file and blocks the "bad" hosts
for a specific amount of time using PF and anchors.
You can obtain it from
http://unix-geek.info/snort2pf.txt
.
There's a german mini-howto from the "OpenBSD Dokumentations Projekt" containing instructions for installing it together with snort.
http://unixscout.bay13.net/uscout/faq_snort2pf.html
I'd love to hear some comments / suggestions."
Reactive IDS systems can be quite controversal, and require careful configuration or you can wind up a victim of your own cleverness. Caveats aside, budding BOFH's should give this a try.
(Comments are closed)
Comments
By
Lurene () bitkitten at I hate spam ghettohackers dot n3t
on
mailto:bitkitten at I hate spam ghettohackers dot n3t
Yay for quick and easy denial of service attacks...
By
Anonymous Coward ()
on
In other words... Still, no deep packet inspection for PF.
Comments
By
tedu ()
on
in other words, the kernel shouldn't be peeking inside packets.
i can see it now...
# most websites are ok
pass out port 80 http content-type=text/html
# linux sucks
block out port 80 http site="kernel.org"
# no IE allowed on our network
block out port 80 http agent="IE/6.0"
# allow thumbnails, but no full blown pr0n
block outbh port 80 http content-type=image/jpeg name="jenna jameson" fuzziness 60k
Comments
By
Anonymous Coward ()
on
No, we will not stop before we have regex code in the kernel (supporting backreferences, they are neat to edit payload) and can load our snort rules into the packet filter.
Once that's been implemented, we'll notice some odd things, learn about TCP segmentation, and conclude that the whole scheme is mostly flawed. Then we'll import snort's TCP stream-assembly into the kernel, mostly duplicating the existing tcp_input functions. And finally, someone will benchmark the bloat and notice that it's only insignificantly faster than a userland implementation, but we'll not have much time to worry about that, as we're busy fixing the security bugs introduced with all the string handling code.
By
Anonymous Coward ()
on
Who said it needed to be kernel-space? Hey, the OpenBSD developers are the bigest propenents of privlidge seperation.
Has anyone tried this before http://www.snortsam.net I am thinking about useing it on a OpenBSD System.
Comments
By
ssc ()
on
mailto:ssc (at) unix-geek (dot) info
Last time I looked at it was in april,
short after the snort 1.9 bug got public.
SnortSam didn't play well with Snort 2.0 to that time, so I've written snort2pf.
I consider it to be "stable" now.
Troll throught the google cache of web server logs to build a complete list of all the world's proxies (including reverse proxies!).
Find out a portion of the InterWeb (that uses reactive filtering) you want to take down.
Attack with spoofed (reverse) proxy addresses.
Well, it's certainly more general but harder to use than the cisco IOS DoS.
BTW, is it a general rule that reactive IDS systems will unblock reactive filters upon receiving spoofs from either the IDS address space or from internal addresses? I seem to recall a certain problem with a popular commercial IDS system a few years back...
By Lurene () bitkitten at I hate spam ghettohackers dot n3t on mailto:bitkitten at I hate spam ghettohackers dot n3t
By Anonymous Coward () on
Comments
By tedu () on
i can see it now...
# most websites are ok
pass out port 80 http content-type=text/html
# linux sucks
block out port 80 http site="kernel.org"
# no IE allowed on our network
block out port 80 http agent="IE/6.0"
# allow thumbnails, but no full blown pr0n
block outbh port 80 http content-type=image/jpeg name="jenna jameson" fuzziness 60k
Comments
By Anonymous Coward () on
Once that's been implemented, we'll notice some odd things, learn about TCP segmentation, and conclude that the whole scheme is mostly flawed. Then we'll import snort's TCP stream-assembly into the kernel, mostly duplicating the existing tcp_input functions. And finally, someone will benchmark the bloat and notice that it's only insignificantly faster than a userland implementation, but we'll not have much time to worry about that, as we're busy fixing the security bugs introduced with all the string handling code.
By Anonymous Coward () on
By lepole () paulfriedrich@mac.com on mailto:paulfriedrich@mac.com
Comments
By ssc () on mailto:ssc (at) unix-geek (dot) info
short after the snort 1.9 bug got public.
SnortSam didn't play well with Snort 2.0 to that time, so I've written snort2pf.
I consider it to be "stable" now.
By Philip () pm@mp2.at on mailto:pm@mp2.at
greetings and thanks!
philip
Comments
By ssc () on mailto:ssc (at) unix-geek (dot) info
as mentioned in the section of snort2pf.
By ssc () on mailto:ssc (at) unix-geek (dot) info
as mentioned in the section of snort2pf.
By Renteria () reneria@certmx.org on http://www.certmx.org
i need down...
Tkz
Comments
By Renteria () renteria@certmx.org on http://www.certmx.org
By Anonymous Coward () on
Find out a portion of the InterWeb (that uses reactive filtering) you want to take down.
Attack with spoofed (reverse) proxy addresses.
Well, it's certainly more general but harder to use than the cisco IOS DoS.
BTW, is it a general rule that reactive IDS systems will unblock reactive filters upon receiving spoofs from either the IDS address space or from internal addresses? I seem to recall a certain problem with a popular commercial IDS system a few years back...