Date:      Sat, 15 Sep 2001 20:47:57 -0500
From:      D J Hawkey Jr <hawkeyd@visi.com>
To:        "Karsten W. Rohrbach" <karsten@rohrbach.de>, Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>, security at FreeBSD <freebsd-security@FreeBSD.ORG>
Subject:   Re: Dynamic Firewall/IDS System, Was: portsentry's stealth mode - works under fBSD with ipf?
Message-ID:  <20010915204756.A70057@sheol.localdomain>
In-Reply-To: <20010916014742.F63605@mail.webmonster.de>; from karsten@rohrbach.de on Sun, Sep 16, 2001 at 01:47:42AM +0200
References:  <20010915080246.A67204@sheol.localdomain> <Pine.BSF.4.21.0109151556550.386-100000@lhotse.zaraska.dhs.org> <20010916014742.F63605@mail.webmonster.de>

On Sep 16, at 01:47 AM, Karsten W. Rohrbach wrote:
> 
> Krzysztof Zaraska(kzaraska@student.uci.agh.edu.pl)@2001.09.15 16:16:26 +0000:
> > On Sat, 15 Sep 2001, D J Hawkey Jr wrote:
> [...]
> > > By way of further explanation, the cron'd script analyzes the read-in
> > > log entries for blocked source IPs that either hit on the box a smallish
> > > number of times, each hit within a defined frequency (port scans and DoS
> > > attempts), or hit on the box at all a larger number of times (for more
> > > general idiocies).
> > There's an add-on for snort, called Guardian that reads the alert log file
> > in tail -f style (every 1 second IIRC) and updates firewall ruleset. I'm
> > not sure if it supports ipf right now but should be easily hackable (it's
> > a Perl script). 
> > 
> > Personally, I'd rather use snort than portsentry since this is a more
> > flexible and powerful solution. And it can detect "stealth" port
> > scans under FreeBSD (verified personally). Based on your description I
> > think it would suit your needs. See http://www.snort.org/
> 
> who else, besides me, would be interested in having a dynamic system for
> blocking/ratelimiting based on ids or packetfilter output and the like?

Well. I am, obviously.

> i am not talking perl here, rather implementing a native p2p or client
> server framework which does this, including crypted communications and
> policy based remote firewall configuration (perhaps ipfilter as
> proof-of-concept basis). it should run realtime (not cron or whatever 
> exec() based scheduler) as a native event handler. it should be modular
> in design, to be able to add input and output handlers and to have a
> good choice of logging/alerting features.

FreeBSD already has dummynet for rate limiting, and two firewall
technologies.

The encryption stuff seems disjointed. That seems like another topic
altogether.

> i already got lots of ideas for it, but haven't gotten around to 
> implement something yet, and after a long time of being a quite passive 
> member of the *bsd community, this would be an interesting project i 
> would like to contribute design, ideas and code and more.

My first post was a simple Q to see if all of portsentry's features were
available on FreeBSD (the answer appears to be "No.").

Krzysztof snipped off the last sentence of that post, where I thought
about putting my script's logic into portsentry, or maybe even ipmon.

What I currently have is a working proof-of-concept for what I want. I
browsed the source to ipmon today, and there's ample room for me to hack
at it. Yes, I need userland.

> tell me if you are interested in developing such a thing from scratch,
> together...

I don't think this is necessary. It seems, to me anyway, redundant to
existing technologies. Does any OS need three firewalls in its base?

All I want is what I've got proven, but to move it into a daemon for
something more realtime; I've got it down to 2-minute intervals via cron,
but that's not frequent enough, and draws too many resources for what
it does at that interval.

Myself, I think I'll decline active participation in such a project.
I've got a pretty well-defined criterion, and it's small. With this, my
needs will be met. I can daemonize it over a weekend.

Besides, aren't you [basically] describing snort?

> ...and include a short description of your skills, programming
> languages and os platform you're on, if you like.

P/A and Systems Admin by profession. C, shell, awk, sed, m4. FreeBSD, QNX,
Linux, and a little Solaris. X11R5/6.

> /k

Let me know how and where things go, though,
Dave

-- 

It took the computing power of three C-64s to fly to the Moon.
It takes an 800MHz P3 to run Windows XP. Something is wrong here.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
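The two-threshold logic Dave describes above (a small number of blocked hits inside a short window for scans and DoS attempts, or a large number of hits overall for persistent noise), followed by emitting firewall rules from the result, as an added example. This is not the author's script and not ipmon or portsentry code: the log line format is an assumption loosely modelled on ipmon(8) output (a "b" action for blocked packets, "p" for passed), the sample lines are constructed, and the thresholds are illustrative defaults. The allowlist guards against the classic failure mode of log-driven blocking, where spoofed source addresses trick the blocker into cutting off hosts you depend on.

```python
"""Threshold-based offender detection over packet-filter log lines (added example).

Not the author's script. The log format is an assumption loosely modelled on
ipmon(8) output; SAMPLE_LOG below is constructed, not captured from a system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed line shape:
# "DD/MM/YYYY HH:MM:SS.uuuuuu iface @grp:rule ACTION src,sport -> dst,dport PR proto ..."
# where ACTION is "b" (blocked) or "p" (passed).
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2})\.\d+ \S+ @\d+:\d+ "
    r"(?P<action>[bp]) (?P<src>[0-9.]+),\d+ -> (?P<dst>[0-9.]+),(?P<dport>\d+) PR (?P<proto>\S+)"
)

def parse_line(line):
    """Return (timestamp, action, src_ip, dst_port), or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["date"] + " " + m["time"], "%d/%m/%Y %H:%M:%S")
    return ts, m["action"], m["src"], int(m["dport"])

def find_offenders(lines, burst_count=5, burst_window=timedelta(seconds=10),
                   volume_count=20, allowlist=("127.0.0.0/8",)):
    """Map offending source IP -> reason ("burst" or "volume").

    burst:  >= burst_count blocked hits inside any burst_window (scan / DoS style)
    volume: >= volume_count blocked hits in the whole input (persistent noise)
    Sources inside allowlist networks are never reported: a log-driven blocker
    can otherwise be turned against you with spoofed source addresses.
    """
    nets = [ip_network(n) for n in allowlist]
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "b":      # only blocked packets count
            continue
        ts, _, src, _ = parsed
        if any(ip_address(src) in n for n in nets):
            continue
        hits[src].append(ts)

    offenders = {}
    for src, stamps in hits.items():
        stamps.sort()
        j = 0
        burst = False
        for i, t in enumerate(stamps):
            while t - stamps[j] > burst_window:      # slide the window start forward
                j += 1
            if i - j + 1 >= burst_count:
                burst = True
                break
        if burst:
            offenders[src] = "burst"
        elif len(stamps) >= volume_count:
            offenders[src] = "volume"
    return offenders

def ipf_block_rules(offenders):
    """Render one ipf rule per offender; sorted so repeated runs give stable output."""
    return ["block in quick from %s to any" % ip for ip in sorted(offenders)]

def _mk(ts, action, src, dst="192.0.2.1", dport=22):
    """Build one constructed log line in the assumed format."""
    return "%s xl0 @0:3 %s %s,40001 -> %s,%d PR tcp len 20 60 -S IN" % (
        ts.strftime("%d/%m/%Y %H:%M:%S.000000"), action, src, dst, dport)

T0 = datetime(2001, 9, 15, 20, 40, 0)
SAMPLE_LOG = (
    # scanner: six blocked hits in six seconds -> burst
    [_mk(T0 + timedelta(seconds=s), "b", "10.1.1.5", dport=20 + s) for s in range(6)]
    # slow, persistent source: 25 hits, one every five minutes -> volume, no burst
    + [_mk(T0 + timedelta(minutes=5 * k), "b", "10.2.2.7") for k in range(25)]
    # benign host: three blocked plus three passed; passed packets must not count
    + [_mk(T0 + timedelta(seconds=s), "b" if s % 2 else "p", "10.3.3.3") for s in range(6)]
    # allowlisted host hammering us: ignored regardless of rate
    + [_mk(T0 + timedelta(seconds=s), "b", "127.0.0.1") for s in range(8)]
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for rule in ipf_block_rules(find_offenders(SAMPLE_LOG)):
        print(rule)
```

Run as a script it prints two ipf rules, one for the scanner and one for the slow persistent source; the benign host and the allowlisted address produce nothing. A cron or daemon wrapper would feed it the lines logged since the previous run and append the rules to the active ruleset, and the allowlist is the place to put the gateway, DNS servers and anything else a spoofing attacker would most enjoy seeing you block.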

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010915204756.A70057>