Solved

IDPS using Shorewall/SNORT??

Posted on 2006-10-26
6
1,452 Views
Last Modified: 2008-01-16
Group supports a small college with about 200 students.

We have a Shorewall firewall/web filter/access mgmt solution in place between the ISP access and the internal network.  This appliance also handles DNS and DHCP.

Problem is that malware-infected PCs are hogging the bandwidth of the student T1 Internet access.  We are in essence getting an internal DoS.

Our plan is to put a similar appliance on the internal interface, to detect and control rogue workstations and malware-afflicted workstations.  Using SNORT we would like to detect the activity then shut down that workstation's access.

I know we can drop the client by IP address.  But to restrict access on a more permanent basis, we need a way to remove that client from DHCP eligibility by MAC address.

So, SNORT needs to write to a table of MAC addresses that will be excluded from DHCP eligibility.

Or is there a better solution?

0
Question by:pwheat
6 Comments
 

Author Comment

by:pwheat
ID: 17812234
I think we'll have to move DHCP to the internal box.
0
 
LVL 11

Expert Comment

by:prueconsulting
ID: 17819497
DHCP would be easier to control via the same box that Snort is running on.

You might also want to consider shaping the traffic and scaling back the bandwidth available to these infected PCs to next to nothing; this still allows them to download anti-spyware solutions etc., albeit slowly.
0
 

Author Comment

by:pwheat
ID: 17819526
Let me ask the question differently:

Can SNORT be configured to drop clients by MAC address as opposed to IP address?

Or, can SNORT be configured to disable DHCP services for certain MAC addresses?

Either way, the same results are achieved.
0

 
LVL 11

Expert Comment

by:prueconsulting
ID: 17820755
Yes, Snort can be configured to take actions.

This can be made to assign a static non-routable address to the host based on MAC in the DHCP configuration, or use classes in DHCP and deny based on membership in that class.

However, the one problem I would see in doing this is the client will still have an address until the lease ends.


I do not believe Snort can function at the MAC address level, only at the IP level.
0
 

Author Comment

by:pwheat
ID: 17839291
. ..
0
 
LVL 11

Accepted Solution

by:prueconsulting (earned 250 total points)
ID: 17839472
Look here for some ideas on using Snort with Shorewall

http://linux-bsd-central.com/index.php/content/view/15/

Also look at Guardian; this script can do some of what you want to do:
http://www.chaotic.org/guardian/

Take the resulting iptables rules with the IP address, do an arp, and the resulting MAC address gets parsed into the DHCP exclusion list.

Also, you could issue a DHCPRELEASE for that IP to drop the offending PC off the network as well.
0
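The iptables-to-ARP-to-DHCP chain described in the accepted solution, as an added example script that is not from the thread or from Guardian; it assumes ISC dhcpd syntax (`deny booting;` inside a host declaration) and embeds constructed sample `iptables -L -n` and `arp -n` output so it runs offline.

```shell
#!/bin/sh
# Constructed sample of `iptables -L INPUT -n` (hypothetical addresses);
# in a real run this would come from the live firewall.
BLOCKED_RULES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.1.5.23            0.0.0.0/0
ACCEPT     all  --  10.1.0.0/16          0.0.0.0/0
DROP       all  --  10.1.5.40            0.0.0.0/0'

# Constructed sample of `arp -n` on the internal interface (hypothetical).
ARP_TABLE='Address                  HWtype  HWaddress           Flags Mask            Iface
10.1.5.23                ether   00:11:22:33:44:55   C                     eth1
10.1.5.40                ether   aa:bb:cc:dd:ee:ff   C                     eth1
10.1.5.41                ether   de:ad:be:ef:00:01   C                     eth1'

# Source IPs of every DROP rule, one per line.
dropped_ips() {
    printf '%s\n' "$BLOCKED_RULES" | awk '$1 == "DROP" { print $4 }'
}

# Map one IP to its MAC via the ARP table; prints nothing if the host
# has not been seen (e.g. it is behind a router, so no MAC is known).
ip_to_mac() {
    printf '%s\n' "$ARP_TABLE" | awk -v ip="$1" '$1 == ip && $2 == "ether" { print $3 }'
}

# Emit dhcpd.conf host declarations that refuse DHCP service to the
# blocked MACs; IPs with no ARP entry are skipped rather than guessed.
dhcp_exclusions() {
    for ip in $(dropped_ips); do
        mac=$(ip_to_mac "$ip")
        [ -n "$mac" ] || continue
        name=$(printf '%s' "$mac" | tr -d ':')
        printf 'host blocked-%s {\n  hardware ethernet %s;\n  deny booting;\n}\n' "$name" "$mac"
    done
}
```

In a real run the two constructed strings would be replaced by the live `iptables -L -n` and `arp -n` output and the result appended to a file included from dhcpd.conf before restarting dhcpd; as prueconsulting notes, an existing lease stays valid until it expires or is released.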
