[Bro] Impact of going from IDS to IPS

James Lay jlay at slave-tothe-box.net
Fri Mar 7 10:14:27 PST 2014

On 2014-03-07 11:03, James Lay wrote:
> Gents,
> So after much work I've changed the IDS to IPS ONLY on the bpadslgateway for testing. There are some pros and cons to this setup, so here we go.
> Reference again that the way the linux firewall works is with an INPUT and FORWARD table. Packets destined FOR the linuxbox are the INPUT table, anything behind the firewall are FORWARD. So, with this new method, we create a queue that says "send everything to snort first to see if we drop or not, then continue on". I created a test rule:
> drop tcp any any -> any 80 (msg:"Test 80"; sid:10000053;)
> Which just says drop anything coming from me to http. The results:
> 10:23:56 bpadslgateway [1:10000053:0] Test 80 {TCP} ->
> And I was blocked...woo hoo! In order to implement this, the last bit would be to change groups of alerts (betting all web server groups to start) from alerting to dropping.
> Now...the con of all this is that snort will now ONLY listen to what's coming in and out of the FORWARD table...so that means we won't see alerts that actually hit the linuxbox, which, to be honest, isn't that big of a deal considering nothing is open to the outside world..at least on the DMZ node box. I think we should take a look at what rulesets we may want to drop.
> Also, we can...whitelist if we need to from specific hosts and netblocks if needed..so they'll get through regardless. Very exciting!
> I may give you gents a call around 5:30ish on the way to my in-laws to discuss. Thanks gents!

Argh...please disregard...fast typing yet again :(
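The two follow-up steps the quoted message describes, flipping selected rule groups from `alert` to `drop` and letting whitelisted hosts or netblocks bypass the NFQUEUE hand-off to snort, as an added example that is not part of the original post. The sample ruleset and the netblocks are constructed; the iptables layout (ACCEPT before the NFQUEUE jump on FORWARD) is an assumption about how such a whitelist would be built, not something the post states.

```python
import re
import ipaddress

# Constructed sample ruleset (not from the post): two web-server rules, one
# unrelated DNS rule, and the post's own test rule. Plain Snort 2 rule text.
SAMPLE_RULES = """\
# web-server rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-SERVER test path"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-SERVER another"; sid:9000002; rev:1;)
alert udp any any -> any 53 (msg:"DNS something"; sid:9000003; rev:1;)
drop tcp any any -> any 80 (msg:"Test 80"; sid:10000053;)
"""

# Rule header action, the rest of the rule, and the msg option for grouping.
RULE_RE = re.compile(r'^(?P<action>alert|drop|pass|log)\s+(?P<rest>.*\(msg:"(?P<msg>[^"]*)".*)$')

def to_inline(rules_text, drop_prefixes):
    """Rewrite alert rules whose msg starts with one of drop_prefixes to drop.
    Comments, blank lines and rules already dropping are passed through."""
    out = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group("action") == "alert" and m.group("msg").startswith(tuple(drop_prefixes)):
            line = "drop " + m.group("rest")
        out.append(line)
    return "\n".join(out) + "\n"

def count_actions(rules_text):
    """Tally rule actions so the alert/drop split can be checked before deploying."""
    counts = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            counts[m.group("action")] = counts.get(m.group("action"), 0) + 1
    return counts

def whitelist_commands(netblocks, queue_num=0):
    """Assumed iptables layout: ACCEPT whitelisted sources first, then hand the
    remaining FORWARD traffic to snort via NFQUEUE. Only FORWARD is queued, so
    traffic to the linuxbox itself (INPUT) is not inspected, as the post notes."""
    cmds = []
    for nb in netblocks:
        net = ipaddress.ip_network(nb, strict=False)  # rejects malformed netblocks
        cmds.append(f"iptables -A FORWARD -s {net} -j ACCEPT")
    cmds.append(f"iptables -A FORWARD -j NFQUEUE --queue-num {queue_num}")
    return cmds

if __name__ == "__main__":
    print(to_inline(SAMPLE_RULES, ["WEB-SERVER"]))
    print("\n".join(whitelist_commands(["192.0.2.10", "198.51.100.0/24"])))
```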

