Solved

IDPS using Shorewall/SNORT??

Posted on 2006-10-26
Last Modified: 2008-01-16
Group supports a small college with about 200 students.

We have a Shorewall firewall/web filter/access mgmt solution in place between the ISP access and the internal network.  This appliance also handles DNS and DHCP.

Problem is that malware-infected PCs are hogging the bandwidth of the student T1 Internet access.  We are in essence getting an internal DoS.

Our plan is to put a similar appliance on the internal interface, to detect and control rogue workstations and malware-afflicted workstations.  Using SNORT we would like to detect the activity then shut down that workstation's access.

I know we can drop the client by IP address.  But to restrict access on a more permanent basis, we need a way to remove that client from DHCP eligibility by MAC address.

So, SNORT needs to write to a table of MAC addresses that will be excluded from DHCP eligibility.

Or is there a better solution?

Question by:pwheat
6 Comments

Author Comment

by:pwheat
I think we'll have to move DHCP to the internal box.

Expert Comment

by:prueconsulting
DHCP would be easier to control via the same box that Snort is running on.

You might also want to consider shaping the traffic and scaling back the bandwidth available to these infected PCs to next to nothing; this still allows them to download anti-spyware solutions etc., albeit slowly.

Author Comment

by:pwheat
Let me ask the question differently:

Can SNORT be configured to drop clients by MAC address as opposed to IP address?

Or, can SNORT be configured to disable DHCP services for certain MAC addresses?

Either way, the same results are achieved.

Expert Comment

by:prueconsulting
Yes, Snort can be configured to take actions.

This can be made to assign a static non-routable address to the host based on MAC in the DHCP configuration, or use classes in DHCP and deny based on membership in that class.

However, the one problem I would see in doing this is that the client will still have an address until the lease ends.

I do not believe Snort can function at the MAC address level, only at the IP level.

Author Comment

by:pwheat
. ..

Accepted Solution

by:prueconsulting (earned 250 total points)
Look here for some ideas on using Snort with Shorewall:

http://linux-bsd-central.com/index.php/content/view/15/

Also look at Guardian; this script can do some of what you want to do:
http://www.chaotic.org/guardian/

Take the resulting iptables rules with the IP address, do an ARP lookup, and the resulting MAC address gets parsed into the DHCP exclusion list.

Also, you could issue a DHCPRELEASE for that IP to drop the offending PC off the network as well.
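Added example (not code from the thread, Guardian or Shorewall): a small Python script that runs the pipeline from the accepted answer on constructed input, pulling the source IP out of a Snort fast-format alert line, looking its MAC up in a `/proc/net/arp` snapshot, and emitting an ISC dhcpd `host` stanza with `deny booting;` so that hardware address is no longer answered. The alert line, the ARP table, the placeholder SID and the `deny booting` host-stanza approach are assumptions (the thread never names a DHCP server); ARP entries the kernel has not resolved (flags 0x0) are treated as unknown, so no stanza is written for them.

```python
import re
from typing import Optional

# Constructed Snort "fast" alert line; the SID and message are placeholders, not real rules.
ALERT_LINE = ('10/26-14:32:11.123456  [**] [1:9999999:1] CONSTRUCTED outbound scan [**] '
              '[Priority: 2] {TCP} 10.1.5.23:3321 -> 203.0.113.10:445')

# Constructed /proc/net/arp snapshot as the internal box would see it.
# 10.1.5.99 is an incomplete entry (flags 0x0, all-zero hardware address).
PROC_NET_ARP = """IP address       HW type     Flags       HW address            Mask     Device
10.1.5.23        0x1         0x2         00:16:3e:aa:bb:cc     *        eth1
10.1.5.99        0x1         0x0         00:00:00:00:00:00     *        eth1
"""

# "{PROTO} src:port -> dst:port" is the tail of every fast-format alert.
_ALERT_RE = re.compile(r'\{\w+\}\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->')

def source_ip_from_alert(line: str) -> Optional[str]:
    """Return the source IP of a fast-format alert, or None if the line does not match."""
    m = _ALERT_RE.search(line)
    return m.group(1) if m else None

def mac_for_ip(ip: str, arp_table: str) -> Optional[str]:
    """Find ip in /proc/net/arp text; only complete entries (flag ATF_COM, 0x2) count."""
    for row in arp_table.splitlines()[1:]:          # skip the header line
        fields = row.split()
        if len(fields) >= 4 and fields[0] == ip and int(fields[2], 16) & 0x2:
            return fields[3].lower()
    return None

def dhcpd_deny_stanza(mac: str, label: str) -> str:
    """ISC dhcpd host declaration that refuses to answer this hardware address."""
    return ('host quarantine-%s {\n'
            '  hardware ethernet %s;\n'
            '  deny booting;\n'
            '}\n' % (label, mac))

def quarantine_from_alert(line: str, arp_table: str) -> Optional[str]:
    """Alert line -> dhcpd stanza, or None when no IP is found or its MAC is unresolved."""
    ip = source_ip_from_alert(line)
    if ip is None:
        return None
    mac = mac_for_ip(ip, arp_table)
    if mac is None:
        return None
    return dhcpd_deny_stanza(mac, ip.replace('.', '-'))

if __name__ == '__main__':
    print(quarantine_from_alert(ALERT_LINE, PROC_NET_ARP))
```

As prueconsulting notes above, the stanza only blocks renewals and new leases; the infected host keeps its current address until the lease expires, so the iptables drop on the IP is still needed in the meantime.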