Re: OT: An Idea for an IDS
On Tue, Jul 01, 2003 at 04:42:05PM +0200, Lucio wrote:
> (..)
> Project Descriptive Name: Astu mdids
> Project UNIX Name: astu
> Project Description: Multiplatform distributed intrusion detection system

You are aware, of course, that you are re-inventing Prelude [1], right? (And that is only one of the distributed IDS systems currently available with a GPL license.)

Friendly,
Javi

[1] http://prelude-ids.org
Re: OT: An Idea for an IDS
All,

Thanks for the great response to this thread. I knew (at the time I posted) that such a tactic (if not properly implemented/configured) could lead to a denial of service attack, but I appreciate those who took the time to point that out for everyone.

-- 
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
Please send spam to [EMAIL PROTECTED] (added for email-address searching bots)
Do not send mail to the above address.
--
Excuse #61: Nesting roaches shorted out the ether cable
Re: OT: An Idea for an IDS
On Tue, Jul 01, 2003 at 06:39:51PM +0200, Thomas Ritter wrote:
> If you want to start your own project, you'll have to guarantee _you_ can always login. Also, with dynamic IPs those rules should be outdated after some time.

That's one of the key issues. Many attacks come from dial-up blocks, so blocking is only useful if done immediately and then removed after a short while. Otherwise you could soon end up with all of your local ISP's address space blocked out and find yourself unable to connect via your own DSL or cable modem :-)
Re: OT: An Idea for an IDS
On Tue, 01 Jul 2003 at 15:13:00 -0400, Matt Zimmerman wrote:
> On Tue, Jul 01, 2003 at 05:57:27PM +0200, Tomasz Papszun wrote:
> > On Mon, 30 Jun 2003 at 22:39:15 -0400, Matt Zimmerman wrote:
> > > Not really a good idea. Consider what happens when someone forges the IP addresses.
> >
> > One can predefine trusted or other very important IP addresses which cannot be blocked. In fact, such a utility exists and is present in Debian Woody: fwlogwatch.
>
> Which ones are important?

Everyone must decide it for himself :-) .

> For example, one could forge packets from millions of random IP addresses, popular web sites, etc. and easily DoS such a system.

Sure, I am aware of the cons of such a technique and I know that it's _very_ far from perfection. I wrote the previous message only because someone wondered about creating a similar utility, so I pointed to an already existing one :-) .

-- 
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros.
Re: OT: An Idea for an IDS
Greetings!

On Mon, 30 Jun 2003 18:38:33 -0400 Phillip Hofmeister [EMAIL PROTECTED] wrote:
> This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.

...which is the official license to shoot yourself in the foot. What happens if I send you a forged, suspicious packet with source IP equal to the IP address of your gateway router, your DNS server, your internal system(s), ...?

For this reason automated systems did not get much acceptance, as they were/are more of a hassle than useful. Today there are only very few systems left that still implement some automated IP-killing scheme.

Bye

Volker Tanger
Re: OT: An Idea for an IDS
On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.
>
> Are there any projects out there to do this right now. If not, is this a good idea? If it is who would be a person/group that would be qualified and have the time/interest to develop it.

Not really a good idea. Consider what happens when someone forges the IP addresses.

-- 
 - mdz
Re: OT: An Idea for an IDS
Hi,

There is an Intrusion Detection System (IDS) named Snort (http://www.snort.org). There you can log to syslog, database, tcpdump file, ... And there are some preprocessors which can block 'bad' traffic. Snort can do much more. Read the FAQ: http://www.snort.org/docs/FAQ.txt

Thomas Bechtold

On Tuesday 01 July 2003 00:38, Phillip Hofmeister wrote:
> Greets all,
>
> A previous post spawned an idea of mine. I am not sure if there is a project available for this or not. Here we go:
>
> A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.
>
> Are there any projects out there to do this right now. If not, is this a good idea? If it is who would be a person/group that would be qualified and have the time/interest to develop it.
>
> Just throwing out a random conscious thought,
>
> -- 
> Phillip Hofmeister
> PGP/GPG Key: http://www.zionlth.org/~plhofmei/
> wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
> --
> Excuse #202: That's easy to fix but I can't be bothered.
Re: OT: An Idea for an IDS
On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.

Google for "adaptive firewall", maybe you get some hits. I remember some guardian project, but it was conceptually not that convincing: some combination of snort and a perl script... Speaking of snort: wasn't there an option named "react: block"?

BTW, if you suck on syslog, anyone who is able to fake syslog entries (and that's about any local user, and maybe some more) can easily DoS arbitrary IPs unless these are on a whitelist... no good!

hth,
Lars Ellenberg
Re: OT: An Idea for an IDS
Check out psad, which is similar to what you want (and I use it)... You can see psad at http://www.cipherdyne.com/psad/, which is somehow related to Bastille Linux http://www.bastille-linux.org/. Or just apt-get install psad.

--jordan

On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> Greets all,
>
> A previous post spawned an idea of mine. I am not sure if there is a project available for this or not. Here we go:
>
> A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.
>
> Are there any projects out there to do this right now. If not, is this a good idea? If it is who would be a person/group that would be qualified and have the time/interest to develop it.
>
> Just throwing out a random conscious thought,
>
> -- 
> Phillip Hofmeister
> PGP/GPG Key: http://www.zionlth.org/~plhofmei/
> wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
> --
> Excuse #202: That's easy to fix but I can't be bothered.
Re: OT: An Idea for an IDS
On Tue, Jul 01, 2003 at 10:22:33AM +0200, Volker Tanger wrote:
> ...which is the official license to shoot yourself in the foot. What happens if I send you a forged, suspicious packet with source IP equal to the IP address of your gateway router, your DNS server, your internal system(s), ...

This is not necessarily a serious problem. In case of using Snort as an IDS you can make it send alerts only for established TCP sessions. You are right when you assume that a single IP packet with a spoofed source address makes your system go nuts. However, running snort with the option -z est does exactly this. It's very hard (if not nearly impossible) to spoof established TCP sessions.

I was already thinking about packaging guardian, which creates iptables/ipchains rules for every established connection which looks dangerous. Unfortunately the quality of the upstream package is currently 'garbage'.

In addition, any script doing such dynamic blocking of other hosts should be able to know which network is friend and which is foe. :)

Christoph
-- 
~
~
.signature [Modified] 3 lines --100%--3,41 All
Re: OT: An Idea for an IDS
Volker Tanger said:
> ...which is the official license to shoot yourself in the foot. What happens if I send you a forged, suspicious packet with source IP equal to the IP address of your gateway router, your DNS server, your internal system(s), ...

I think that if you implement some good whitelists, the problem does not exist. There's a plugin (or something like this) in snort that works in a similar way.

I don't know if someone is interested, but I started a new project of an mdids on Sourceforge. I posted the project proposal to Sourceforge:

Project Descriptive Name: Astu mdids
Project UNIX Name: astu
Project Description: Multiplatform distributed intrusion detection system
Registration Description: The project should be a distributed intrusion detection system. It should be composed of a central server which communicates securely with satellites on the perimeter of the LAN. The central server should administer all the sensors (changing firewall rules dynamically) and receive all the alerts, and manage them by filtering and sending them by mail, SMS, or print. The server itself is managed by a web interface. The perimeter sensors should at first be based on the snort engine, but the goal of the project is to provide a fully centralized system which can operate with various OSs and technologies (firewalls, etc.). It should be interesting to develop Windows sensors, which few IDSs implement, but which are important in a real multiplatform LAN.
License: GNU General Public License (GPL)

The project has been approved, and I have found lots of people interested in it. We're going to start it in the next few weeks... If you're interested please reply to me. I'm a Debian user, so it would be nice to develop it for deb.

Bye

PS: please forgive me if I am too OT

-- 
Lucius in fabula
--www.lucius.it--
Open PGP Key: www.lucius.it/lucius.asc
Re: OT: An Idea for an IDS
On Mon, 30 Jun 2003 at 22:39:15 -0400, Matt Zimmerman wrote:
> On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> > A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.
> >
> > Are there any projects out there to do this right now. If not, is this a good idea? If it is who would be a person/group that would be qualified and have the time/interest to develop it.
>
> Not really a good idea. Consider what happens when someone forges the IP addresses.

One can predefine trusted or other very important IP addresses which cannot be blocked. In fact, such a utility exists and is present in Debian Woody: fwlogwatch.

HTH
-- 
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros.
Re: OT: An Idea for an IDS
On Tuesday, 1 July 2003 04:39, Matt Zimmerman wrote:
> On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> > A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.
> >
> > Are there any projects out there to do this right now. If not, is this a good idea? If it is who would be a person/group that would be qualified and have the time/interest to develop it.
>
> Not really a good idea. Consider what happens when someone forges the IP addresses.

Unless you only apply this kind of rule based on traffic which implies a negotiation. If _there is_ a negotiation between the client and the server (they exchange SYN, ACKs and so on), then you do know that the source IP is one of:

a) The real client.

b) Another computer in their same LAN sniffing the traffic and generating the appropriate responses, a la Man In The Middle, in which case, hey, you lost service because another computer in your network was bugging me and I cut your traffic.

-- OR --

c) Someone in _your own LAN_ trying to fuck you, but no, wait, that can't happen, because then they would come from a different network interface and so you'd know the IP has been forged (you cannot have a request from 213.96.93.221 coming from your internal interface, as you cannot have one from 192.168.1.1 coming from the external one).

If I'm wrong, please tell me.

Regards

The Pope
-- 
Luis Gomez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]
PGP Public Key available at http://www.infoemergencias.com/lgomez.asc
Re: OT: An Idea for an IDS
Look at snort 2.0.0 [1]. It's an Intrusion Detection System. There's a preprocessor for Snort called 'Guardian' [2] to do things like you want. But read the other answers in this thread carefully!

Thomas Bechtold

[1] http://snort.org
[2] http://www.chaotic.org/guardian/

On Tuesday 01 July 2003 00:38, Phillip Hofmeister wrote:
> Greets all,
>
> A previous post spawned an idea of mine. I am not sure if there is a project available for this or not. Here we go:
>
> A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.
>
> Are there any projects out there to do this right now. If not, is this a good idea? If it is who would be a person/group that would be qualified and have the time/interest to develop it.
>
> Just throwing out a random conscious thought,
>
> -- 
> Phillip Hofmeister
> PGP/GPG Key: http://www.zionlth.org/~plhofmei/
> wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
> --
> Excuse #202: That's easy to fix but I can't be bothered.
Re: OT: An Idea for an IDS
> A daemon sits running in the background listening to a special device
> Are there any projects out there to do this right now. If not, is this a good idea? If it is who would be a person/group that would be qualified and have the time/interest to develop it.

Abacus Portsentry binds itself to ports and detects IP/UDP scans, and Hostsentry looks over login activity and issues countermeasures. Both can issue a wide range of (actually customizable) firewalling rules. I've been running portsentry for some years now and can say you definitely have to exclude some hosts (which is configurable), lowering the security effect. Hostsentry isn't too far developed, but both come in handy together with Abacus Logcheck. Portsentry and Logcheck are in sid, but (surely because of its experimental state) Hostsentry isn't. Also I have not seen progress with it during the last years, staying at version 0.2...

If you want to start your own project, you'll have to guarantee _you_ can always login. Also, with dynamic IPs those rules should be outdated after some time. Portsentry for example writes entries to /etc/hosts.deny, which you'll have to clean out for yourself. This is ugly.

But, with 2-3 XML parsers for config files defining patterns, actions and rules (pattern-action), you could build a rather easy to maintain threat reaction system in Perl with little effort. If you're interested in building one, I am...

Greetings,
-- 
Thomas Ritter
Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety. - Benjamin Franklin
Re: OT: An Idea for an IDS
At 22:39 on Jun 30, Matt Zimmerman shook the earth with:
> On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> > Are there any projects out there to do this right now. If not, is this a good idea? If it is who would be a person/group that would be qualified and have the time/interest to develop it.
>
> Not really a good idea. Consider what happens when someone forges the IP addresses.

You can combat some of this with a simple list of IP addresses/hostnames/networks that should never under any circumstances be blocked.

Another problem seems to be that script kiddies aren't always doing recon before they do an attack; it seems to be fairly common lately to just run a series of scripted attacks against a range of IPs (so if you are vulnerable, you could be exploited at the same time the IDS detects the attack, if it is detected). Just need to be sure that your IDS and signatures/detection scheme is up to date, and also possibly use a TCP reset when you do the block.

SnortSam does something just like this for commercial products and also iptables (among other packet filtering schemes); they do include the ability to timeout a block and to whitelist IPs. http://www.snortsam.net

-nicole
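Added example, not code from any project named in the thread: a minimal log-driven blocker that combines the safeguards the replies ask for, namely Luis's interface-consistency test for forged sources, the never-block list Nicole and Tomasz describe, a hit threshold so a single spoofed packet cannot trigger a block (Christoph's point), expiring blocks as Thomas Ritter and the dial-up reply want, and a cap on live blocks to bound Matt's flood of random sources. The netfilter LOG line layout, the network addresses, interface names and thresholds are assumptions of this example; it only records the iptables commands it would run.

```python
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Hypothetical network layout, an assumption of this example (not from the thread).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",       # loopback
    "192.168.1.0/24",    # internal LAN
    "203.0.113.1/32",    # gateway router
    "203.0.113.53/32",   # DNS server
)]
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
INTERNAL_IFACES = {"eth1"}
EXTERNAL_IFACES = {"eth0"}

# Fields we need from a netfilter LOG line ("IN=<iface> ... SRC=<ip> ... DPT=<port>").
LOG_RE = re.compile(r"IN=(?P<iface>\S*) .*?SRC=(?P<src>[0-9a-fA-F.:]+) .*?DPT=(?P<dpt>\d+)")


@dataclass
class LogBlocker:
    """Blocks a source only after `threshold` hits within `window` seconds,
    expires every block after `block_ttl` seconds and caps the number of live
    blocks, so that forged single packets cannot drive the ruleset."""
    threshold: int = 5
    window: float = 60.0
    block_ttl: float = 600.0
    max_blocks: int = 100
    hits: dict = field(default_factory=lambda: defaultdict(deque))
    blocks: dict = field(default_factory=dict)    # ip -> expiry timestamp
    commands: list = field(default_factory=list)  # iptables commands we would run

    def protected(self, ip):
        """Never-block list: gateway, DNS, own LAN, loopback."""
        return any(ip in net for net in NEVER_BLOCK)

    def forged(self, ip, iface):
        """An internal source on the external interface (or the reverse)
        cannot be genuine traffic, so it must never trigger a block."""
        internal = any(ip in net for net in INTERNAL_NETS)
        return (iface in EXTERNAL_IFACES and internal) or \
               (iface in INTERNAL_IFACES and not internal)

    def observe(self, line, now):
        """Feed one log line; returns the verdict taken for it."""
        m = LOG_RE.search(line)
        if not m:
            return "unparsed"
        try:
            ip = ipaddress.ip_address(m["src"])
        except ValueError:
            return "unparsed"
        if self.forged(ip, m["iface"]):
            return "forged"
        if self.protected(ip):
            return "protected"
        if ip in self.blocks:
            return "already-blocked"
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:    # drop hits outside the window
            q.popleft()
        if len(q) < self.threshold:
            return "counted"
        if len(self.blocks) >= self.max_blocks:  # bound the damage of a flood
            return "capped"
        self.blocks[ip] = now + self.block_ttl
        self.commands.append(f"iptables -I INPUT -s {ip} -j DROP")
        q.clear()
        return "blocked"

    def expire(self, now):
        """Remove blocks whose TTL has passed; returns the unblocked addresses."""
        gone = [ip for ip, exp in self.blocks.items() if exp <= now]
        for ip in gone:
            del self.blocks[ip]
            self.commands.append(f"iptables -D INPUT -s {ip} -j DROP")
        return gone


# Constructed sample log lines (not real traffic), replayed one second apart.
SAMPLE_LOG = [
    f"kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT={40000 + i} DPT=22 SYN"
    for i in range(5)                            # five SYNs to port 22 -> block
] + [
    "kernel: IN=eth0 OUT= SRC=203.0.113.1 DST=203.0.113.10 PROTO=TCP SPT=1 DPT=22 SYN",   # gateway as source
    "kernel: IN=eth0 OUT= SRC=192.168.1.10 DST=203.0.113.10 PROTO=TCP SPT=1 DPT=22 SYN",  # internal on eth0
    "kernel: IN=eth1 OUT= SRC=198.51.100.9 DST=192.168.1.1 PROTO=TCP SPT=1 DPT=22 SYN",   # external on eth1
]


def run(lines, start=0.0, step=1.0):
    """Replay lines `step` seconds apart; returns the blocker and its verdicts."""
    blocker = LogBlocker()
    verdicts = [blocker.observe(line, start + i * step) for i, line in enumerate(lines)]
    return blocker, verdicts


if __name__ == "__main__":
    blocker, verdicts = run(SAMPLE_LOG)
    for line, verdict in zip(SAMPLE_LOG, verdicts):
        print(f"{verdict:16} {line}")
    print("expired:", blocker.expire(700.0))
    print("\n".join(blocker.commands))
```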
Re: OT: An Idea for an IDS
On Tue, Jul 01, 2003 at 05:57:27PM +0200, Tomasz Papszun wrote:
> On Mon, 30 Jun 2003 at 22:39:15 -0400, Matt Zimmerman wrote:
> > Not really a good idea. Consider what happens when someone forges the IP addresses.
>
> One can predefine trusted or other very important IP addresses which cannot be blocked. In fact, such a utility exists and is present in Debian Woody: fwlogwatch.

Which ones are important? For example, one could forge packets from millions of random IP addresses, popular web sites, etc. and easily DoS such a system.

-- 
 - mdz
Re: OT: An Idea for an IDS
Greetings! On Mon, 30 Jun 2003 18:38:33 -0400 Phillip Hofmeister [EMAIL PROTECTED] wrote: This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address. ...which is the official license to shoot yourself into the foot. What happens if I send you a forged, suspicious packet with source-IP equal to the IP address of your gateway router, your DNS server, your internal system(s), ... Because of this reason automated systems did not get much acceptance as they were/are more a hassle than useful. Today there are only very few systems left that still implement some automated IP-killing scheme. Bye Volker Tanger --
Re: OT: An Idea for an IDS
On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote: A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address. Are there any projects out there to do this right now. If not, is this a good idea? If it is who would be a person/group that would be qualified and have the time/interest to develop it. Not really a good idea. Consider what happens when someone forges the IP addresses. -- - mdz
Re: OT: An Idea for an IDS
On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote: A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address. google for adaptive firewall, maybe you get some hits. I remember some guardian project; but it was conceptually not that convincing. some combination of snort and perl script... speaking of snort: wasn't there an option named react: block ? btw, if you suck on syslog, anyone who is able to fake syslog entries (and thats about any local user, and maybe some more), can easily DoS arbitrary ips unless these are on a whitelist... no good! hth, Lars Ellenberg
Re: OT: An Idea for an IDS
Check out psad, which is similar to what you want (and I use it)... You can see psad at http://www.cipherdyne.com/psad/, which is somehow related to Bastille Linux http://www.bastille-linux.org/. Or just apt-get install psad. --jordan On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote: Greets all, A previous post spawned an idea of mine. I am not sure if there is a project available for this or not. Here we go: A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address. Are there any projects out there to do this right now. If not, is this a good idea? If it is who would be a person/group that would be qualified and have the time/interest to develop it. Just throwing out a random conscious thought, -- Phillip Hofmeister PGP/GPG Key: http://www.zionlth.org/~plhofmei/ wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import -- Excuse #202: That's easy to fix but I can't be bothered. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: OT: An Idea for an IDS
On Tue, Jul 01, 2003 at 10:22:33AM +0200, Volker Tanger wrote: ...which is the official license to shoot yourself into the foot. What happens if I send you a forged, suspicious packet with source-IP equal to the IP address of your gateway router, your DNS server, your internal system(s), ... This is not necessarily a serious problem. In case of using Snort as an IDS you can make it send alerts only for established TCP sessions. You are right when you assume that a single IP packet with a spoofed source address makes your system go nuts. However running snort with options -z est does exactly this. It's very hard (if not hardly possible) to spoof established TCP sessions. I was already thinking about packaging guardian which creates iptables/ipchains rules for every established connection which looks dangerous. Unfortunately the quality of the upstream package is currently 'garbage'. In addition any script doing such dynamic blocking of other hosts should be able to know which network is friend and which is foe. :) Christoph -- ~ ~ .signature [Modified] 3 lines --100%--3,41 All
Re: OT: An Idea for an IDS
On Mon, 30 Jun 2003 at 22:39:15 -0400, Matt Zimmerman wrote: On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote: A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address. Are there any projects out there to do this right now. If not, is this a good idea? If it is who would be a person/group that would be qualified and have the time/interest to develop it. Not really a good idea. Consider what happens when someone forges the IP addresses. One can predefine trusted or other very important IP addresses which cannot be blocked. In fact, such an utility exists and is present in Debian Woody: fwlogwatch. HTH -- Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only [EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros.
Re: OT: An Idea for an IDS
On Martes, 1 de Julio de 2003 04:39, Matt Zimmerman wrote: On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote: A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address. Are there any projects out there to do this right now. If not, is this a good idea? If it is who would be a person/group that would be qualified and have the time/interest to develop it. Not really a good idea. Consider what happens when someone forges the IP addresses. Unless you only apply this kind of rule based on traffic which implies a negotiation. If _there is_ a negotiation between the client and the server (they exchange SYN, ACKs and so on), then you do know that the source IP is one of: a) The real client. b) Another computer in their same LAN sniffing the traffic and generating the appropiate responses, ala Man In The Middle, in which case, hey you lost service because another computer in your network was bugging me and I cut your traffic. -- OR -- c) Someone in _your own LAN_ trying to fuck you, but not, wait, that can't happen because then they would come from a different network interface and so you'd know the IP has been forged (you cannot have a petition from 213.96.93.221 coming from your internal interface, as you cannot have one from 192.168.1.1 coming from the external one). If I'm wrong, please tell me Regards The Pope -- Luis Gomez Miralles InfoEmergencias - Technical Department Phone (+34) 654 24 01 34 Fax (+34) 963 49 31 80 [EMAIL PROTECTED] PGP Public Key available at http://www.infoemergencias.com/lgomez.asc
Re: OT: An Idea for an IDS
Look snort 2.0.0 [1] It's an Intrusion Detection System. Theres an Preprozessor for Snort called 'Guardian'[2] to do things like you want. But read the other answers in this thread carefully! Thomas Bechtold [1] http://snort.org [2] http://www.chaotic.org/guardian/ On Tuesday 01 July 2003 00:38, Phillip Hofmeister wrote: Greets all, A previous post spawned an idea of mine. I am not sure if there is a project available for this or not. Here we go: A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address. Are there any projects out there to do this right now. If not, is this a good idea? If it is who would be a person/group that would be qualified and have the time/interest to develop it. Just throwing out a random conscious thought, -- Phillip Hofmeister PGP/GPG Key: http://www.zionlth.org/~plhofmei/ wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import -- Excuse #202: That's easy to fix but I can't be bothered.
Re: OT: An Idea for an IDS
> A daemon sits running in the background listening to a special device
> Are there any projects out there to do this right now? If not, is this a good idea? If it is, who would be a person/group that would be qualified and have the time/interest to develop it?

Abacus Portsentry binds itself to ports and detects IP/UDP scans, and Hostsentry looks over login activity and issues countermeasures. Both can issue a wide range of (actually customizable) firewalling rules. I've been running portsentry for some years now and can say you definitely have to exclude some hosts (which is configurable), lowering the security effect. Hostsentry isn't too far developed, but both come in handy together with Abacus Logcheck. Portsentry and Logcheck are in sid, but (surely because of its experimental state) Hostsentry isn't. Also I have not seen progress with it during the last years, staying at version 0.2...

If you want to start your own project, you'll have to guarantee _you_ can always log in. Also, with dynamic IPs those rules should be outdated after some time. Portsentry for example writes entries to /etc/hosts.deny, which you'll have to clean out for yourself. This is ugly. But with 2-3 XML parsers for config files defining patterns, actions and rules (pattern-action), you could build a rather easy to maintain threat reaction system in Perl with little effort. If you're interested in building one, I am...

Greetings,

--
Thomas Ritter

Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety. - Benjamin Franklin
Re: OT: An Idea for an IDS
At 22:39 on Jun 30, Matt Zimmerman shook the earth with:

> On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
>
> > Are there any projects out there to do this right now? If not, is this a good idea? If it is, who would be a person/group that would be qualified and have the time/interest to develop it?
>
> Not really a good idea. Consider what happens when someone forges the IP addresses.

You can combat some of this with a simple list of IP addresses/hostnames/networks that should never under any circumstances be blocked.

Another problem seems to be that script kiddies aren't always doing recon before they do an attack; it seems to be fairly common lately to just run a series of scripted attacks against a range of IPs (so if you are vulnerable, you could be exploited at the same time the IDS detects the attack, if it is detected). Just need to be sure that your IDS and signatures/detection scheme are up to date, and also possibly use a TCP reset when you do the block.

SnortSam does something just like this for commercial products and also iptables (among other packet filtering schemes); they do include the ability to time out a block and to whitelist IPs. http://www.snortsam.net

-nicole
Re: OT: An Idea for an IDS
On Tue, Jul 01, 2003 at 05:57:27PM +0200, Tomasz Papszun wrote:

> On Mon, 30 Jun 2003 at 22:39:15 -0400, Matt Zimmerman wrote:
>
> > Not really a good idea. Consider what happens when someone forges the IP addresses.
>
> One can predefine trusted or other very important IP addresses which cannot be blocked. In fact, such a utility exists and is present in Debian Woody: fwlogwatch.

Which ones are important? For example, one could forge packets from millions of random IP addresses, popular web sites, etc. and easily DoS such a system.

--
 - mdz
OT: An Idea for an IDS
Greets all,

A previous post spawned an idea of mine. I am not sure if there is a project available for this or not. Here we go:

A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expressions to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by, say, dropping an iptables rule down on the IP address.

Are there any projects out there to do this right now? If not, is this a good idea? If it is, who would be a person/group that would be qualified and have the time/interest to develop it?

Just throwing out a random conscious thought,

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #202: That's easy to fix but I can't be bothered.
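The daemon sketched in the post above, with the caveats the replies in this thread raise built in: only react to log events that imply a completed TCP session (a lone UDP packet or SYN can carry any source address, so acting on it hands an attacker a denial of service), keep a never-block list so you can always log in, let blocks expire because dynamic addresses move on, and keep the regex extraction (pattern) separate from the firewall action. This is an added example in Python rather than the Perl suggested in the thread; it is not code from the thread or from any of the tools named in it (portsentry, Guardian, SnortSam, fwlogwatch). The sample log lines, the trusted networks, the thresholds and the rule names are constructed for the example, and the engine returns the iptables commands it would run instead of executing them, so it can be dry-run offline.

```python
"""Log-driven blocker (added example, not code from this thread).

Matches syslog-style lines against pattern/action rules and decides whether
to block the extracted source address. Every address, line and threshold
here is constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical never-block list: your own LAN and admin hosts go here.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]

WINDOW_SECONDS = 60  # hits must fall inside this window to count together

# (name, regex with an 'ip' group, source-is-reliable, hits needed to block).
# sshd logs "Failed password" only after the TCP handshake and SSH key
# exchange, so that address really talked to us. A kernel note about a lone
# UDP packet proves nothing about its sender, so that rule may never block.
RULES = [
    ("ssh-auth-failure",
     re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+) port \d+"),
     True, 3),
    ("udp-scan",
     re.compile(r"kernel: portscan from (?P<ip>[\d.]+) to port \d+ udp"),
     False, 1),
]


def parse_ts(line):
    """Syslog timestamps carry no year; only relative ordering matters here."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


class Reactor:
    def __init__(self, block_seconds=600, trusted=TRUSTED_NETS):
        self.block_seconds = block_seconds
        self.trusted = trusted
        self.hits = defaultdict(list)  # (rule, ip) -> recent timestamps
        self.blocked = {}              # ip -> expiry time
        self.commands = []             # iptables commands we would run

    def is_trusted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.trusted)

    def expire(self, now):
        """Drop blocks whose lifetime has passed (the dynamic-IP point)."""
        for ip, until in list(self.blocked.items()):
            if now >= until:
                self.commands.append(f"iptables -D INPUT -s {ip} -j DROP")
                del self.blocked[ip]

    def block(self, ip, now):
        self.blocked[ip] = now + timedelta(seconds=self.block_seconds)
        # "-p tcp -j REJECT --reject-with tcp-reset" is the alternative if you
        # want the attacker's sessions torn down rather than silently dropped.
        self.commands.append(f"iptables -I INPUT -s {ip} -j DROP")

    def feed(self, line):
        """Classify one log line; returns (decision, rule, ip) or None."""
        now = parse_ts(line)
        self.expire(now)
        for name, rx, reliable, threshold in RULES:
            m = rx.search(line)
            if not m:
                continue
            ip = m.group("ip")
            if not reliable:
                return ("logged-only", name, ip)  # forgeable source: never act
            if self.is_trusted(ip):
                return ("trusted", name, ip)      # never lock yourself out
            if ip in self.blocked:
                return ("already-blocked", name, ip)
            recent = [t for t in self.hits[(name, ip)]
                      if (now - t).total_seconds() <= WINDOW_SECONDS]
            recent.append(now)
            self.hits[(name, ip)] = recent
            if len(recent) >= threshold:
                del self.hits[(name, ip)]
                self.block(ip, now)
                return ("blocked", name, ip)
            return ("counted", name, ip)
        return None


def run(log_text, reactor=None):
    """Feed every line to a Reactor; return (decisions, reactor)."""
    reactor = reactor or Reactor()
    decisions = [reactor.feed(l) for l in log_text.splitlines() if l.strip()]
    return decisions, reactor


# Constructed sample: a brute force from outside, the same noise from a
# trusted LAN host, forgeable UDP events, and a later line that lets the
# block expire. The two addresses are the ones used as examples upthread.
SAMPLE_LOG = """\
Jul  1 00:38:01 host sshd[1234]: Failed password for root from 213.96.93.221 port 40122 ssh2
Jul  1 00:38:03 host sshd[1234]: Failed password for root from 213.96.93.221 port 40123 ssh2
Jul  1 00:38:05 host sshd[1234]: Failed password for invalid user admin from 213.96.93.221 port 40124 ssh2
Jul  1 00:38:07 host sshd[1235]: Failed password for root from 192.168.1.1 port 5001 ssh2
Jul  1 00:38:08 host sshd[1235]: Failed password for root from 192.168.1.1 port 5002 ssh2
Jul  1 00:38:09 host sshd[1235]: Failed password for root from 192.168.1.1 port 5003 ssh2
Jul  1 00:38:10 host kernel: portscan from 66.77.88.99 to port 53 udp
Jul  1 00:38:11 host kernel: portscan from 66.77.88.99 to port 53 udp
Jul  1 00:50:00 host sshd[1240]: Accepted publickey for plh from 192.168.1.2 port 5010 ssh2
"""
```

Running `run(SAMPLE_LOG)` blocks 213.96.93.221 on its third failure, leaves 192.168.1.1 alone because it is on the trusted list, only records the UDP scan, and emits the matching `iptables -D` once the 00:50 line shows the ten-minute block has lapsed. Wiring the real thing up means reading lines from the syslog-ng destination (a pipe or program() destination) and passing each to `feed`, then handing `commands` to a privileged runner that has nothing else to do; anything that can write to the log is then an input to your firewall, which is the point the rest of this thread makes.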