-
June 19th, 2007, 07:08 AM
#1
High Efficiency IPS
Hi -
I'm looking for either software (or a dirty hack) that will allow me to drop packets that meet very specific rules.
I know everyone is thinking "Snort" + snort-inline or something similar, but extreme simplicity and speed is what I need for my network.
I feel Snort may be overkill when I expect to be using <10 signatures. It is research-grade bandwidth on a critical link, so I assume a Snort cluster would likely bottleneck my environment, and hopefully something simpler could operate without notice.
Kind of an odd question... I know...
-
June 19th, 2007, 09:35 AM
#2
Originally Posted by d34dl0k1
Hi -
I'm looking for either software (or a dirty hack) that will allow me to drop packets that meet very specific rules.
What kind of specific rules?
It is research-grade bandwidth on a critical link, so I assume a Snort cluster would likely bottleneck my environment, and hopefully something simpler could operate without notice.
What kind of bandwidth are we talking about?
Oliver's Law:
Experience is something you don't get until just after you need it.
-
June 19th, 2007, 11:56 AM
#3
He is trying to make the client drop packets so they have to be retransmitted and they get DDoSed! Don't tell him how to do it!
Maybe you are looking for a "packet filtering" program? A rule based firewall would help you out there.
-
June 19th, 2007, 04:35 PM
#4
For instance, when a remote code execution vulnerability appears on a critical webserver, the IPS would be loaded with a rule to detect and drop the packet. When a patch is ready, the signature can be disabled. Similar to any other server vulnerability that I would need to temporarily mitigate while patches are prepared.
AFAIK iptables doesn't inspect the data in packets, only headers... and now as I Google it, it seems it has string matching:
http://www.securityfocus.com/infocus/1531
Wonderful. Anyone use this feature?
-
June 19th, 2007, 04:40 PM
#5
Wouldn't "Stateful Packet Inspection" work?
-
June 20th, 2007, 06:37 AM
#6
This is about packet data, not transport headers.
-
June 20th, 2007, 06:44 AM
#7
I have an example -
All I want to do right now is search for
in the data of packets towards 80, and then run a Perl script on it when true. I feel like I don't need all kinds of crap bloated software when I can just somehow pipe the damn packets through some simple code.
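The "pipe the packets through some simple code" idea from the post above, as an added example that is not from the original thread: a minimal IPv4/TCP parser that returns a DROP verdict when a byte signature appears in the payload of a packet to port 80. The signature bytes are a constructed placeholder, since the thread's actual pattern is not on the page; like iptables string matching, this checks one packet at a time, so a pattern split across two TCP segments would not be caught.

```python
import struct
from typing import NamedTuple, Optional, Tuple

# Constructed placeholder signature; the real pattern from the thread is not on the page.
SIGNATURE = b"EXAMPLE-BAD-PATTERN"
WATCH_PORT = 80  # only inspect traffic towards the web server port


class Verdict(NamedTuple):
    action: str   # "DROP" or "ACCEPT"
    reason: str


def parse_ipv4_tcp(pkt: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (dst_port, tcp_payload) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:          # version nibble must be 4
        return None
    ihl = (pkt[0] & 0x0F) * 4                        # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or len(pkt) < ihl + 20:           # protocol 6 = TCP
        return None
    tcp = pkt[ihl:total_len]
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4                    # TCP header length in bytes
    return dst_port, tcp[data_off:]


def inspect(pkt: bytes) -> Verdict:
    """Per-packet signature check: DROP on a payload match towards WATCH_PORT."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return Verdict("ACCEPT", "not IPv4/TCP, not inspected")
    dst_port, payload = parsed
    if dst_port == WATCH_PORT and SIGNATURE in payload:
        return Verdict("DROP", f"signature match in payload to port {dst_port}")
    return Verdict("ACCEPT", "no match")


def build_packet(dst_port: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP packet (checksums zeroed) for offline testing."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


if __name__ == "__main__":
    print(inspect(build_packet(80, b"GET /?q=EXAMPLE-BAD-PATTERN HTTP/1.0\r\n\r\n")))
    print(inspect(build_packet(80, b"GET / HTTP/1.0\r\n\r\n")))
```

In a real deployment the verdict would drive a DROP decision in the kernel path rather than a print, and every DROP should be logged so the temporary rule can be reviewed and removed once the patch is in.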
-
June 20th, 2007, 10:53 AM
#8
Snort... But you don't seem to want that...
Oliver's Law:
Experience is something you don't get until just after you need it.
-
June 20th, 2007, 11:37 PM
#9
Yeah... just seems like overkill for my purpose.
-
June 21st, 2007, 12:51 AM
#10
Have you looked at the extent to which you can disable unwanted features and tailor the detection rules to better suit your particular requirements?
I was always given to understand that it was quite configurable?