On 6/21/05, Bob Rich <rrich at gstisecurity dot com> wrote:
>
> I don't know for sure, but I would imagine that snort runs on FreeBSD 4 just fine... isn't there a potential for using the m0n0 platform for hosting snort? The firewall and VPN capabilities could be trimmed to host protection only to avoid the dual-use concerns illustrated below. GUI pages for pointing to mysql or syslog boxen for output (to maintain 'embedability'), stealth port configuration, rule editing, etc. should be much simpler than what is already in place for m0n0wall.
>

FreeBSD is the platform of choice for many of the most accomplished and recognized people in the IDS/NSM (Network Security Monitoring) world, so sure, it'd work. What wouldn't work really well on the type of setup m0n0wall runs is keeping the necessary session data and other log info to make the IDS worthwhile. It's not feasible to dump all that over to syslog and/or mysql, and m0n0wall's file system isn't conducive to that type of system.

What the people who are fooled by the marketing folks of firewall devices with built-in IDS don't realize is that they're practically useless in that context. First, what some call "IDS" has only a couple dozen signatures detecting attacks like the "ping of death" that haven't been used (effectively) since the 90's. If you're still vulnerable to decade-old attacks, you have way more issues than needing an IDS. Secondly, even if they do include a full-blown IDS ruleset, I've yet to see any that provide anything much more than a one-line "Alert - XYZ exploit detected". So, how do you know it really was an exploit attempt on that, and not a signature mismatch? Can't see the actual packets, so you don't know. How did your server respond, or did it respond at all? Sorry, can't figure that out either. For all you know, the exploit worked, and the server is rootkitted.

So you can't trust the machine, and the only way to then tell with certainty what happened is to go into incident response mode, pull the server offline, and examine with known-good tools. My point is, if you think these firewall-embedded IDS systems are actually doing much of anything for you, you're seriously mistaken and have drunk way too much of the marketing Kool-Aid. If anybody knows of a firewall that does provide full session data, I'd love to hear about it. I'd strongly recommend http://www.bookpool.com/sm/0321246772 if you have further interest in this area.

-Chris
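The argument above (a one-line alert tells you nothing; session data tells you whether the server answered) is illustrated by the following added example, which is not part of the thread and not m0n0wall or Snort code. It joins constructed Snort-fast-style alert lines to constructed flow records on the 5-tuple and a time window, then states what can and cannot be concluded for each alert. The alert and flow layouts, the 10-second window, and the year 2005 for the year-less alert timestamps are all assumptions of this example.

```python
"""Triage IDS alerts against session (flow) records.

Added example, not from the mailing-list thread. Alert lines and flow records
below are constructed sample data; their layouts are assumptions for this
example, not any real sensor's exact output.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed alerts in a Snort "fast"-like layout:
# timestamp [**] [gid:sid:rev] message [**] {proto} src:sport -> dst:dport
ALERTS = """\
06/21-10:15:02.123456 [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] {TCP} 203.0.113.5:44321 -> 192.0.2.10:80
06/21-10:15:07.654321 [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] {TCP} 203.0.113.5:44322 -> 192.0.2.11:80
06/21-10:16:30.000000 [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] {TCP} 203.0.113.5:44323 -> 192.0.2.12:80
""".splitlines()

# Constructed flow records: start,proto,src,sport,dst,dport,
# bytes client->server,bytes server->client,closing state
SESSIONS = """\
2005-06-21T10:15:01,TCP,203.0.113.5,44321,192.0.2.10,80,1420,0,RST
2005-06-21T10:15:06,TCP,203.0.113.5,44322,192.0.2.11,80,1420,512,FIN
2005-06-21T10:15:30,TCP,198.51.100.7,50000,192.0.2.11,80,300,4000,FIN
""".splitlines()

YEAR = 2005  # fast-format timestamps carry no year; assumed for the sample data

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[(?P<sid>[\d:]+)\] "
    r"(?P<msg>.*?) \[\*\*\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Session:
    start: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    to_server: int   # bytes the client sent
    to_client: int   # bytes the server sent back
    state: str       # how the connection ended (RST, FIN, ...)


def parse_alert(line: str) -> dict:
    """Turn one alert line into a dict with a real datetime and int ports."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognized alert line: {line!r}")
    d = m.groupdict()
    d["ts"] = datetime.strptime(f"{YEAR}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def parse_session(line: str) -> Session:
    f = line.split(",")
    return Session(datetime.fromisoformat(f[0]), f[1], f[2], int(f[3]),
                   f[4], int(f[5]), int(f[6]), int(f[7]), f[8])


def find_session(alert: dict, sessions: list, window=timedelta(seconds=10)):
    """Match an alert to the flow with the same 5-tuple that started near it."""
    for s in sessions:
        same_tuple = (s.proto == alert["proto"] and s.src == alert["src"]
                      and s.sport == alert["sport"] and s.dst == alert["dst"]
                      and s.dport == alert["dport"])
        if same_tuple and abs(alert["ts"] - s.start) <= window:
            return s
    return None


def verdict(session) -> str:
    if session is None:
        return "NO_SESSION"   # the one-line-alert situation: nothing to verify against
    if session.to_client == 0:
        return "NO_RESPONSE"  # the server never answered the request
    return "RESPONDED"        # the server answered: fetch this session's packets and read the reply


def triage(alert_lines=ALERTS, session_lines=SESSIONS) -> list:
    sessions = [parse_session(l) for l in session_lines]
    results = []
    for line in alert_lines:
        a = parse_alert(line)
        s = find_session(a, sessions)
        results.append({"sid": a["sid"], "target": f"{a['dst']}:{a['dport']}",
                        "verdict": verdict(s), "session": s})
    return results


if __name__ == "__main__":
    for r in triage():
        print(r["sid"], r["target"], r["verdict"])
```

Only the second alert is worth an analyst's time right away, and even there the flow record just says "the server sent 512 bytes back"; deciding whether that was an error page or a successful exploit still requires the packet contents, which is exactly the data a firewall-embedded IDS with a one-line alert log does not keep.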