[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Open source firewalls

To: Vinay Venkataraghavan <raghavanvinay@xxxxxxxxx>
Subject: Re: Open source firewalls
From: Nigel Rantor <wiggly@xxxxxxxxxx>
Date: Wed, 13 Jul 2005 18:04:52 +0100
Cc: linux-crypto@xxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx
In-reply-to: <20050713163424.35416.qmail@web32110.mail.mud.yahoo.com>
List-archive: <http://mail.nl.linux.org/linux-crypto/>
List-help: <mailto:ecartis@nl.linux.org?Subject=help>
List-id: <linux-crypto.nl.linux.org>
List-owner: <mailto:ecartis-owner@nl.linux.org>
List-post: <mailto:linux-crypto@nl.linux.org>
List-software: Ecartis version 1.0.0
List-subscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=subscribe>
List-unsubscribe: <mailto:linux-crypto-request@nl.linux.org?Subject=unsubscribe>
References: <20050713163424.35416.qmail@web32110.mail.mud.yahoo.com>
Sender: linux-crypto-bounce@xxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)

Vinay Venkataraghavan wrote:

Hello,

Hello, *devil's advocate hat on*

I have implemented an bare bones Intrusion detection
system that currently detects scans like open, bouce,
half open etc and a host of other tcp scans.

As an aside, why, we have snort?

I would like to develop this into a full blown IDS which is capable of detecting buffer overflow attacks, sql injection etc.

I know how to implement buffer overflow attacks. But how would an intrusion detection system detect a buffer overflow attack. My question is at the layer that the intrusion detection system operates, how will it know that a particular string for exmaple is liable to overflow a vulnerable buffer.

Erm, if you know how some buffer overflow attacks work then surely the answer is "it depends on the application". To tell if an application is vulnerable you would have to audit it in some manner. Either by checking the source or doing some black-box testing on it.

Even if you did have a great big database of apps and had identifed which of them had possible vulnerabilities it would be easier to simply fix them rather than get an external system to disallow such inputs.

And not forgetting that you would have to have some way for your IDS to tell what app was running behind a specific port. Thought about that yet?

Are there other open source firewall implementations
other than snort?

Snort isn't a firewall. Don't mix apples and oranges. Snort is an IDS. The current de-facto "firewall" for linux is the iptables suite.

Cheers,

n

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/

References:
- Open source firewalls
  - From: Vinay Venkataraghavan

Prev by Date: RE: Open source firewalls
Next by Date: ÅðáããåëìáôéêÞÖéëïîåíßá
Previous by thread: RE: Open source firewalls
Next by thread: Re: Open source firewalls
Index(es):
- Date
- Thread