From owner-freebsd-security  Sat Sep 15 18:48:06 2001
Delivered-To: freebsd-security@freebsd.org
Received: from brea.mc.mpls.visi.com (brea.mc.mpls.visi.com [208.42.156.100])
	by hub.freebsd.org (Postfix) with ESMTP id 7456637B40C
	for ; Sat, 15 Sep 2001 18:48:01 -0700 (PDT)
Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193])
	by brea.mc.mpls.visi.com (Postfix) with ESMTP id 71ABB2DDDF5;
	Sat, 15 Sep 2001 20:48:00 -0500 (CDT)
Received: (from hawkeyd@localhost)
	by sheol.localdomain (8.11.1/8.11.1) id f8G1lvw70246;
	Sat, 15 Sep 2001 20:47:57 -0500 (CDT)
	(envelope-from hawkeyd)
Date: Sat, 15 Sep 2001 20:47:57 -0500
From: D J Hawkey Jr
To: "Karsten W. Rohrbach" , Krzysztof Zaraska , security at FreeBSD
Subject: Re: Dynamic Firewall/IDS System, Was: portsentry's stealth mode - works under fBSD with ipf?
Message-ID: <20010915204756.A70057@sheol.localdomain>
Reply-To: hawkeyd@visi.com
References: <20010915080246.A67204@sheol.localdomain> <20010916014742.F63605@mail.webmonster.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010916014742.F63605@mail.webmonster.de>; from karsten@rohrbach.de on Sun, Sep 16, 2001 at 01:47:42AM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sep 16, at 01:47 AM, Karsten W. Rohrbach wrote:
> 
> Krzysztof Zaraska(kzaraska@student.uci.agh.edu.pl)@2001.09.15 16:16:26 +0000:
> > On Sat, 15 Sep 2001, D J Hawkey Jr wrote:
> [...]
> > > By way of further explanation, the cron'd script analyzes the read-in
> > > log entries for blocked source IPs that either hit on the box a smallish
> > > number of times, each hit within a defined frequency (port scans and DOS
> > > attempts), or hit on the box at all a larger number of times (for more
> > > general idiocies).
> > There's an add-on for snort, called Guardian, that reads the alert log file
> > in tail -f style (every 1 second IIRC) and updates the firewall ruleset. I'm
> > not sure if it supports ipf right now but should be easily hackable (it's
> > a Perl script).
> > 
> > Personally, I'd rather use snort than portsentry since this is a more
> > flexible and powerful solution. And it can detect "stealth" port
> > scans under FreeBSD (verified personally). Based on your description I
> > think it would suit your needs. See http://www.snort.org/
> 
> who else, besides me, would be interested in having a dynamic system for
> blocking/ratelimiting based on ids or packetfilter output and the like?

Well. I am, obviously.

> i am not talking perl here, rather implementing a native p2p or client
> server framework which does this, including crypted communications and
> policy based remote firewall configuration (perhaps ipfilter as
> proof-of-concept basis). it should run realtime (not cron or whatever
> exec() based scheduler) as a native event handler. it should be modular
> in design, to be able to add input and output handlers and to have a
> good choice of logging/alerting features.

FreeBSD already has dummynet for rate limiting, and two firewall
technologies. The encryption stuff seems disjointed. That seems like
another topic altogether.

> i already got lots of ideas for it, but haven't gotten around to
> implement something yet, and after a long time of being a quite passive
> member of the *bsd community, this would be an interesting project i
> would like to contribute design, ideas and code and more.

My first post was a simple Q to see if all of portsentry's features were
available on FreeBSD (the answer appears to be "No."). Krzysztof snipped
off the last sentence of that post, where I thought about putting my
script's logic into portsentry, or maybe even ipmon. What I currently
have is a working proof-of-concept for what I want.

I browsed the source to ipmon today, and there's ample room for me to
hack at it. Yes, I need userland.

> tell me if you are interested in developing such a thing from scratch,
> together...

I don't think this is necessary. It seems, to me anyway, redundant to
existing technologies. Does any OS need three firewalls in its base?

All I want is what I've got proven, but to move it into a daemon for
something more realtime; I've got it down to 2-minute intervals via
cron, but that's not frequent enough, and draws too many resources for
what it does at that interval.

Myself, I think I'll decline active participation in such a project.
I've got a pretty well-defined criteria, and it's small. With this, my
needs will be met. I can daemonize it over a weekend.

Besides, aren't you [basically] describing snort?

> ...and include a short description of your skills, programming
> languages and os platform you're on, if you like.

P/A and Systems Admin by profession. C, shell, awk, sed, m4. FreeBSD,
QNX, Linux, and a little Solaris. X11R5/6.

> /k

Let me know how and where things go, though,

Dave

-- 
It took the computing power of three C-64s to fly to the Moon.
It takes an 800MHz P3 to run Windows XP. Something is wrong here.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message