Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: High Efficiency IPS

  1. #1
    Member d34dl0k1's Avatar
    Join Date
    Mar 2007
    Posts
    58

    High Efficiency IPS

    Hi -

    I'm looking for either software (or a dirty hack) that will allow me to drop packets that meet very specific rules.

    I know everyone is thinking "Snort" + snort-inline or something similar, but extreme simplicity and speed is what I need for my network.

    I feel snort may be overkill when I expect to be using <10 signatures. It is research grade bandwidth on a critical link, so I assume a snort cluster would likely bottleneck my environment, and hopefully simpler something could operate without notice.

    Kind of an odd question... I know...

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Quote Originally Posted by d34dl0k1
    Hi -

    I'm looking for either software (or a dirty hack) that will allow me to drop packets that meet very specific rules.
    What kind of specific rules?

    It is research grade bandwidth on a critical link, so I assume a snort cluster would likely bottleneck my environment, and hopefully simpler something could operate without notice.
    What kind of bandwidth are we talking about?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    He is trying to make the client drop packets so they have to be retransmitted and they get ddosed! Dont tell him how to do it!

    Maybe you are looking for a "packet filtering" program? A rule based firewall would help you out there.

  4. #4
    Member d34dl0k1's Avatar
    Join Date
    Mar 2007
    Posts
    58
    for instance when remote code execution appears on a critical webserver, the IPS would be loaded with a rule to detect and drop the packet. when a patch is ready, the signature can be disabled. similar to any other server vulnerability that I would need to temporarily mitigate while patches are prepared.

    AFAIK IPTables doesn't inspect the data in packets, only headers ...and now as I google it seems it has string matching

    http://www.securityfocus.com/infocus/1531

    wonderful. anyone use this feature?

  5. #5
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    Wouldnt "Stateful Packet Inspection" work?

  6. #6
    Member d34dl0k1's Avatar
    Join Date
    Mar 2007
    Posts
    58
    This is about packet data, not transport headers.

  7. #7
    Member d34dl0k1's Avatar
    Join Date
    Mar 2007
    Posts
    58
    I have an example -

    All I want to do right now is search for

    Code:
    exec('
    in the data of packets towards 80, and then run a perl script on it when true. I feel like don't need all kinds of crap bloated software when I can just somehow pipe the damn packets through some simple code

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Snort... But you don't seem to want that...
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9
    Member d34dl0k1's Avatar
    Join Date
    Mar 2007
    Posts
    58
    Yeah... just seems like overkill for my purpose.

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Have you looked at the extent to which you can disable unwanted features and tailor the detection rules to better suit your particular requirements?

    I was always given to understand that it was quite configurable?

Similar Threads

  1. The Dutch form new National High Tech Crime Center (NHTCC)
    By Guus in forum Miscellaneous Security Discussions
    Replies: 4
    Last Post: November 9th, 2004, 11:41 PM
  2. High Tech Computer Sales Jargon
    By foxyloxley in forum Tech Humor
    Replies: 3
    Last Post: September 16th, 2004, 07:42 PM
  3. Java High Score List
    By gothic_type in forum Code Review
    Replies: 1
    Last Post: May 5th, 2004, 11:59 PM
  4. Cable or High Speed DSL?
    By backslap in forum AntiOnline's General Chit Chat
    Replies: 3
    Last Post: January 12th, 2004, 06:26 AM
  5. questions bout high and low level langs
    By preep in forum AntiOnline's General Chit Chat
    Replies: 0
    Last Post: May 16th, 2002, 11:11 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •