Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: block connections in IPS

From: Geoff <gpoer () arizona edu>
Date: Thu, 02 Oct 2003 09:18:05 -0700
Hey Ravi,
        Well I have to disagree. Just cause I name my cat Dog doesn't make him a dog... just a confused cat :)

IPS or (Intrusion Prevention) does one thing that IDS (Intrusion Detection) does not, keeps the offending packet from 
reaching the destination.
An IDS that does active response will still allow the packet that trigger the alert to reach the destination (5-10 packets in our environment). While the connection may be torn down or one of the hosts blocked for some time period, the attack (if a one packet attack) was still attempted. 

An IPS, like hogwash has the option to drop the packet... meaning it never leaves the "other" interface and never reaches 
it's destination.
An in line IDS is just an IDS that does it's sniffing while living in the connection stream. However, it can do it's job just as easily from a span port or a tap. As far as FLEX-RESP is concerned (at least the reset portion) you will need to be running your span off a switch that is capable of receiving inbound packets on a monitoring (or span) interface. 

i.e. Cisco 6500 running cat OS can while a Cisco 6500 running Native IOS can not.

Living in-line will solve the Cisco span problem but that does not make it an IPS until it keeps that packet from 
reaching the destination.

Almost one cup in now :)

Geoff

Ravi Kumar wrote:

HI Geoff,

As far as I know I would say what a IPS is
IPS depends on the person who said it? Some people say it as IDS functionality to firewall while some says it next generation IDS. we can call the following as IPS , any device which has the capability of detecting the attacks and preventing these detects to succeed in causing damage.
- Inilne IDS : like snort_inline and hogwash, They sit inline ,takes each packet from the firewall ,process it against some signatures and decides whether to drop or alert or accept the packet. Hogwash also does the modification of the packet.
- Application based firewalls/IDS : These are nothing but layer 7 switches ,signature based. Placing them before firewall would help us blocking attacks before they reach the firewall itself. 

        - And there are hybrid switches, honeyd etc.,
Coming to my query snort_inline uses snort engine. But I agree snort_inline does not completely utilize all the snort preprocessors. So any point that is applicable to snort may be applicable to snort_inline also. 

Take a look at this comment,
" In our tests, snort (v 1.8.4 and beta v. 1.9.1) does not always kill the HTTP connection using the RST and/or ICMPs. In most of the cases connection is reset and sometimes it remains running and the file (dummy " cmd.exe" placed on Apache web server) is successfully downloaded. The possible explanation is that RST arrives too late for the connection to be reset since the response from server comes earlier with the right sequence number. The delayed RST is then discarded. Thus RST/ICMP is not a reliable security mechanism (exactly as claimed in the snort documentation)." -- Anton Chuvakin, Ph.D. 

So what could be the alternate way to effectively block the connections.

Regards,
Ravi.





At 10:41 PM 10/1/03 -0700, Geoff wrote:
I don't think you are correct on what an IPS is. A normal IDS can preform flex-response (in snort land) which send s resets. Active response features like ICMP error codes and shunning (applying dynamic acl's to routered interfaces or firewalls) are also enployed by different IDS vendors. IPS's work in a different fashion. 

They sit inline with your connection (or they are just an IDS).

                |---------------|
|---------|     |               |     |-----------|
| Border  |<--->|       IPS     |<--->|  Internal |
| Router  |     |               |     |  Router   |
|_________|     |_______________|     |___________|
Their is nothing that says on IDS can not sit inline as well however an IPS can ONLY sit in line and IDS can do both and still function. The difference is how far the packet goes after detection.
An IPS will drop the packet BEFORE it ever leaves the opposite interface from where it came in on. 
(X = Bad Packet)


                |----------------|
|---------|  X  |       X       |     |-----------|
| Border  |<--->|       IPS     |<--->|  Internal |
| Router  |     |(Packet Dropped)|     |  Router   |
|_________|     |________________|     |___________|
Some vendors will also write and ACL on the IN and OUT interfaces of the IPS for the source/destination IP and PORT pairs and block all traffic for a certain time (90 sec).
And IDS will send a reset of apply an acl but that is well after the packet has reached it destination. 

As far as false positives... that is a whole other email :)

Geoff

Ravi Kumar wrote:


Hi All,
IPS uses TCP Reset or ICMP to block connections. The drawback with this approach could be unsuccessful ness in resetting the connection. Do IPS have any other mechanism to block connections. 
Snort_inline uses TCP reset and ICMP error messages.
The other approach currently followed by some products is to configure policies automagically in the firewall to block particular connections. This may lead to many false positives. Is there any mechanism to reduce false positives and effectively block connections. 
Regards,
Ravi
The Views Presented in this mail are completely mine. The company is not responsible for what so ever. 
----------
Ravi Kumar CH
Rendezvous On Chip (I) Pvt Ltd
Hyderabad, INDIA
ROC HOME PAGE:
http://www.roc.co.in


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
The Views Presented in this mail are completely mine. The company is not responsible for what so ever. 

----------
Ravi Kumar CH
Rendezvous On Chip (I) Pvt Ltd
Hyderabad, INDIA

ROC HOME PAGE:
http://www.roc.co.in




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: