IDPS using Shorewall/SNORT??

Group supports a small college with about 200 students.

We have a Shorewall firewall/web filter/access mgmt solution in place between the ISP access and the internal network.  This appliance also handles DNS and DHCP.

Problem is that malware-infected PCs are hogging the bandwidth of the student T1 Internet access.  We are in essence getting internal DOS.

Our plan is to put a similar appliance on the internal interface, to detect and control rogue workstations and malware-afflicted workstations.  Using SNORT we would like to detect the activity then shut down that workstation's access.

I know we can drop the client by IP address.  But to restrict access on a more permanent basis, we need a way to remove that client from DHCP eligibility by MAC address.

So, SNORT needs to write to a table of MAC addresses that will be excluded from DHCP eligibility.

Or is there a better solution?

pwheatAsked:
Who is Participating?
 
prueconsultingConnect With a Mentor Commented:
Look here for some ideas on using Snort with Shorewall

http://linux-bsd-central.com/index.php/content/view/15/

Also look at Guardian - This script can do some of that you want to do
http://www.chaotic.org/guardian/

Take the resulting Iptables rules with the Ip address do an arp and the resulting mac address gets parsed into the Dhcp exclusion list.

Also you could issue a DHCPRelease for that Ip to drop the offending pc off the network as well .
0
 
pwheatAuthor Commented:
I think we'll have to move DHCP to the internal box.
0
 
prueconsultingCommented:
DHCP would be easier to control via the same box that snort is running on..

You might also want to consider shaping the traffic and scaling back the bandwidth available to these infected pcs to next to nothing and then this still allows them to download anti-spyware solutions etc albeit slowly.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
pwheatAuthor Commented:
Let me ask the question differently:

Can SNORT be configured to drop clients by MAC address as opposed to IP address?

Or, can SNORT be configured to disable DHCP services for certain MAC addresses?

Either way, the same results are achieved.
0
 
prueconsultingCommented:
Yes Snort can be configured to take actions.

 This can be made to assign a static non routable address to the host based on MAC in the DHCP configuration  or use classes in DHCP and deny based on membership int aht class.

However the one problem i woudl see in doing this is the client will still have an address until the lease ends.


I do not believe snort can function at MAC address level only at IP level.
0
 
pwheatAuthor Commented:
. ..
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.