LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-24-2003, 03:36 PM   #1
mikmok
LQ Newbie
 
Registered: Dec 2003
Posts: 28

Snort performance


Hi all,
I'm trying Snort with Guardian.
I'm wondering how good these two programs can be together at protecting my fw.
I have this doubt; excuse me if I haven't read all the Snort documentation yet, but I can't work out how fast Snort can be at detecting bad traffic, especially on a busy gw.
During the last hour, I saw Guardian do its job in blocking the traffic from a suspicious server/IP that was sending me a virus, but only after the connection was already closed.

The bad email with the virus had been delivered, and after the end of the connection Snort/Guardian detected it and put down a drop rule.

Am I missing something?
Do I need more computing power?
Does Snort do some kind of buffering, and does it analyze the packets?
I suppose that, especially on a busy gw with a lot of packets per second, this is the only way it can work. Am I right?

Which other tools like Snort + Guardian are available to analyze and block suspicious IPs, and has any of you reading this post already tested one with success?

Can Snort detect P2P traffic made by clients that access the internet through a proxy, like Kazaa? How can I avoid and control that kind of traffic?

Thank you, and merry Christmas to everybody.

Mik
 
Old 01-03-2004, 05:38 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

> because I can't work out how fast Snort can be at detecting bad traffic, especially on a busy gw.

Snort propaganda sez something about near-flawless detection on Gigabyte links, so.

> During the last hour, I saw Guardian do its job in blocking the traffic from a suspicious server/IP that was sending me a virus, but only after the connection was already closed.

Detection isn't the same as blocking. I never did test Guardian for its speed, but since it's a Perl script I'm sure the interval at which it reads the log is tweakable.

> Do I need more computing power?

HW/SW specs of the box?

> Does Snort do some kind of buffering, and does it analyze the packets?

Buffering in general I don't know; packet buffering yes, but only for fragments, and log buffering is a syslog/disk thing, I suppose. Yes, it does analyse packets; that's what makes it preferable over "dumb" portscan alerters like portsentry.

> Which other tools like Snort + Guardian are available to analyze and block suspicious IPs, and has any of you reading this post already tested one with success?

Check out the LQ FAQ: Security references; there's a part on IDSes.

> Can Snort detect P2P traffic made by clients that access the internet through a proxy, like Kazaa?

It's not about port access, it's the signatures. KaZaA v2 is harder to stop because it scans for other accessible ports.

> How can I avoid and control that kind of traffic?

Have and enforce a policy that forbids local(net) users from running P2P SW.

> merry Christmas to everybody.

Merry Christmas to you too. Bit early this year :-]
 
Old 01-20-2004, 10:12 AM   #3
mikmok
LQ Newbie
 
Registered: Dec 2003
Posts: 28

Original Poster
Hi, I'm pasting a reply that I've received from the snort-user mailing list:

Mik,
A number of issues here, see below:

> Hi all,
> I'm trying Snort with Guardian.
> I'm wondering about the performance that I can obtain
> from them together to protect my fw.
> I have this doubt; excuse me if I haven't read ALL the
> Snort documentation yet, but I can't work out how
> fast Snort can be at detecting bad traffic, especially
> on a busy gw.
> During the last hour, I saw Guardian do its job in
> blocking the traffic from a suspicious server/IP that
> was sending me a virus, but only after the
> connection was already closed.

This is to be expected. When I used Guardian, on average the first
one or two packets got through before Guardian reacted; if memory
serves me correctly it looks for new entries every second, by which
time the first packet that caused the alert is long gone. Guardian
and iptables/ipchains or whatever then take time to put the block in
place. Then no more subsequent attacks until Guardian opens things
again. I used to use two days for the drop duration.

> The bad email with the virus had been delivered, and
> after the end of the connection Snort/Guardian
> detected it and put down a drop rule.

Personally, with e-mail I don't touch this at the firewall level
but sort out all the problems in the e-mail server: strip out
the viruses and do the spam filtering before passing it over to
the user accounts.

> Am I missing something?
> Do I need more computing power? I'm using a P3 with
> 256 MB RAM.
> Does Snort do some kind of buffering, and does it
> analyze the packets after a while?
> I suppose that, especially on a busy gw with a lot of
> packets per second, this is the only way it can work.
> Am I right?

> Which other tools like Snort + Guardian are available
> to analyze and block suspicious IPs, and has any of you
> reading this post already tested one with success?

I like snort_inline, but it assumes you have an iptables-based
firewall, and as with Guardian you have to eliminate
false positives from your selected rules, otherwise valid
traffic gets dropped.

> Can Snort detect P2P traffic made by clients that
> access the internet through a proxy, like Kazaa? How
> can I avoid and control that kind of traffic?

> Thank you very much

> Mik

Hope the above helps
Brian.
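Both replies above make the same point: Snort detects, a separate poller (Guardian) reads the alert log at an interval and only then inserts a firewall rule, so the packets that triggered the alert, and sometimes the whole short connection, are already through. The following script is an added illustration of that mechanism and is not Guardian's code or anything from the thread. It reads constructed Snort "alert_fast" style lines, skips sources on an assumed whitelist, records the lag between the alert timestamp and the poll, and emits the iptables commands a Guardian-like tool would run, with a two-day drop duration as Brian described. The alert lines, the signature ids (in the local 1000000+ range), the 1-second poll interval and the whitelist are all made up; it only builds the command strings and never touches a real firewall.

```python
"""Guardian-style reactive blocker, dry-run only (added example, not Guardian itself)."""
import ipaddress
import re
from datetime import datetime, timedelta

# Approximate Snort alert_fast line:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sig>[\d:]+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_alert(line, year=2003):
    """Return a dict for one fast-alert line, or None if it is not an alert.
    The fast format carries no year, so the caller supplies it (assumption)."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"time": ts, "sig": m["sig"], "msg": m["msg"],
            "proto": m["proto"], "src": m["src"], "dst": m["dst"]}


class Blocker:
    """Polls alert lines, blocks new sources, expires blocks after drop_duration."""

    def __init__(self, whitelist, drop_duration=timedelta(days=2)):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.drop_duration = drop_duration
        self.blocked = {}      # source IP -> expiry time
        self.commands = []     # iptables commands that would have been run

    def is_whitelisted(self, src):
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.whitelist)

    def poll(self, now, lines):
        """One poll pass: expire old blocks, then react to new alert lines.
        Returns (src, decision, lag_seconds) per alert; lag is how long after
        the alert the poller got to it, i.e. the window the traffic had."""
        for src, expiry in list(self.blocked.items()):
            if now >= expiry:
                self.commands.append(f"iptables -D INPUT -s {src} -j DROP")
                del self.blocked[src]
        results = []
        for line in lines:
            alert = parse_alert(line, year=now.year)
            if alert is None:
                continue
            src = alert["src"]
            lag = (now - alert["time"]).total_seconds()
            if self.is_whitelisted(src):
                results.append((src, "whitelisted", lag))
            elif src in self.blocked:
                results.append((src, "already blocked", lag))
            else:
                self.blocked[src] = now + self.drop_duration
                self.commands.append(f"iptables -I INPUT -s {src} -j DROP")
                results.append((src, "blocked", lag))
        return results


# Constructed sample alerts (RFC 5737 documentation addresses, local sids).
SAMPLE_ALERTS = [
    "12/24-15:36:01.250000  [**] [1:1000001:1] LOCAL constructed SMTP test sig [**] "
    "[Priority: 2] {TCP} 203.0.113.45:4321 -> 192.0.2.10:25",
    "12/24-15:36:01.300000  [**] [1:1000001:1] LOCAL constructed SMTP test sig [**] "
    "[Priority: 2] {TCP} 203.0.113.45:4322 -> 192.0.2.10:25",
    "12/24-15:36:01.700000  [**] [1:1000002:1] LOCAL constructed LAN test sig [**] "
    "[Priority: 3] {TCP} 192.168.1.20:1025 -> 192.0.2.10:80",
    "this line is not an alert and is skipped",
]


def run_demo():
    """Two polls: one second after the alerts, then two days later (expiry)."""
    blocker = Blocker(whitelist=["192.168.1.0/24"])       # assumed LAN whitelist
    first = blocker.poll(datetime(2003, 12, 24, 15, 36, 2), SAMPLE_ALERTS)
    second = blocker.poll(datetime(2003, 12, 26, 15, 36, 2), [])
    return first, second, blocker.commands


if __name__ == "__main__":
    first, second, commands = run_demo()
    for src, decision, lag in first:
        print(f"{src:15} {decision:16} seen {lag:.2f}s after the alert")
    for cmd in commands:
        print("would run:", cmd)
```

Even with an optimistic one-second poll, every alert in the first pass is acted on well after the packet that caused it, and the second alert from the same source arrives before the block exists. The whitelist is the part Brian warns about: without it, a false positive on an internal address turns into a self-inflicted outage for the drop duration.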
 