If you want reactive, something else to consider is maybe a NIDS that can
"see" this behavior and act accordingly. Something like Bro
http://bro-ids.org/ would be good for this. Or any other log parsing util
that can email alert. Hmmm, maybe I should look at a port of m0n0wall that
adds Bro NIDS for a reactive firewall...???

Chet Harvey
Pitbull Technologies <http://www.pittech.com/>
Protecting your Digital Assets
703.407.7311

Quoting Jeffrey Goldberg <jeffrey at goldmark dot org>:

> [mailed and posted]
>
> On Oct 12, 2004, at 11:08 PM, C. Falconer wrote:
>
> > Then is this something that m0n0wall should address?
> >
> > IE, the internal IP 192.168.12.34 is spewing crap and fills up over
> > 99% of the state table on its own. Maybe the firewall should drop that
> > IP and somehow inform the admin?
>
> Yes and no. This sort of thing is addressed by an Intrusion Detection
> System (IDS). m0n0wall doesn't have an IDS built in, but it can work
> with them. All of these work by having the m0n0wall log actions onto
> some other machine. This is under
>
> Diagnostics --> Logging --> Settings
> Enable syslog'ing to remote syslog server.
>
> And also see
>
> http://m0n0.ch/wall/docbook/ref-logging.html
>
> The IDS will analyze those logs, and take various actions.
>
> I recently asked about IDSs and my summary was posted in
>
> http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=97&actionargs[]=70
>
> Also check Chet Harvey's follow-up with an additional tool in
>
> http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=97&actionargs[]=77
>
> I do not know whether traffic shaping could have actively dealt with
> this problem (I'm new to m0n0wall and sophisticated firewalls and have
> a great deal to learn). But certainly implementing the kinds of rules
> for out-bound traffic discussed in my summary would have prevented the
> problem.
>
> -j
>
> --
> Jeffrey Goldberg http://www.goldmark.org/jeff/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
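As an added example (not code from this thread, m0n0wall or Bro), here is the kind of "log parsing util that can email alert" Chet mentions, applied to the state-table problem in the quoted message: it reads remote-syslog'd firewall lines, counts distinct flows per internal source, and flags any host holding more than a set share of the state table. The ipmon-style "src,port -> dst,port PR proto" line layout, the sample lines, the table size and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed ipmon-like layout; only the "a.b.c.d,port -> a.b.c.d,port PR proto"
# fragment is matched, so other syslog text on the line is ignored.
FLOW_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}),(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}),(?P<dport>\d+) PR (?P<proto>\w+)"
)

def build_sample_log():
    """Constructed sample: one host spraying 800 distinct flows, one normal host."""
    lines = []
    for n in range(800):  # the 'spewing' internal host from the thread
        lines.append(f"Oct 12 23:08:01 fw ipmon[77]: sis0 @0:1 p 192.168.12.34,{1024 + n}"
                     f" -> 10.0.0.{n % 200},{n} PR udp len 20 60 OUT")
    for n in range(5):    # a well-behaved host: five connections to one web server
        lines.append(f"Oct 12 23:08:02 fw ipmon[77]: sis0 @0:1 p 192.168.12.5,{40000 + n}"
                     f" -> 10.0.0.1,80 PR tcp len 20 60 -S OUT")
    lines.append("Oct 12 23:08:03 fw ipmon[77]: unrelated text without a flow")
    return lines

def flows_per_source(lines):
    """Count distinct (sport, dst, dport, proto) tuples, i.e. states, per source address."""
    seen = defaultdict(set)
    for line in lines:
        m = FLOW_RE.search(line)
        if m is None:
            continue  # not a flow line; skip it rather than crash on odd syslog text
        seen[m["src"]].add((m["sport"], m["dst"], m["dport"], m["proto"]))
    return {src: len(flows) for src, flows in seen.items()}

def find_state_hogs(lines, state_table_size, max_share):
    """Return [(src, share)] for sources whose states exceed max_share of the table."""
    counts = flows_per_source(lines)
    hogs = [(src, n / state_table_size) for src, n in counts.items()
            if n / state_table_size > max_share]
    return sorted(hogs, key=lambda pair: pair[1], reverse=True)

def alert_text(hogs):
    """Plain-text body an emailing log watcher would send; empty means nothing to report."""
    if not hogs:
        return ""
    return "\n".join(f"state-table hog: {src} holds {share:.0%} of tracked states"
                     for src, share in hogs)

if __name__ == "__main__":
    # Assumed table size of 1000 states and a 50% per-host ceiling.
    print(alert_text(find_state_hogs(build_sample_log(), 1000, 0.5)))
```

Feeding the real syslog stream in and piping a non-empty alert_text() result to a mailer is the only part left to wire up for the remote-syslog setup the quoted message describes.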