Re: [Snort-users] block connections in IPS

HI Geoff,

As far as I know I would say what a IPS is

IPS depends on the person who said it? Some people say it as IDS
functionality to firewall while some says it next generation IDS.
we can call the following as IPS , any device which has the capability of
detecting the attacks and preventing these detects to succeed in causing
damage.

- Inilne IDS : like snort_inline and hogwash, They sit inline
,takes each packet from the firewall ,process it against some signatures
and decides whether to drop or alert or accept the packet. Hogwash also
does the modification of the packet.

- Application based firewalls/IDS : These are nothing but layer 7
switches ,signature based. Placing them before firewall would help us
blocking attacks before they reach the firewall itself.

- And there are hybrid switches, honeyd etc.,
Coming to my query snort_inline uses snort engine. But I agree snort_inline
does not completely utilize all the snort preprocessors. So any point that
is applicable to snort may be applicable to snort_inline also.

Take a look at this comment,

" In our tests, snort (v 1.8.4 and beta v. 1.9.1) does not always kill the
HTTP connection using the RST and/or ICMPs. In most of the cases connection
is reset and sometimes it remains running and the file (dummy " cmd.exe"
placed on Apache web server) is successfully downloaded. The possible
explanation is that RST arrives too late for the connection to be reset
since the response from server comes earlier with the right sequence
number. The delayed RST is then discarded. Thus RST/ICMP is not a reliable
security mechanism (exactly as claimed in the snort documentation)." --
Anton Chuvakin, Ph.D.

So what could be the alternate way to effectively block the connections.

Regards,
Ravi.





At 10:41 PM 10/1/03 -0700, Geoff wrote:
>I don't think you are correct on what an IPS is. A normal IDS can preform
>flex-response (in snort land) which send s resets. Active response
>features like ICMP error codes and shunning (applying dynamic acl's to
>routered interfaces or firewalls) are also enployed by different IDS
>vendors. IPS's work in a different fashion.
>
>They sit inline with your connection (or they are just an IDS).
>
> |---------------|
>|---------| | | |-----------|
>| Border |<--->| IPS |<--->| Internal |
>| Router | | | | Router |
>|_________| |_______________| |___________|
>
>
>Their is nothing that says on IDS can not sit inline as well however an
>IPS can ONLY sit in line and IDS can do both and still function. The
>difference is how far the packet goes after detection.
>
>An IPS will drop the packet BEFORE it ever leaves the opposite interface
>from where it came in on.
>(X = Bad Packet)
>
>
> |----------------|
>|---------| X | X | |-----------|
>| Border |<--->| IPS |<--->| Internal |
>| Router | |(Packet Dropped)| | Router |
>|_________| |________________| |___________|
>
>
>Some vendors will also write and ACL on the IN and OUT interfaces of the
>IPS for the source/destination IP and PORT pairs and block all traffic for
>a certain time (90 sec).
>
>And IDS will send a reset of apply an acl but that is well after the
>packet has reached it destination.
>
>As far as false positives... that is a whole other email :)
>
>Geoff
>
>Ravi Kumar wrote:
>>Hi All,
>>IPS uses TCP Reset or ICMP to block connections. The drawback with this
>>approach could be unsuccessful ness in resetting the connection. Do IPS
>>have any other mechanism to block connections.
>>Snort_inline uses TCP reset and ICMP error messages.
>>The other approach currently followed by some products is to configure
>>policies automagically in the firewall to block particular connections.
>>This may lead to many false positives.
>>Is there any mechanism to reduce false positives and effectively block
>>connections.
>>Regards,
>>Ravi
>>
>>
>>
>>The Views Presented in this mail are completely mine. The company is not
>>responsible for what so ever.
>>----------
>>Ravi Kumar CH
>>Rendezvous On Chip (I) Pvt Ltd
>>Hyderabad, INDIA
>>ROC HOME PAGE:
>>http://www.roc.co.in
>>
>>
>>-------------------------------------------------------
>>This sf.net email is sponsored by:ThinkGeek
>>Welcome to geek heaven.
>>http://thinkgeek.com/sf
>>______________________________________________ _
>>Snort-users mailing list
>>Snort-users@lists.sourceforge.net
>>Go to this URL to change user options or unsubscribe:
>>https://lists.sourceforge.net/lists/...fo/snort-users
>>Snort-users list archive:
>>http://www.geocrawler.com/redir-sf.p...st=snort-users
>
>
>
>-------------------------------------------------------
>This sf.net email is sponsored by:ThinkGeek
>Welcome to geek heaven.
>http://thinkgeek.com/sf
>_______________________________________________
>Snort-users mailing list
>Snort-users@lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/...fo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.p...st=snort-users

The Views Presented in this mail are completely mine. The company is not
responsible for what so ever.

----------
Ravi Kumar CH
Rendezvous On Chip (I) Pvt Ltd
Hyderabad, INDIA

ROC HOME PAGE:
http://www.roc.co.in




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users