Solved

IDPS using Shorewall/SNORT??

Posted on 2006-10-26
6
1,487 Views
Last Modified: 2008-01-16
Group supports a small college with about 200 students.

We have a Shorewall firewall/web filter/access mgmt solution in place between the ISP access and the internal network. This appliance also handles DNS and DHCP.

Problem is that malware-infected PCs are hogging the bandwidth of the student T1 Internet access. We are in essence getting an internal DoS.

Our plan is to put a similar appliance on the internal interface, to detect and control rogue workstations and malware-afflicted workstations.  Using SNORT we would like to detect the activity then shut down that workstation's access.

I know we can drop the client by IP address.  But to restrict access on a more permanent basis, we need a way to remove that client from DHCP eligibility by MAC address.

So, SNORT needs to write to a table of MAC addresses that will be excluded from DHCP eligibility.

Or is there a better solution?

0
Question by:pwheat
6 Comments
 

Author Comment

by:pwheat
ID: 17812234
I think we'll have to move DHCP to the internal box.
0
 
LVL 11

Expert Comment

by:prueconsulting
ID: 17819497
DHCP would be easier to control via the same box that Snort is running on.

You might also want to consider shaping the traffic and scaling back the bandwidth available to these infected PCs to next to nothing; this still allows them to download anti-spyware solutions etc., albeit slowly.
0
 

Author Comment

by:pwheat
ID: 17819526
Let me ask the question differently:

Can SNORT be configured to drop clients by MAC address as opposed to IP address?

Or, can SNORT be configured to disable DHCP services for certain MAC addresses?

Either way, the same results are achieved.
0
 
LVL 11

Expert Comment

by:prueconsulting
ID: 17820755
Yes Snort can be configured to take actions.

This can be made to assign a static non-routable address to the host based on MAC in the DHCP configuration, or use classes in DHCP and deny based on membership in that class.

However, the one problem I would see in doing this is that the client will still have an address until the lease ends.

I do not believe Snort can function at the MAC address level, only at the IP level.
0
 

Author Comment

by:pwheat
ID: 17839291
. ..
0
 
LVL 11

Accepted Solution

by:prueconsulting (earned 250 total points)
ID: 17839472
Look here for some ideas on using Snort with Shorewall

http://linux-bsd-central.com/index.php/content/view/15/

Also look at Guardian - this script can do some of what you want to do:
http://www.chaotic.org/guardian/

Take the resulting iptables rules with the IP address, do an arp, and the resulting MAC address gets parsed into the DHCP exclusion list.

Also, you could issue a DHCPRELEASE for that IP to drop the offending PC off the network as well.
0
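The pipeline the accepted answer sketches (blocked IP from the Snort/Guardian iptables rule, ARP lookup for the MAC, MAC parsed into a DHCP exclusion list) and the "deny based on class membership" approach from the earlier comment, written out as an added example. This is not code from the thread, from Guardian or from Shorewall; it assumes ISC dhcpd 3.x syntax (`class` / `match hardware` / `subclass` / `deny members of`) and Linux `arp -n` and `iptables -L -n` output formats, and the two listings it parses are constructed sample data so it runs offline:

```shell
#!/bin/sh
# Added example, not from the thread, Guardian or Shorewall. Mocks the flow from the
# accepted answer: blocked IP (Snort/Guardian iptables DROP rule) -> ARP cache lookup
# -> ISC dhcpd "quarantined" class that the address pool denies.
# Both listings are constructed sample data; on a live box you would feed in the
# output of `iptables -L GUARDIAN -n` and `arp -n` instead.

# Constructed: what a Guardian-managed chain might look like in `iptables -L GUARDIAN -n`.
SAMPLE_IPTABLES='Chain GUARDIAN (1 references)
target     prot opt source               destination
DROP       all  --  10.0.5.23            0.0.0.0/0
DROP       all  --  10.0.5.99            0.0.0.0/0'

# Constructed: `arp -n` output. 10.0.5.99 has no resolved MAC (stale/incomplete entry).
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.5.23                ether   00:11:22:33:44:55   C                     eth1
10.0.5.40                ether   00:aa:bb:cc:dd:ee   C                     eth1
10.0.5.99                        (incomplete)                              eth1'

# Source IPs of every DROP rule in an `iptables -L <chain> -n` listing, one per line.
blocked_ips() {
  printf '%s\n' "$1" | awk '$1 == "DROP" { print $4 }'
}

# MAC for an IP from an `arp -n` listing. Prints nothing for unknown or
# "(incomplete)" entries, so a stale cache never produces a bogus exclusion.
mac_for_ip() {
  printf '%s\n' "$2" | awk -v ip="$1" '$1 == ip && $2 == "ether" { print $3 }'
}

# ISC dhcpd fragment: one "quarantined" class plus a subclass per resolved MAC.
# dhcpd's "match hardware" data is the hardware type byte (1 = Ethernet) followed
# by the MAC, hence the "1:" prefix. IPs with no ARP entry are emitted as comments:
# they stay dropped by iptables but DHCP cannot exclude them until a MAC is known.
quarantine_fragment() {
  ipt="$1"
  arp="$2"
  printf 'class "quarantined" {\n  match hardware;\n}\n'
  for ip in $(blocked_ips "$ipt"); do
    mac=$(mac_for_ip "$ip" "$arp")
    if [ -n "$mac" ]; then
      printf 'subclass "quarantined" 1:%s;  # blocked as %s\n' "$mac" "$ip"
    else
      printf '# %s: no ARP entry, not excluded from DHCP yet\n' "$ip"
    fi
  done
}

# Pool stanza the fragment feeds: members of the quarantined class get no lease.
pool_stanza() {
  printf 'pool {\n  range 10.0.5.10 10.0.5.250;\n  deny members of "quarantined";\n}\n'
}

quarantine_fragment "$SAMPLE_IPTABLES" "$SAMPLE_ARP"
pool_stanza
```

As the earlier comment notes, the exclusion only bites when the client next asks for a lease, so the iptables DROP has to stay in place for the remainder of the current lease (or the lease has to be released) for the quarantine to be immediate.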

Question has a verified solution.
