Date: Wed, 25 Feb 2004 12:29:07 -0500 (EST)
From: Matthew George
To: Borja Marcos
cc: freebsd-security@freebsd.org
Subject: Re: improve ipfw rules

On Wed, 25 Feb 2004, Borja Marcos wrote:

> > It is my hope that someday someone will step in and implement a similar
> > system under FreeBSD. But I think it requires quite a lot of work and
> > possibly major rebuilding of ipfw if it needs to be integrated (which
> > would be great)
>
> ¿Perhaps Snort with Flexresp? It should be able to close a connection
> upon detection of a signature.

The difference is that Snort is still packet based. You'd need to have the
concept of data stream analysis in order to really implement an effective
application layer protocol analysis engine.

-- 
Matthew George
SecureWorks Technical Operations
404.327.6339
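
Added example, not part of the original message and not code from Snort or ipfw: a minimal comparison of per-packet signature matching with matching on the reassembled byte stream, the distinction the reply draws. The signature, the segments and all function names are constructed for illustration; sequence-number wraparound is not handled.

```python
"""Per-packet vs. stream-based signature matching on constructed data."""

SIGNATURE = b"FORBIDDEN-COMMAND"  # constructed placeholder pattern

# Constructed TCP segments of one flow, in arrival order: (seq, payload).
# The pattern straddles segment boundaries, one segment arrives out of
# order, and one is retransmitted.
SEGMENTS = [
    (1000, b"USER test\r\nFORBID"),
    (1024, b"MAND arg\r\n"),
    (1017, b"DEN-COM"),
    (1017, b"DEN-COM"),
]


def match_per_packet(segments, signature):
    """Packet-based check: every payload is inspected in isolation."""
    return any(signature in payload for _, payload in segments)


def reassemble(segments, initial_seq):
    """Rebuild the contiguous byte stream that starts at initial_seq.

    Assumed policy: on overlap, bytes already placed are kept; data that
    lies beyond a gap is held back, since the receiver has not seen it
    as part of the stream yet.
    """
    stream = bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        offset = seq - initial_seq
        if offset > len(stream):
            break  # gap in the stream: stop at the last contiguous byte
        stream += payload[len(stream) - offset:]  # skip bytes already seen
    return bytes(stream)


def match_stream(segments, signature, initial_seq):
    """Stream-based check: the signature is searched in reassembled data."""
    return signature in reassemble(segments, initial_seq)


if __name__ == "__main__":
    print("per-packet match:", match_per_packet(SEGMENTS, SIGNATURE))
    print("stream match:    ", match_stream(SEGMENTS, SIGNATURE, 1000))
```

The per-packet check reports no match on this flow while the stream check does, because no single payload contains the whole pattern.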