Date: Sun, 16 Sep 2001 01:47:42 +0200 From: "Karsten W. Rohrbach" <karsten@rohrbach.de> To: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl> Cc: D J Hawkey Jr <hawkeyd@visi.com>, security at FreeBSD <freebsd-security@FreeBSD.ORG> Subject: Dynamic Firewall/IDS System, Was: portsentry's stealth mode - works under fBSD with ipf? Message-ID: <20010916014742.F63605@mail.webmonster.de> In-Reply-To: <Pine.BSF.4.21.0109151556550.386-100000@lhotse.zaraska.dhs.org>; from kzaraska@student.uci.agh.edu.pl on Sat, Sep 15, 2001 at 04:16:26PM %2B0200 References: <20010915080246.A67204@sheol.localdomain> <Pine.BSF.4.21.0109151556550.386-100000@lhotse.zaraska.dhs.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--7cm2iqirTL37Ot+N Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Krzysztof Zaraska(kzaraska@student.uci.agh.edu.pl)@2001.09.15 16:16:26 +000= 0: > On Sat, 15 Sep 2001, D J Hawkey Jr wrote: [...] > > By way of further explanation, the cron'd script analyzes the read in > > log entries for blocked source IPs that either hit on the box a smallish > > number of times, each hit within a defined frequency (port scans and DOS > > attempts), or hit on the box at all a larger number of times (for more > > general idiocies). > There's an add-on for snort, called Guardian that reads the alert log file > in tail -f style (every 1 second IIRC) and updates firewall ruleset. I'm > not sure if it supports ipf right now but should be easily hackable (it's > a Perl script).=20 >=20 > Personally, I'd rather use snort than portsentry since this is a more > flexible and powerful solution. And it can detect "stealth" port > scans under FreeBSD (verified personally). Basing on your description I > think it would suit your needs. See http://www.snort.org/ who else, besides me, would be interested in having a dynamic system for blocking/ratelimiting based on ids or packetfilter output and the like? i am not talking perl here, rather implementing a native p2p or client server framework which does this, including crypted communications and policy based remote firewall configuration (perhaps ipfilter as proof-of-concept basis). it should run realtime (not cron or whatever=20 exec() based scheduler) as a native event handler. it should be modular in design, to be able to add input and output handlers and to have a good choice of logging/alerting features. i already got lots of ideas for it, but haven't gotten around to=20 implement something yet, and after a long time of being a quite passive=20 member of the *bsd community, this would be an interesting project i=20 would like to contribute design, ideas and code and more. tell me if you are interested in developing such a thing from scratch, together, and include a short description of your skills, programming languages and os platform you're on, if you like. /k --=20 > Nuclear war can ruin your whole compile. --Karl Lehenbauer KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.n= et/ karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 B= F46 Please do not remove my address from To: and Cc: fields in mailing lists. 1= 0x --7cm2iqirTL37Ot+N Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7o+idM0BPTilkv0YRAnSzAJ4vB3Ch12rZrCO0NMLkBPWqfJwpQACdHHuI pNa1n+rErvIOo8R3tdU2Cwo= =t4ol -----END PGP SIGNATURE----- --7cm2iqirTL37Ot+N-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010916014742.F63605>