Hello, I'm just working on a transparent IDS with real-time blocking capabilities based on a set of attack signatures.

To make it transparent I suggest a read of the Bridge HOWTOs. To make it possible for the packets to go through the kernel firewall chains, turn bridge firewalling on in your kernel config. If an attack signature is detected after the corresponding TCP connection was initiated on a production server, a TCP RST packet must be sent to the server with its IP source field equal to the IP of the attacker.

After finishing some lab tests, I intend to write a translator from Snort rules to the corresponding iptables rules. I've already made an almost real-time attack-blocking solution running on some ISPs here in Brazil. Although this is enough to protect against our newbies, it can be bypassed by experienced attackers.

Hope to walk beside (as in your signature :-)

--
Antonio

On Sat, Feb 23, 2002 at 03:00:42PM +0100, Darian Lanx wrote:
> From: Darian Lanx <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc: netfilter <[EMAIL PROTECTED]>
> Subject: transparent IDS, is it possible?
> Date: Sat, 23 Feb 2002 15:00:42 +0100
>
> Hello Listers.
>
> I was wondering how to implement a somewhat transparent IDS; our planned
> setup looks somewhat like this:
>
>
>            |uplink|
>            ||    ||
>      |firewall|----|replicate of firewall|
>             \        /
>              \      /
>              |IDS   |
>              |------|
>      Internal stuff here (ps those are routed IP,
>      production server etc)
>
> I was wondering if it is possible to implement an IDS behind the
> firewalls that is completely transparent to the traffic that passes
> through it. Now, as for the TTL value of packets, I can increment those
> values in the output with iptables, therefore that is not a problem; are
> there other things I will have to have a look at?
>
> What about bridging, would that be somewhat of a choice? Or, what about
> fast forwarding between interfaces, as mentioned in the Linux kernel
> compile options, or do the packets not traverse the stack then?
>
> The IDS will have 3 interfaces: 1 Gigabit interface and 2 100 Mbit
> interfaces, 1 for the uplink, 1 for the admin net and 1 gigabit link to
> a Cisco 3500 XL.
>
> I am grateful for _any_ ideas. Thank you!
>
> --
> Don't walk in front of me, I may not follow.
> Don't walk behind me, I may not lead.
> Just walk beside me and be my friend.
> ~ Albert Camus ~
>
