High Efficiency IPS

Printable View

Show 40 post(s) from this thread on one page

June 19th, 2007, 07:08 AM
d34dl0k1

High Efficiency IPS

Hi -

I'm looking for either software (or a dirty hack) that will allow me to drop packets that meet very specific rules.

I know everyone is thinking "Snort" + snort-inline or something similar, but extreme simplicity and speed is what I need for my network.

I feel snort may be overkill when I expect to be using <10 signatures. It is research grade bandwidth on a critical link, so I assume a snort cluster would likely bottleneck my environment, and hopefully simpler something could operate without notice.

Kind of an odd question... I know...
June 19th, 2007, 09:35 AM
SirDice

Quote:

Originally Posted by d34dl0k1

Hi -

I'm looking for either software (or a dirty hack) that will allow me to drop packets that meet very specific rules.

What kind of specific rules?

Quote:

It is research grade bandwidth on a critical link, so I assume a snort cluster would likely bottleneck my environment, and hopefully simpler something could operate without notice.

What kind of bandwidth are we talking about?
June 19th, 2007, 11:56 AM
oofki

He is trying to make the client drop packets so they have to be retransmitted and they get ddosed! Dont tell him how to do it!

Maybe you are looking for a "packet filtering" program? A rule based firewall would help you out there.
June 19th, 2007, 04:35 PM
d34dl0k1

for instance when remote code execution appears on a critical webserver, the IPS would be loaded with a rule to detect and drop the packet. when a patch is ready, the signature can be disabled. similar to any other server vulnerability that I would need to temporarily mitigate while patches are prepared.

AFAIK IPTables doesn't inspect the data in packets, only headers ...and now as I google it seems it has string matching

http://www.securityfocus.com/infocus/1531

wonderful. anyone use this feature?
June 19th, 2007, 04:40 PM
oofki

Wouldnt "Stateful Packet Inspection" work?
June 20th, 2007, 06:37 AM
d34dl0k1

This is about packet data, not transport headers.
June 20th, 2007, 06:44 AM
d34dl0k1

I have an example -

All I want to do right now is search for

Code:

exec('

in the data of packets towards 80, and then run a perl script on it when true. I feel like don't need all kinds of crap bloated software when I can just somehow pipe the damn packets through some simple code
June 20th, 2007, 10:53 AM
SirDice

Snort... But you don't seem to want that...
June 20th, 2007, 11:37 PM
d34dl0k1

Yeah... just seems like overkill for my purpose.
June 21st, 2007, 12:51 AM
nihil

Have you looked at the extent to which you can disable unwanted features and tailor the detection rules to better suit your particular requirements?

I was always given to understand that it was quite configurable?

Show 40 post(s) from this thread on one page