
Re: [Snort-users] Snort& Intrusion Prevention

Old 06-02-2004
Matt Kettler

At 09:10 AM 6/2/2004, Maetzky, Steffen (Extern) wrote:
>I'd like to compare some possibilities of using snort as IPS.
>I know the following plugins/ patches:
>
>Flexresp/ flexresp2, Snort-inline, Guardian, Snortsam
>
>I'd like to know if my understanding of them is right or not
>and if there are further advantages, disadvantages I have not listed and
>which depends directly to the architecture of one of the systems.
>
>My understanding of them is the following:
>
>1. Snort is getting in "Inline-Mode" (what does "Inline-Mode" mean?) if I
>use flexresp, flexresp2 or snort-inline which means that snort can block
>actively.
"in-line" means just that.. the snort box is in-line with your data flow,
much like a firewall box. It's got two ethernet interfaces, and data must
go through the snort box, and can't go around it.

Internet -------- inline-snort ------ your network

However, neither flexresp nor flexresp2 are inline type technologies, and
they operate VERY differently than inline-snort.

flexresp and flexresp 2 work by attempting to desynchronize and reset a TCP
connection, or use ICMP errors to attempt to report a fake error to one of
the systems.

Most of your understandings are a bit flawed, so here's something more
involved:

Flexresp/flexresp2 (or any other "spoofed packet" system)

Advantages:
- snort is not in-line, making installation easy.
- No additional software, just a compile of snort --enable-flexresp
- DoS via spoofed packets by attacker unlikely, scope limited to killing one connection at best

Disadvantages:
- reacts "after the fact" and attempts to kill traffic after the rule was triggered (packet containing attack passes)
- requires the snort box to send packets into the monitored stream.. sniff-only tap impossible.
- unreliable, desynch attempts may fail, cunning attackers can make active attempts to evade it


inline-snort: (or any other "inline firewall IPS" type system that kills single packets or single connections)

Advantages:
- reliable. Can block the packet containing the attack.
- kills only the attack packet
- DoS via spoofed packets by attacker unlikely, scope limited to killing one connection at best

Disadvantages:
- requires in-line connection
- linux/iptables specific (BSD variant in development??)
- sniff-only tap impossible


Guardian, SnortSam (or any other reactive firewall-reconfig system that blocks hosts for a set period of time)

Advantages:
- Depending on configuration, the snort sensor can be done with a sniff-only tap.
- semi-reliable. Can block the source of attack, although the attack itself will likely go through.
- can block any follow-on attacks which might not be detected by snort.
- Works on a wide variety of firewalls
- Can interface to a stand-alone firewall box or appliance.

Disadvantages:
- DoS via spoofed packets faking attacks from all over the world possible, can be mitigated partly via whitelists.
- reacts "after the fact" and attempts to kill traffic after the rule was triggered (packet containing attack passes)
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
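The last category in Matt's comparison (Guardian/SnortSam-style reactive blocking of a source host for a set period, with a whitelist as the partial mitigation against spoofed-alert DoS) is the one whose behaviour is easiest to get wrong, so here is a small model of it as an added example. This code is not from the thread and is not SnortSam's or Guardian's own code; it assumes a 600-second block period, a whitelist of networks that must never be blocked, and alert lines constructed in the shape of Snort's fast-alert output using documentation address ranges. It shows the three outcomes the post describes: the triggering packet has already passed and only follow-on traffic from the source is blocked, an alert whose source is spoofed as one of our own servers is refused by the whitelist, and blocks expire after the configured period.

```python
import re
import ipaddress
from dataclasses import dataclass, field

# Assumed block duration in seconds; the real tools make this configurable.
BLOCK_SECONDS = 600

# Matches the "{PROTO} src:port -> dst:port" tail of a Snort fast-alert line.
ALERT_RE = re.compile(r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")


@dataclass
class ReactiveBlocker:
    """Host-level blocker in the SnortSam/Guardian style (constructed model)."""
    whitelist: list                                 # networks that must never be blocked
    block_seconds: int = BLOCK_SECONDS
    blocks: dict = field(default_factory=dict)      # src ip -> expiry time
    audit: list = field(default_factory=list)       # (time, ip, action) for review

    def __post_init__(self):
        self.whitelist = [ipaddress.ip_network(n) for n in self.whitelist]

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def is_blocked(self, ip, now):
        return ip in self.blocks and self.blocks[ip] > now

    def expire(self, now):
        """Drop blocks whose period has elapsed; returns the released IPs."""
        released = [ip for ip, until in self.blocks.items() if until <= now]
        for ip in released:
            del self.blocks[ip]
        return released

    def on_alert(self, line, now):
        """Handle one alert line. The packet that fired the rule has already
        passed; all the blocker can do is stop follow-on traffic from its source."""
        self.expire(now)
        m = ALERT_RE.search(line)
        if m is None:
            self.audit.append((now, None, "unparsed"))
            return "unparsed"
        src = m.group("src")
        if self.is_whitelisted(src):
            # A spoofed alert naming one of our own servers must not take it offline.
            action = "skipped-whitelist"
        elif self.is_blocked(src, now):
            action = "already-blocked"
        else:
            self.blocks[src] = now + self.block_seconds
            action = "blocked"
        self.audit.append((now, src, action))
        return action


# Constructed alert lines in the shape of Snort's fast-alert output; the
# addresses are documentation ranges, not real hosts. Each tuple is
# (seconds since start, alert line).
SAMPLE_ALERTS = [
    (0, '06/02-09:10:00.000000 [**] [1:1000001:1] CONSTRUCTED exploit attempt [**] '
        '{TCP} 203.0.113.5:4444 -> 192.0.2.10:80'),
    # Source spoofed as the site's DNS server: blocking it would be self-inflicted DoS.
    (5, '06/02-09:10:05.000000 [**] [1:1000001:1] CONSTRUCTED exploit attempt [**] '
        '{UDP} 198.51.100.53:53 -> 192.0.2.10:33333'),
    # Follow-on attempt from the first host while its block is still active.
    (30, '06/02-09:10:30.000000 [**] [1:1000002:1] CONSTRUCTED follow-on probe [**] '
         '{TCP} 203.0.113.5:4445 -> 192.0.2.10:80'),
    # Arrives after the first block has expired.
    (700, '06/02-09:21:40.000000 [**] [1:1000001:1] CONSTRUCTED exploit attempt [**] '
          '{TCP} 203.0.113.9:5555 -> 192.0.2.11:22'),
]


def replay(alerts=SAMPLE_ALERTS, whitelist=("198.51.100.0/24", "192.0.2.0/24")):
    """Feed the alerts through a blocker; returns the blocker for inspection."""
    blocker = ReactiveBlocker(whitelist=list(whitelist))
    for now, line in alerts:
        blocker.on_alert(line, now)
    return blocker


if __name__ == "__main__":
    b = replay()
    for entry in b.audit:
        print(entry)
    print("active blocks:", b.blocks)
```

Running the replay gives an audit of blocked / skipped-whitelist / already-blocked / blocked, and after the fourth alert only 203.0.113.9 is still blocked because the first block lapsed at 600 seconds. The whitelist only narrows the spoofed-alert problem, exactly as the post says: any source not on it can still be blocked by a forged packet, so the list needs to cover at least the servers and gateways whose loss would hurt more than the attack.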