Snort 2.9.4.6 pkg v2.6.1

A Former User

@Supermule:

:D

(my only comment to this)

Others buy flowers to apologize, others smile. As I said, I already accepted your apology.
No harm done, I just hope we all learned something new today :D

demco

jflsakfja:
Thanks for the detailed explanation.

Can snort be a true IPS (without leaking the initial offending packets), maybe under different OS/configuration? Or is it an inherent limitation on the software itself? So for a true IPS, we have to look for other software (suricata?) or commercial solutions.

Supermule

Dont listen to him seriuosly…

He hasnt proved anything besides "I am SO good and cant tell you where I work, but take my word for it".....

http://en.wikipedia.org/wiki/Intrusion_prevention_system

The main difference between IDS and IPS is that IPS acts actively and does something to the packet/intruder/IP sending the traffic that is caught by IDS.

Snort does a great job in PFSense whether it takes 0,0000000000000000001 second for the packet to be analyzed and thereby not beeing "inline" or "realtime" to someone!

I could easily state that I work for some government agency that wants access everywhere....and therefore be a trusted person. But I am not. I try to keep them out of what I have and so far so good.

They need to combat several obstacles to get in and PFsense with Snort is one of them...

A Former User

@demco:

jflsakfja:
Thanks for the detailed explanation.

Can snort be a true IPS (without leaking the initial offending packets), maybe under different OS/configuration? Or is it an inherent limitation on the software itself? So for a true IPS, we have to look for other software (suricata?) or commercial solutions.

Snort can be a true IPS if it's running in inline mode and all rules are changed to drop (or reject, but who wants to let an intruder know that someone is not home?).
Inline mode alters the way the whole system handles packets (there will be persons that scream at the top of their lungs that this is not the case, I'm explaining it as simply as I can). Basically instead of a packet coming in, the system (os,routing,pf etc etc) deciding what to do with the packet then forwarding it on to its destination, snort inline simply hooks into the system just before the routing. So, a packet comes in, the actual packet is forwarded to snort, snort analyses it, makes the decision of if it should allow it to pass through, then forwards the actual packet down the line (on to routing etc etc). If it's not allowed, snort discards the packet (assuming the rule says so, otherwise rejects it or allows it). If the packet is discarded, no packets travel through the system. If it is rejected, a packet rejecting the original packet will be sent down the incoming connection (wan side?).

As I said before, snort inline was abandoned in favor of suricata. I would choose to go with suricata if you want a true IPS. Don't know your requirements with regards to the connection speed, but there was work a couple years back to implement GPU processing of the packets in suricata, don't know how far that got. GPU processing means that you will max out the connection before maxing out the system, in other words you can handle all the traffic you want without breaking a sweat. That should rule out most commercial "IPS" systems.

Another tip (who am I to know right?) NEVER blacklist on an IPS (allow all, then decide what to reject). ALWAYS whitelist (block all, then allow what needs to pass through). Blacklisting basically makes the IPS useless. Whitelisting is a lot of work, but it is extremely worth it. Want to go all out with security? Install an IPS, then implement MLS on the systems behind it. Or just go with MLS and forget about the rest. This leads you to a system capable of storing above TOP SECRET stuff and if done right even the admin will have no control over it, and sure as hell is not required by most people. Last I heard there were about 200 people worldwide that knew what MLS stands for, and of those, 12 knew how to implement a true MLS system. 5 commited suicide when they started reading documentation about it, 34 were commited (they still fill all the walls they come across with jubberish) and 9 were never seen again. Dunno what happened to the rest of them. :D
Disclaimer: I'm not responsible if insanity takes over you. It takes upwards of 5 years to build a true MLS system, because a true MLS system always assumes it is compromised, at multiple points (physical, network stack, interprocess communication etc. etc.). You basically only allow what needs to be allowed, EVERYWHERE. Even the system does not trust itself, ie sha512sums of a process BEFORE running a process, which is in turn limited to the bare minimum that it needs access to. The only way to get into the system is with a sledgehammer, then again alarms will go off. Yes even compiling code pulled from multiple sources,multiple times, comparing sums of the files it produces, to update itself (code that's well inspected before by people in the know). Thinking about sniffing traffic between processes? Thought that ssh was the only use of encryption? And still think that the same key is used 5 minutes down the road? And no, getting into it at the hardware level doesn't work. Who said you can trust one of its CPUs is not be compromised? If the sys admin is trusted (ie NOT the run of the mill 5 masters, 2 PhDs and 50 years of experience) the system is as secure as it gets.

PS. I never said I work for the government. The government wasn't born knowing all the stuff it knows though ;)

Supermule

You run the Bell-LaPadula model??

A Former User

@jflsakfja:

snip…
mumble mumble....
ah, this is interesting: It takes upwards of 5 years to build a true MLS system, because a true MLS system always assumes it is compromised, at multiple points (physical, network stack, interprocess communication etc. etc.).
mumble mumble

So, it's not the BLP. (insert X sound here).You lost the chance to win the big price. Don't be dissapointed, you can try again next time. To all the people watching us at home, have a great weekend, goodnight everybody.

BLP trusts that Bob (who has a TOP SECRET clearance) does not take a document and de-classifies it himself. So BLP is build on a trust model where you trust the upper guys not to leak anything to the lower guys. The system I described is the ultra-paranoid conspiracy theorist from hell. It assumes, from the time of its first power up, that everybody out there is out to get it. Trust is an unknown word for it. It doesn't trust you in any way, you WILL be leaking stuff down to lower guys. That's the design goal anyways. Users get access to fragments of the documents they have clearance for (wouldn't want them memorizing the entrire document and verbally leaking it), and admins get no access to documents the users are producing (an admin sure as hell doesn't pass a top secret validation. All the admins that got it up to now, was out of neccessity). The highest level is the system. It makes the decissions, everybody else follows them. Hasn't evolved to the Matrix (yet). It did show sentient behaviour though when Lora typed in a cyber warfare document. She went missing 5 days later :D

Supermule

:D You watched WarGames to many times!

A Former User

I'm actually still looking for the old VHS with the original one on it, the new one is not so interesting. It's (in a reality distorted way of saying) really close to how a true MLS system behaves. It makes most decisions on its own.

AI is not something that's coming in the future. It was here 15 years ago. Imagine the thinking that went into the designing of a system (for lack of better term, a mini datacenter) that welds the door shut behind you (not rocket science, heat detectors to see no one is inside, a simple welder electrically ignited if the door is closed and the room is empty and travelling on a rail or a robotic welder to keep it all nice and tidy) because it doesn't expect any maintenance in the next 30 years (since most components are n+5 (n+five)). When the contract is over (talking about 7 or 8 figures here) no one will mind the 30K it takes for an armoured door to be rebuilt (they still use those 10K hammers right?).

I'll put my army hat on and say that most civilians should never need anything close to it. It's actually quite true. As you said, a simple firewall with a good IDS keeps out 99% of the bad guys (even a certain 192.17x.x.x/24 network. (extra x added so that I don't get droned to death ;)) BLP:This statement was never made (see the flaw?). Make the assumption that no services are running behind that box and that percentage just shot up to 99.99%.

sensoryvoltage

Hi, great work. Thanks for the support. I keep getting a  lot of (spp_sip) Maximum dialogs within a session reached alerts and then the IPs get blocked. Anyway to change the rule on this alert? They are basically false positives at this point. If I change the host attribute settings, does it affect this alert in anyway?

Supermule

Use the suppress icon to filter away blocks because of that SID.