Date: Thu, 26 Feb 2004 11:35:37 -0500 (EST)
From: Matthew George <mdg@secureworks.net>
To: Dorin H <bj93542@yahoo.com>
Cc: freebsd-security@freebsd.org
Subject: Re: improve ipfw rules
Message-ID: <20040226112647.A28880@localhost>
In-Reply-To: <20040226040210.25663.qmail@web12609.mail.yahoo.com>
References: <20040226040210.25663.qmail@web12609.mail.yahoo.com>
On Wed, 25 Feb 2004, Dorin H wrote:

> Snort http plugin does "application-level" stream analysis, AFAIK. Why
> could you not design a similar plugin, or just some well written rules?
> (just 2c) Use snortsam to alert the firewall (FBSD ipf for example) to
> block the traffic, and keep the fw free of stateful traffic analysis as
> much as possible. For the sake of performance.
>
> BTW, does anyone know if snortsam works with ipfw?
>
> /Dorin.

There were patches released some time ago that abstracted packet acquisition so that you could put snort inline via divert (or netfilter in linux), so you could block the first packet and not have to inject firewall rules.

As far as the application-level stream analysis, what I was referring to was something that would be smart enough to detect, for example, services running on non-standard ports based on the application protocol they are using, then filter based on the appropriate rules for that service. You can write snort rules for specific ports, but it would be better to have an HTTP set that gets applied once it has been identified that HTTP is the protocol in question. The same can then be used to do p2p or any other application filtering.

--
Matthew George
SecureWorks Technical Operations
404.327.6339
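The idea in the message above, identifying the application protocol from stream content rather than the destination port and then applying that protocol's rule set, is sketched below as an added illustration. It is not Snort code, not snortsam, and not anything from the thread: the content fingerprints, the per-protocol rule sets, the `Flow` record and the sample flows are all constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass
class Flow:
    """Minimal stand-in for a reassembled TCP stream (constructed for this example)."""
    src: str
    dst: str
    dport: int
    payload: bytes  # first client-to-server payload of the stream


# Content fingerprints used instead of port numbers (hypothetical, not Snort's).
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n"
)
SSH_BANNER = re.compile(rb"^SSH-[12]\.\d+-")

HTTP_STANDARD_PORTS = {80, 8080}
SSH_STANDARD_PORTS = {22}


def identify_protocol(payload: bytes) -> str:
    """Classify the stream by what the client actually sends, ignoring dport."""
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    if SSH_BANNER.match(payload):
        return "ssh"
    return "unknown"


def http_rules(flow: Flow) -> list:
    """HTTP rule set: applied whenever the content says HTTP, on any port."""
    alerts = []
    uri = HTTP_REQUEST_LINE.match(flow.payload).group(2)
    if flow.dport not in HTTP_STANDARD_PORTS:
        alerts.append(f"http on non-standard port {flow.dport}")
    if b"../" in uri or b"%2e%2e" in uri.lower():
        alerts.append("directory traversal pattern in URI")
    return alerts


def ssh_rules(flow: Flow) -> list:
    """SSH rule set, likewise selected by banner rather than by port."""
    alerts = []
    if flow.dport not in SSH_STANDARD_PORTS:
        alerts.append(f"ssh on non-standard port {flow.dport}")
    if flow.payload.startswith(b"SSH-1."):
        alerts.append("legacy SSH protocol 1 banner")
    return alerts


# Dispatch table: protocol name -> rule set to run once the protocol is known.
RULESETS = {"http": http_rules, "ssh": ssh_rules}


def inspect(flow: Flow):
    """Return (identified protocol, alerts raised by that protocol's rule set)."""
    proto = identify_protocol(flow.payload)
    rules = RULESETS.get(proto)
    return proto, (rules(flow) if rules else [])


# Constructed sample streams: HTTP on 8000, SSH on 2222, and a TLS hello on 80.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.80", 8000,
         b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\nHost: x\r\n\r\n"),
    Flow("10.0.0.6", "10.0.0.22", 2222, b"SSH-2.0-OpenSSH_3.7\r\n"),
    Flow("10.0.0.7", "10.0.0.80", 80, b"\x16\x03\x01\x00\x2f\x01"),
]


def run(flows=SAMPLE_FLOWS):
    """Inspect every flow; used by the self-test and the demo below."""
    return [inspect(f) for f in flows]


if __name__ == "__main__":
    for flow, (proto, alerts) in zip(SAMPLE_FLOWS, run()):
        print(f"{flow.src}->{flow.dst}:{flow.dport} {proto} {alerts}")
```

The point of the dispatch table is that adding a rule set for another protocol (p2p, say) means adding one fingerprint and one entry, and nothing in the rule set itself has to know which port the traffic arrived on. A real sensor would classify on more than the first payload and would need to handle streams where the identifying bytes are split across segments.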