Date:      Mon, 17 Sep 2001 16:39:40 +0400
From:      ark@eltex.ru
To:        karsten@rohrbach.de
Cc:        defender-devel@listsrv.webmonster.de, freebsd-security@FreeBSD.ORG
Subject:   Re: Dynamic Firewall/IDS System
Message-ID:  <200109171239.QAA26001@paranoid.eltex.ru>


Ok, some thoughts about event handling software.

First, let me say I am definitely against any "super-duper-dynamic-countermeasures".
No policy change should happen without manual review and approval.
I am the person that controls my firewall directly, and there should be no
way of indirect control.

It sounds extremely cool, I know, but it is simply not worth the problems that
appear. I mean there are many known and even more as-yet-unknown ways to cause
'false positives' and DoS vital or just important things for you, and many ways
to obtain information bad guys need regardless of whether such a system is installed.

There are some other things to do, though. A small network gets tens of
security-related events daily; the number for a big one is thousands, which
is almost impossible to handle manually just by reading logs. But we have to.

Requirements for a tool that should be able to do the job are simple:

The thing should not be too complex: get the offender's IP address and some mnemonic
event type on the command line, and detailed info like log lines from stdin.
Then do a whois lookup and record the network owner and administrative contacts.
This is how we fill our database.

What can we do then? Retrieve useful information.

"Automatic mode": when an event occurs, send an _informative_ notification to the admin,
including:

all details for this event
last n similar or relevant events
last n events recorded for this host
last n events recorded for networks owned by the same organization

and a good template for a message to the abuse service

"Manual mode": any kind of information retrieval on demand.

Someone can even write a fancy (say, Tk ;) GUI for that to update the database,
keep track of abuse responses and tickets, and help you know whether you
really did perform any actions on this or that incident or you were just too
lazy that day.


Anyone willing to implement? I'm afraid I am too busy now to write code for
that thing :(
                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!
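The event-recording tool sketched in the message above (offender IP and event type on the command line, log lines on stdin, whois-derived owner stored alongside, then "last n events for this host" and "last n events for networks owned by the same organization" in the admin notification), as an added example that is not the author's or any project's code. It assumes a SQLite store, an on-disk file name events.db, and replaces the real whois lookup with a constructed prefix-to-owner table so it runs offline.

```python
import sqlite3, sys, time

# Constructed stand-in for the whois lookup described in the post: maps a
# network prefix to (owner, abuse contact). A real tool would query whois.
WHOIS_STUB = {"192.0.2.": ("Example Net A", "abuse@example-a.invalid"),
              "198.51.100.": ("Example Net B", "abuse@example-b.invalid")}

def whois(ip):
    """Return (owner, abuse_contact) for ip, or unknowns if no prefix matches."""
    for prefix, info in WHOIS_STUB.items():
        if ip.startswith(prefix):
            return info
    return ("unknown", "unknown")

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS events (ts INTEGER, ip TEXT, "
               "owner TEXT, contact TEXT, kind TEXT, detail TEXT)")
    return db

def record(db, ip, kind, detail, ts=None):
    """Store one event with the owner/contact resolved at record time."""
    owner, contact = whois(ip)
    db.execute("INSERT INTO events VALUES (?,?,?,?,?,?)",
               (ts or int(time.time()), ip, owner, contact, kind, detail))
    db.commit()

def last_for_host(db, ip, n=5):
    """Last n events for this exact address, newest first."""
    return db.execute("SELECT ts, kind, detail FROM events WHERE ip=? "
                      "ORDER BY ts DESC LIMIT ?", (ip, n)).fetchall()

def last_for_owner(db, ip, n=5):
    """Last n events from any address whose network has the same owner."""
    owner, _ = whois(ip)
    return db.execute("SELECT ts, ip, kind FROM events WHERE owner=? "
                      "ORDER BY ts DESC LIMIT ?", (owner, n)).fetchall()

def notification(db, ip, kind, detail, n=5):
    """Admin notification: event details, history, and an abuse-report template."""
    owner, contact = whois(ip)
    out = [f"Event {kind} from {ip} ({owner}): {detail}", f"Last {n} for host {ip}:"]
    out += [f"  {ts} {k}: {d}" for ts, k, d in last_for_host(db, ip, n)]
    out.append(f"Last {n} for networks owned by {owner}:")
    out += [f"  {ts} {i} {k}" for ts, i, k in last_for_owner(db, ip, n)]
    out.append(f"--- abuse template, to {contact} ---")
    out.append(f"Hello, we observed {kind} activity from {ip}. Log excerpt: {detail}")
    return "\n".join(out)

if __name__ == "__main__":  # usage: tool.py <offender-ip> <event-type> < loglines
    ip, kind, detail = sys.argv[1], sys.argv[2], sys.stdin.read().strip()
    db = open_db("events.db")  # assumed on-disk database name
    record(db, ip, kind, detail)
    print(notification(db, ip, kind, detail))
```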
