
Re: OT: An Idea for an IDS



On Tuesday, 1 July 2003 04:39, Matt Zimmerman wrote:
> On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> > A daemon sits running in the background listening to a special device
> > (/dev) or an IPC which would originate from syslog-ng.  This daemon
> > would then parse the log and look for suspicious things.  If it found
> > something suspicious it would use regular expression to grab out
> > pertinent parts of the log (say the IP address) and act on the log
> > accordingly (in real time) by say dropping an IPTABLE rule down on the
> > IP address.
> >
> > Are there any projects out there to do this right now.  If not, is this
> > a good idea?  If it is who would be a person/group that would be
> > qualified and have the time/interest to develop it.
>
> Not really a good idea.  Consider what happens when someone forges the IP
> addresses.

Unless you only apply this kind of rule based on traffic which implies a 
negotiation. If _there is_ a negotiation between the client and the server 
(they exchange SYN, ACKs and so on), then you do know that the source IP is 
one of:

a) The real client.

b) Another computer in their same LAN sniffing the traffic and generating the 
appropriate responses, a la Man In The Middle, in which case, hey you lost 
service because another computer in your network was bugging me and I cut 
your traffic.

-- OR --

c) Someone in _your own LAN_ trying to fuck you, but not, wait, that can't 
happen because then they would come from a different network interface and so 
you'd know the IP has been forged (you cannot have a petition from 
213.96.93.221 coming from your internal interface, as you cannot have one 
from 192.168.1.1 coming from the external one).

If I'm wrong, please tell me

Regards

	The Pope

-- 
Luis Gomez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
lgomez@infoemergencias.com

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc
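As an added example that is not part of this thread: a Python sketch of the decision logic the log-watching daemon would need, applying the two rules argued above (act only on log events that imply a completed TCP negotiation, and treat an address that cannot have arrived on the interface it came in on as forged). The interface names, address ranges and log lines are constructed assumptions, not taken from the list.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Assumed topology (not from the thread): eth1 is the internal LAN, eth0 faces
# the Internet. Adjust to the real interface layout before relying on it.
INTERNAL_NETS = {"eth1": [ipaddress.ip_network("192.168.1.0/24")]}
EXTERNAL_IFACES = {"eth0"}
# sshd logs an authentication failure only after the TCP handshake and SSH
# banner exchange, so the peer address really completed a negotiation (a/b).
SSHD_FAIL = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+")
# A netfilter log line records one packet together with its ingress interface.
NF_PACKET = re.compile(r"IN=(\S+) .*?SRC=(\S+)")

def plausible_source(iface: str, src: str) -> bool:
    """Case c: the address is forged if it cannot arrive on this interface."""
    ip = ipaddress.ip_address(src)
    if iface in INTERNAL_NETS:
        return any(ip in net for net in INTERNAL_NETS[iface])
    on_internal = any(ip in n for nets in INTERNAL_NETS.values() for n in nets)
    return iface in EXTERNAL_IFACES and ip.is_global and not on_internal

def classify(line: str) -> Tuple[str, Optional[str]]:
    """(verdict, address): "block" only when the address completed a TCP
    negotiation; "forged" when it cannot have arrived on that interface;
    "unverified" for a lone, possibly spoofed packet; "ignore" otherwise."""
    m = SSHD_FAIL.search(line)
    if m:
        return "block", m.group(1)
    m = NF_PACKET.search(line)
    if m:
        iface, src = m.groups()
        if iface not in INTERNAL_NETS and iface not in EXTERNAL_IFACES:
            return "ignore", src   # interface the daemon is not configured for
        if not plausible_source(iface, src):
            return "forged", src   # blocking it would only punish the victim
        return "unverified", src   # one packet proves no negotiation: no action
    return "ignore", None

# Constructed sample lines (not real logs): an sshd failure after a completed
# handshake, a public source arriving on the internal interface, a bare SYN.
SAMPLE_LINES = (
    "Jul  1 04:40:01 gw sshd[1234]: Failed password for root from 213.96.93.221 port 4455 ssh2",
    "Jul  1 04:39:12 gw kernel: IN=eth1 OUT= SRC=213.96.93.221 DST=192.168.1.10 PROTO=TCP DPT=22 SYN",
    "Jul  1 04:39:13 gw kernel: IN=eth0 OUT= SRC=213.96.93.221 DST=192.168.1.10 PROTO=TCP DPT=22 SYN",
)

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(classify(sample))
```

Only the "block" verdict would ever be turned into an iptables rule; "forged" lines are worth logging on their own, since they show someone is spoofing addresses towards you.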


