Alexandre DELAY wrote:
[ ...top-posting reformatted... ]
Don't you think that it would be a nice thing to be able to include such
"filters" from, for example, ethereal? Ethereal support more than 34k
different protocols. It woul be nice to be able to choose from those
filters and to apply some rules according to those filters.
You're talking about a reactive IDS. You can rig them up using scripts
which monitor logfiles, or something like /usr/ports/security/snort.
However, I prefer to use IDS for traffic I permit but want to monitor, not
traffic I already know I want to block.
Snort doesn't answer to such needs.
It is not able to analyze application protocols such as BEEP or Edonkey.
See: http://www.snort.org/docs/writing_rules/
filter application protocol based on ip/ports is not efficient. Some
application are able to work on almost any port.
Snort is a tool. It can be used to build an IDS and is well-suited for that
task, but it is not intended to entirely replace a firewall.
It is true that P2P application protocols are very adaptive and are able to
work via almost any port. However, they do not work through a properly
configured proxy using a "deny all" firewall in what is called a DMZ or
screened subnet firewall architecture.
If your network is set up for this correctly, internal machines on the LAN will
never be allowed to make external requests, at all (period); clients may even
run without a default route set and without the firewall having NAT enabled.
--
-Chuck
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
