Solved

IDPS using Shorewall/SNORT??

Posted on 2006-10-26
6
1,470 Views
Last Modified: 2008-01-16
Group supports a small college with about 200 students.

We have a Shorewall firewall/web filter/access mgmt solution in place between the ISP access and the internal network.  This appliance also handles DNS and DHCP.

Problem is that malware-infected PCs are hogging the bandwidth of the student T1 Internet access.  We are in essence getting internal DOS.

Our plan is to put a similar appliance on the internal interface, to detect and control rogue workstations and malware-afflicted workstations.  Using SNORT we would like to detect the activity then shut down that workstation's access.

I know we can drop the client by IP address.  But to restrict access on a more permanent basis, we need a way to remove that client from DHCP eligibility by MAC address.

So, SNORT needs to write to a table of MAC addresses that will be excluded from DHCP eligibility.

Or is there a better solution?

0
Comment
Question by:pwheat
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 

Author Comment

by:pwheat
ID: 17812234
I think we'll have to move DHCP to the internal box.
0
 
LVL 11

Expert Comment

by:prueconsulting
ID: 17819497
DHCP would be easier to control via the same box that snort is running on..

You might also want to consider shaping the traffic and scaling back the bandwidth available to these infected pcs to next to nothing and then this still allows them to download anti-spyware solutions etc albeit slowly.
0
 

Author Comment

by:pwheat
ID: 17819526
Let me ask the question differently:

Can SNORT be configured to drop clients by MAC address as opposed to IP address?

Or, can SNORT be configured to disable DHCP services for certain MAC addresses?

Either way, the same results are achieved.
0
DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

 
LVL 11

Expert Comment

by:prueconsulting
ID: 17820755
Yes Snort can be configured to take actions.

 This can be made to assign a static non routable address to the host based on MAC in the DHCP configuration  or use classes in DHCP and deny based on membership int aht class.

However the one problem i woudl see in doing this is the client will still have an address until the lease ends.


I do not believe snort can function at MAC address level only at IP level.
0
 

Author Comment

by:pwheat
ID: 17839291
. ..
0
 
LVL 11

Accepted Solution

by:
prueconsulting earned 250 total points
ID: 17839472
Look here for some ideas on using Snort with Shorewall

http://linux-bsd-central.com/index.php/content/view/15/

Also look at Guardian - This script can do some of that you want to do
http://www.chaotic.org/guardian/

Take the resulting Iptables rules with the Ip address do an arp and the resulting mac address gets parsed into the Dhcp exclusion list.

Also you could issue a DHCPRelease for that Ip to drop the offending pc off the network as well .
0

Featured Post

Business Impact of IT Communications

What are the business impacts of how well businesses communicate during an IT incident? Targeting, speed, and transparency all matter. Find out more in this infographic.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question