[Bro] Impact of going from IDS to IPS

James Lay jlay at slave-tothe-box.net
Fri Mar 7 10:03:25 PST 2014


Gents,

So after much work I've changed the IDS to IPS ONLY on the 
bpadslgateway for testing.  There are some pros and cons to this setup, 
so here we go.

Reference again that the way the linux firewall works is with an INPUT 
and FORWARD table.  Packets destined FOR the linuxbox are the INPUT 
table, anything behind the firewall are FORWARD.  So, with this new 
method, we create a queue that says "send everything to snort first to 
see if we drop or not, then continue on".  I created a test rule:

drop tcp 71.39.117.84 any -> any 80 (msg:"Test 80"; sid:10000053;)

Which just says drop anything coming from me to http.  The results:

10:23:56 bpadslgateway  [1:10000053:0] Test 80 {TCP} 71.39.117.84:53922 
-> 63.224.241.69:80

And I was blocked...woo hoo!  In order to implement this, the last bit 
would be to change groups of alerts (betting all web server groups to 
start) from alerting to dropping.

Now...the con of all this is that snort will now ONLY listen to what's 
coming in and out of the FORWARD table...so that means we won't see IDS 
alerts that actually hit the linuxbox, which, to be honest, isn't that 
big of a deal considering nothing is open to the outside world..at least 
on the DMZ node box.  I think we should take a look at what rulesets we 
may want to drop.

Also, we can...whitelist if we need to from specific hosts and 
netblocks if needed...so they'll get through regardless.  Very exciting!  
I may give you gents a call around 5:30ish on the way to my in-laws to 
discuss.  Thanks gents!

James



Here's the Snort list:

app-detect.rules
attack-responses.rules
backdoor.rules
bad-traffic.rules
blacklist.rules
botnet-cnc.rules
browser-chrome.rules
browser-firefox.rules
browser-ie.rules
browser-other.rules
browser-plugins.rules
browser-webkit.rules
chat.rules
content-replace.rules
ddos.rules
deleted.rules
dns.rules
dos.rules
experimental.rules
exploit-kit.rules
exploit.rules
file-executable.rules
file-flash.rules
file-identify.rules
file-image.rules
file-java.rules
file-multimedia.rules
file-office.rules
file-other.rules
file-pdf.rules
finger.rules
ftp.rules
icmp-info.rules
icmp.rules
imap.rules
indicator-compromise.rules
indicator-obfuscation.rules
indicator-scan.rules
indicator-shellcode.rules
info.rules
local.rules
malware-backdoor.rules
malware-cnc.rules
malware-other.rules
malware-tools.rules
misc.rules
multimedia.rules
mysql.rules
netbios.rules
nntp.rules
oracle.rules
os-linux.rules
os-mobile.rules
os-other.rules
os-solaris.rules
os-windows.rules
other-ids.rules
p2p.rules
phishing-spam.rules
policy-multimedia.rules
policy-other.rules
policy.rules
policy-social.rules
policy-spam.rules
pop2.rules
pop3.rules
protocol-dns.rules
protocol-finger.rules
protocol-ftp.rules
protocol-icmp.rules
protocol-imap.rules
protocol-nntp.rules
protocol-pop.rules
protocol-rpc.rules
protocol-scada.rules
protocol-services.rules
protocol-snmp.rules
protocol-telnet.rules
protocol-tftp.rules
protocol-voip.rules
pua-adware.rules
pua-other.rules
pua-p2p.rules
pua-toolbars.rules
rpc.rules
rservices.rules
scada.rules
scan.rules
server-apache.rules
server-iis.rules
server-mail.rules
server-mssql.rules
server-mysql.rules
server-oracle.rules
server-other.rules
server-samba.rules
server-webapp.rules
shellcode.rules
smtp.rules
snmp.rules
specific-threats.rules
spyware-put.rules
sql.rules
telnet.rules
tftp.rules
virus.rules
voip.rules
VRT-License.txt
web-activex.rules
web-attacks.rules
web-cgi.rules
web-client.rules
web-coldfusion.rules
web-frontpage.rules
web-iis.rules
web-misc.rules
web-php.rules
x11.rules

And the Emerging Threats rulesets:
emerging-activex.rules
emerging-attack_response.rules
emerging-botcc.portgrouped.rules
emerging-botcc.rules
emerging-chat.rules
emerging-ciarmy.rules
emerging-compromised.rules
emerging.conf
emerging-current_events.rules
emerging-deleted.rules
emerging-dns.rules
emerging-dos.rules
emerging-drop.rules
emerging-dshield.rules
emerging-exploit.rules
emerging-ftp.rules
emerging-games.rules
emerging-icmp_info.rules
emerging-icmp.rules
emerging-imap.rules
emerging-inappropriate.rules
emerging-info.rules
emerging-malware.rules
emerging-misc.rules
emerging-mobile_malware.rules
emerging-netbios.rules
emerging-p2p.rules
emerging-policy.rules
emerging-pop3.rules
emerging-rbn-malvertisers.rules
emerging-rbn.rules
emerging-rpc.rules
emerging-scada.rules
emerging-scan.rules
emerging-shellcode.rules
emerging-smtp.rules
emerging-snmp.rules
emerging-sql.rules
emerging-telnet.rules
emerging-tftp.rules
emerging-tor.rules
emerging-trojan.rules
emerging-user_agents.rules
emerging-voip.rules
emerging-web_client.rules
emerging-web_server.rules
emerging-web_specific_apps.rules
emerging-worm.rules
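
The netfilter side of the setup James describes (queue FORWARD to Snort, whitelist hosts and netblocks ahead of the queue so they pass regardless), as an added example that is not from the original mail or from Snort; the hosts, netblocks and queue number are constructed, and the script only prints the commands unless IPT=iptables is set and it is run as root:

```sh
#!/bin/sh
# Added example: emits (or, with IPT=iptables as root, applies) the netfilter rules
# that hand one chain's traffic to Snort inline via NFQUEUE. Whitelist ACCEPT rules
# are placed ahead of the queue rule so those hosts/netblocks bypass Snort's verdict.

IPT="${IPT:-echo iptables}"         # dry-run by default; set IPT=iptables to apply
QUEUE_NUM="${QUEUE_NUM:-0}"
WHITELIST="${WHITELIST:-192.0.2.10 203.0.113.0/24}"   # constructed sample values

# Emit the rules for one chain. The mail queues only FORWARD (traffic passing
# through the box); traffic addressed to the box itself lives in INPUT and never
# reaches Snort unless that chain is queued as well.
build_rules() {
    chain="$1"
    [ -n "$chain" ] || { echo "usage: build_rules CHAIN" >&2; return 1; }
    for net in $WHITELIST; do
        $IPT -A "$chain" -s "$net" -j ACCEPT
        $IPT -A "$chain" -d "$net" -j ACCEPT
    done
    # Everything else waits for Snort's verdict on the queue. --queue-bypass fails
    # open when no process is attached to the queue; omit it to fail closed
    # (nothing forwards while Snort is down).
    $IPT -A "$chain" -j NFQUEUE --queue-num "$QUEUE_NUM" --queue-bypass
}

# Count the ACCEPT rules that precede the NFQUEUE rule in a listing. All whitelist
# ACCEPTs must come first: once the queue rule matches, later rules never run.
accepts_before_queue() {
    printf '%s\n' "$1" | awk '/NFQUEUE/ {exit} /-j ACCEPT/ {n++} END {print n+0}'
}

# Snort side (printed, not executed): attach to the same queue in inline mode so
# that rules whose action is "drop", like the mail's "Test 80" rule, actually block.
snort_inline_cmd() {
    echo "snort -Q --daq nfq --daq-var queue=$QUEUE_NUM -c /etc/snort/snort.conf"
}

if [ "${1:-}" = "show" ]; then
    build_rules FORWARD
    snort_inline_cmd
fi
```

Run it as `sh queue.sh show` to review the generated commands before applying them.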
