[Bro] Impact of going from IDS to IPS

James Lay jlay at slave-tothe-box.net
Fri Mar 7 10:14:27 PST 2014


On 2014-03-07 11:03, James Lay wrote:
> Gents,
>
> So after much work I've changed the IDS to IPS ONLY on the
> bpadslgateway for testing.  There are some pros and cons to this setup,
> so here we go.
>
> Reference again that the way the linux firewall works is with an INPUT
> and FORWARD table.  Packets destined FOR the linuxbox are the INPUT
> table, anything behind the firewall is FORWARD.  So, with this new
> method, we create a queue that says "send everything to snort first to
> see if we drop or not, then continue on".  I created a test rule:
>
> drop tcp 71.39.117.84 any -> any 80 (msg:"Test 80"; sid:10000053;)
>
> Which just says drop anything coming from me to http.  The results:
>
> 10:23:56 bpadslgateway  [1:10000053:0] Test 80 {TCP} 71.39.117.84:53922 -> 63.224.241.69:80
>
> And I was blocked...woo hoo!  In order to implement this, the last bit
> would be to change groups of alerts (betting all web server groups to
> start) from alerting to dropping.
>
> Now...the con of all this is that snort will now ONLY listen to what's
> coming in and out of the FORWARD table...so that means we won't see IDS
> alerts that actually hit the linuxbox, which, to be honest, isn't that
> big of a deal considering nothing is open to the outside world...at least
> on the DMZ node box.  I think we should take a look at what rulesets we
> may want to drop.
>
> Also, we can...whitelist if we need to from specific hosts and
> netblocks if needed...so they'll get through regardless.  Very exciting!
> I may give you gents a call around 5:30ish on the way to my in-laws to
> discuss.  Thanks gents!
>
>

Argh...please disregard...fast typing yet again :(

James
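The inline setup the quoted mail describes (iptables hands FORWARD traffic to Snort through an NFQUEUE, a test drop rule, whitelisted sources that bypass Snort, and bulk conversion of alert rules to drop rules), written out as an added example. This is not the poster's script or anything from the Bro project: the queue number, the snort.conf path, the whitelist addresses (constructed documentation ranges) and the Snort 2.9 nfq DAQ command line are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original mail: iptables/NFQUEUE rules for
# running Snort inline (IPS) on a Linux gateway, with a whitelist that bypasses
# Snort.  Assumptions (not from the mail): queue number 0, the snort.conf
# path, and the whitelist addresses, which are constructed example ranges.

QUEUE_NUM=0
SNORT_CONF=/etc/snort/snort.conf
WHITELIST="192.0.2.0/24 198.51.100.7"   # constructed example sources

# Emit the iptables commands instead of running them, so the ruleset can be
# reviewed (or diffed against the running one) before APPLY=1 executes it.
gen_rules() {
    # Whitelisted sources must be ACCEPTed in FORWARD *before* the NFQUEUE
    # rule: ACCEPT is a terminating target, so these packets never reach
    # Snort and get through regardless of its verdict.
    for src in $WHITELIST; do
        echo "iptables -A FORWARD -s $src -j ACCEPT"
    done
    # Everything else transiting the box (FORWARD chain) is handed to Snort.
    # Without --queue-bypass, packets are dropped while nothing is bound to
    # the queue, so a dead Snort fails closed rather than open.
    echo "iptables -A FORWARD -j NFQUEUE --queue-num $QUEUE_NUM"
}

# Optional: also inspect traffic addressed to the gateway itself.  The
# FORWARD-only ruleset above never sees the INPUT chain, which is the
# "con" the mail describes.
gen_input_rule() {
    echo "iptables -A INPUT -j NFQUEUE --queue-num $QUEUE_NUM"
}

# Snort 2.9.x inline command line: -Q selects inline mode, the nfq DAQ reads
# from the NFQUEUE number above and returns a verdict for every packet.
snort_inline_cmd() {
    echo "snort -Q --daq nfq --daq-var queue=$QUEUE_NUM -c $SNORT_CONF"
}

# Convert a rules file from alerting to dropping: only lines whose action is
# "alert" change, so commented-out rules and existing drop/pass rules are
# left alone.  Reads stdin, writes stdout.
alerts_to_drop() {
    sed -e 's/^alert /drop /'
}

# Dry run by default; APPLY=1 actually installs the FORWARD rules.
if [ "${APPLY:-0}" = 1 ]; then
    gen_rules | sh
fi
```

Run the script as-is to print the rules for review and `APPLY=1 sh script.sh` to install them; converting a ruleset is `alerts_to_drop < web-server.rules > web-server-drop.rules`. Rule order is the whole point of the whitelist: if the ACCEPT rules are appended after the NFQUEUE rule they are never reached, because NFQUEUE already took the packet.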
