* learning firewall
@ 2004-09-02 19:16 Pablo Allietti
From: Pablo Allietti @ 2004-09-02 19:16 UTC
To: netfilter
Hi all, I have a question.
Does any software based on iptables exist that has a LEARN option?
Example:
I run Snort on my system; when it detects an intrusion, add the IP address to
the iptables table.
Does this exist?
--
Pablo Allietti
LACNIC
-----------------------------------------------------------
L A C N I C VII
SAN JOSÉ, COSTA RICA
26 to 29 October 2004
http://lacnic.net/sp/lacnicVII.html
-----------------------------------------------------------
* Re: learning firewall
From: Jose Maria Lopez @ 2004-09-02 20:31 UTC
To: netfilter@lists.netfilter.org
On Thu, 02 Sep 2004 at 21:16, Pablo Allietti wrote:
> Hi all, I have a question.
>
> Does any software based on iptables exist that has a LEARN option?
>
> Example:
>
> I run Snort on my system; when it detects an intrusion, add the IP address to
> the iptables table.
>
> Does this exist?
I think I remember there being such a tool on the Snort web site. Look for it at www.snort.org, but keep in mind that this kind of tool is prone to DoS attacks, because someone can send you spoofed traffic and you will end up blocking IP addresses you don't want to.
--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Computer Systems Security and Consulting
http://www.bgsec.com
SPAIN
The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
* Re: learning firewall
From: Alejandro Flores @ 2004-09-02 22:01 UTC
To: Pablo Allietti; +Cc: netfilter
Hello Pablo,
Take a look at the contrib folder in the Snort sources; there's a program called Guardian. It reads alerts generated by Snort and adds a dynamic rule to iptables to block the source.
Another one is SnortSam, which can block in iptables, Checkpoint, PIX, etc.
Regards,
Alejandro Flores
> Hi all, I have a question.
>
> Does any software based on iptables exist that has a LEARN option?
>
> Example:
>
> I run Snort on my system; when it detects an intrusion, add the IP address to
> the iptables table.
>
> Does this exist?
--
Alejandro Flores
http://www.triforsec.com.br/
http://www.defenselayer.com/
http://www.nabucodonosor.org/
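Guardian and SnortSam, as Alejandro describes them, read Snort alerts and push the source address into iptables; Jose's reply points out that such a loop can be turned against you with spoofed traffic. The script below is an added example written for this thread, not the code of Guardian, SnortSam or any other project named here. It reads Snort alert_fast lines on stdin, inserts a DROP rule for each new source, refuses to touch addresses on an allowlist (gateway, DNS), and expires every block after a fixed time so forged alerts cannot lock anything out permanently. The SNORT_BLOCK chain name, the interface-free layout, the sample alerts and the allowlist addresses are assumptions constructed for the example; with DRY_RUN=1 (the default here) it prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example for the thread above, not Guardian/SnortSam code.
# Turns the source address of each Snort alert_fast line into a temporary
# DROP rule in a dedicated chain. Two defences against spoofed alerts:
#   - addresses on ALLOWLIST are never blocked
#   - every block is removed again after BLOCK_SECONDS
# Assumptions: alerts arrive on stdin in alert_fast format
# ("... {PROTO} src:sport -> dst:dport"); chain SNORT_BLOCK hooked into INPUT.

DRY_RUN=${DRY_RUN:-1}                 # 1: print commands, 0: execute them
BLOCK_SECONDS=${BLOCK_SECONDS:-3600}
# constructed allowlist: loopback, the gateway and the local DNS server
ALLOWLIST=${ALLOWLIST:-"127.0.0.1 192.168.1.1 192.168.1.53"}

# constructed sample alerts (alert_fast format); the third names the
# allowlisted DNS server as source, the kind of entry spoofed traffic provokes
SAMPLE_ALERTS='09/02-19:16:45.123456  [**] [1:1000001:1] CONSTRUCTED ssh probe [**] [Priority: 2] {TCP} 203.0.113.9:4444 -> 192.168.1.10:22
09/02-19:16:46.000001  [**] [1:1000001:1] CONSTRUCTED ssh probe [**] [Priority: 2] {TCP} 203.0.113.9:4445 -> 192.168.1.10:22
09/02-19:16:47.000002  [**] [1:1000002:1] CONSTRUCTED dns anomaly [**] [Priority: 1] {UDP} 192.168.1.53:53 -> 192.168.1.10:1025'

# run CMD...: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# create the chain once and hook it at the top of INPUT
ensure_chain() {
    run iptables -N SNORT_BLOCK
    run iptables -I INPUT -j SNORT_BLOCK
}

# alert_src_ip LINE: print the source IPv4 address of an alert_fast line
# (works with and without a port, e.g. for ICMP alerts); prints nothing
# for lines that do not match the format
alert_src_ip() {
    printf '%s\n' "$1" | sed -n 's/.*} \([0-9.]*\).* -> .*/\1/p'
}

# is_allowlisted IP: succeeds when IP must never be blocked
is_allowlisted() {
    for a in $ALLOWLIST; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# block_ip IP: add a DROP rule for IP and schedule its removal;
# fails (and does nothing) for allowlisted addresses
block_ip() {
    ip=$1
    if is_allowlisted "$ip"; then
        echo "refusing to block allowlisted $ip" >&2
        return 1
    fi
    run iptables -I SNORT_BLOCK -s "$ip" -j DROP
    if [ "$DRY_RUN" = 1 ]; then
        echo "(after ${BLOCK_SECONDS}s) iptables -D SNORT_BLOCK -s $ip -j DROP"
    else
        ( sleep "$BLOCK_SECONDS"; iptables -D SNORT_BLOCK -s "$ip" -j DROP ) &
    fi
}

# process_alerts: read alert lines on stdin, block each new source once
process_alerts() {
    seen=" "
    while IFS= read -r line; do
        ip=$(alert_src_ip "$line")
        [ -n "$ip" ] || continue
        case "$seen" in *" $ip "*) continue ;; esac   # already handled
        seen="$seen$ip "
        block_ip "$ip" || true
    done
}

# usage: sh snortblock.sh --demo
#    or: tail -F /var/log/snort/alert | DRY_RUN=0 sh snortblock.sh --follow
case "${1:-}" in
    --demo)   ensure_chain; printf '%s\n' "$SAMPLE_ALERTS" | process_alerts ;;
    --follow) ensure_chain; process_alerts ;;
esac
```

On the constructed sample, only 203.0.113.9 produces a rule (its second alert is deduplicated) and the alert naming the DNS server is refused, which is exactly the case Jose warns about. A real deployment would also rate-limit how many blocks a single minute of alerts may create and only act on alert classes whose source address cannot be spoofed, such as completed TCP sessions.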
* Re: learning firewall
From: Nick Drage @ 2004-09-03 10:25 UTC
To: netfilter
On Thu, Sep 02, 2004 at 04:16:45PM -0300, Pablo Allietti wrote:
> Hi all, I have a question.
>
> Does any software based on iptables exist that has a LEARN option?
>
> Example:
>
> I run Snort on my system; when it detects an intrusion, add the IP address to
> the iptables table.
>
> Does this exist?
As well as Snort, the program "fwlogwatch" has a daemon option you can use. I haven't used it myself, so I can only tell you it's there, rather than how useful it is.
--
mors omnia vincit
* Re: learning firewall
From: Miguel Angel Amador L @ 2004-09-03 12:44 UTC
To: netfilter
Hi All,
I have a question: what module must I install for P2P connections? (sorry for my English, it is very slow)
Thanks a lot
Regards
Miguel Amador L.
* Re: learning firewall
From: Jose Maria Lopez @ 2004-09-03 17:20 UTC
To: netfilter@lists.netfilter.org
On Fri, 03 Sep 2004 at 14:44, Miguel Angel Amador L wrote:
> Hi All,
> I have a question: what module must I install for P2P
> connections? (sorry for my English, it is very slow)
> Thanks a lot
>
> Regards
> Miguel Amador L.
>
The ports I use to block P2P (or to allow them, if you want) are:
KAZAA 1214/tcp
NAPSTER 8888/tcp 7777/tcp 8875/tcp
EDONKEY/EMULE 4662/tcp 4663/tcp
WINMX 6699/tcp
But keep in mind that some of these programs can use SOCKS proxies or even standard ports like port 80/tcp to send or receive traffic. It can be a little tricky to stop them (easier to allow them: just open these ports and they will run).
--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Computer Systems Security and Consulting
http://www.bgsec.com
SPAIN
The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
* Re: learning firewall
From: Eric Ellis @ 2004-09-04 21:34 UTC
To: netfilter; +Cc: Jose Maria Lopez
Jose Maria Lopez wrote:
> On Fri, 03 Sep 2004 at 14:44, Miguel Angel Amador L wrote:
>
>> Hi All,
>> I have a question: what module must I install for P2P
>> connections? (sorry for my English, it is very slow)
>> Thanks a lot
>>
>> Regards
>> Miguel Amador L.
>>
>
> The ports I use to block P2P (or to allow them, if you want) are:
>
> KAZAA 1214/tcp
> NAPSTER 8888/tcp 7777/tcp 8875/tcp
> EDONKEY/EMULE 4662/tcp 4663/tcp
> WINMX 6699/tcp
>
> But keep in mind that some of these programs can use SOCKS proxies or
> even standard ports like port 80/tcp to send or receive traffic. It
> can be a little tricky to stop them (easier to allow them: just open
> these ports and they will run).
>
I will be the first of many to say the following:
Don't allow everything and drop what you don't want to get in. This is bad form from a security standpoint, as there will almost always be new things that use different ports. Best practice is to drop everything, and allow what you want through explicitly. The initial set-up might be more difficult, and your rule list probably longer than the other way, but in the end, your network security is what matters, and this practice will help ensure that much better.
--
Eric Ellis
Gilchrist County Sheriff's Department
IT Coordinator
eellis@mail.co.gilchrist.fl.us
352-463-3181
* Re: learning firewall
From: Jose Maria Lopez @ 2004-09-05 16:35 UTC
To: Eric Ellis; +Cc: netfilter@lists.netfilter.org
On Sat, 04 Sep 2004 at 23:34, Eric Ellis wrote:
> Jose Maria Lopez wrote:
> > On Fri, 03 Sep 2004 at 14:44, Miguel Angel Amador L wrote:
> >
> >> Hi All,
> >> I have a question: what module must I install for P2P
> >> connections? (sorry for my English, it is very slow)
> >> Thanks a lot
> >>
> >> Regards
> >> Miguel Amador L.
> >>
> >
> > The ports I use to block P2P (or to allow them, if you want) are:
> >
> > KAZAA 1214/tcp
> > NAPSTER 8888/tcp 7777/tcp 8875/tcp
> > EDONKEY/EMULE 4662/tcp 4663/tcp
> > WINMX 6699/tcp
> >
> > But keep in mind that some of these programs can use SOCKS proxies or
> > even standard ports like port 80/tcp to send or receive traffic. It
> > can be a little tricky to stop them (easier to allow them: just open
> > these ports and they will run).
> >
> I will be the first of many to say the following:
>
> Don't allow everything and drop what you don't want to get in. This is
> bad form from a security standpoint, as there will almost always be new
> things that use different ports. Best practice is to drop everything,
> and allow what you want through explicitly. The initial set-up might be
> more difficult, and your rule list probably longer than the other way,
> but in the end, your network security is what matters, and this practice
> will help ensure that much better.
I totally agree with that. If you look at our project bastion-firewall you should note that it always uses a deny policy and then opens the ports you want to.
What I was referring to was that many people want to allow P2P, and that allowing P2P is easier than blocking it, but of course the default policy in any modern firewall should be to deny all ports and then allow the traffic on some of them.
--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Computer Systems Security and Consulting
http://www.bgsec.com
SPAIN
The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
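The exchange between Eric and Jose comes down to one ruleset shape: a DROP policy on INPUT and FORWARD, explicit allows for the services you run, and the P2P ports from Jose's list handled as a single named set that is either opened for the LAN or simply never mentioned. The script below is an added example written for this thread; it is not bastion-firewall's code nor anyone's from the list. The interface names (eth0 outside, eth1 inside), the 192.168.1.0/24 LAN and the SSH-from-LAN rule are constructed assumptions; DRY_RUN=1 (the default here) prints the iptables commands so the ruleset can be inspected before it is applied.

```shell
#!/bin/sh
# Added example for the thread above, not bastion-firewall's code.
# Default-deny ruleset as Eric recommends, with Jose's P2P ports kept as
# one explicit set. Assumptions (constructed): WAN on eth0, LAN on eth1,
# LAN range 192.168.1.0/24. DRY_RUN=1 prints the commands instead of
# executing them.

DRY_RUN=${DRY_RUN:-1}
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# TCP ports from the thread: KaZaA, Napster, eDonkey/eMule, WinMX.
# Port-based rules only catch the default ports; clients that tunnel over
# SOCKS or 80/tcp (Jose's caveat) are not identified this way.
P2P_PORTS="1214 8888 7777 8875 4662 4663 6699"

# ipt ARGS...: print "iptables ARGS" in dry-run mode, otherwise execute
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# default_deny_policy: flush, drop everything inbound and forwarded by
# default, then allow only loopback and replies to established sessions
default_deny_policy() {
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # anti-spoofing: the LAN range must never arrive on the Internet side
    ipt -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
}

# allow_service PROTO PORT [IFACE]: open exactly one listening service,
# optionally restricted to one interface
allow_service() {
    if [ -n "${3:-}" ]; then
        ipt -A INPUT -i "$3" -p "$1" --dport "$2" -m conntrack --ctstate NEW -j ACCEPT
    else
        ipt -A INPUT -p "$1" --dport "$2" -m conntrack --ctstate NEW -j ACCEPT
    fi
}

# p2p_forward ACTION: ACCEPT lets LAN hosts reach the listed P2P ports.
# With a DROP policy, simply not calling this already closes them; a DROP
# here only gives these attempts their own rule, e.g. to count or LOG them.
p2p_forward() {
    for port in $P2P_PORTS; do
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport "$port" -m conntrack --ctstate NEW -j "$1"
    done
}

# log_dropped: record what the default policy is about to drop, rate-limited
# so a flood cannot fill the log
log_dropped() {
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD DROP: "
}

# usage: sh ruleset.sh --apply          (prints the commands)
#        DRY_RUN=0 sh ruleset.sh --apply (loads them)
case "${1:-}" in
    --apply)
        default_deny_policy
        allow_service tcp 22 "$LAN_IF"   # management from the LAN only
        p2p_forward ACCEPT               # omit this line to keep P2P closed
        log_dropped
        ;;
esac
```

The order matters: the conntrack ESTABLISHED,RELATED rules come first so return traffic never falls through to the policy, the explicit allows follow, and the LOG rules sit last so that whatever they record is exactly what the DROP policy then discards. Adding a new service means one more allow_service line rather than hunting for the port it happens to use, which is the maintenance argument behind Eric's advice.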
* RE: learning firewall
@ 2004-09-02 19:31 Daniel Chemko
From: Daniel Chemko @ 2004-09-02 19:31 UTC
To: Pablo Allietti, netfilter
Pablo Allietti wrote:
> Hi all, I have a question.
>
> Does any software based on iptables exist that has a LEARN option?
>
> Example:
>
> I run Snort on my system; when it detects an intrusion, add the IP address to
> the iptables table.
>
> Does this exist?
No, but you can use Snort itself to manage blocking connections. Look
for the snort-inline project for more information on how this works.
http://sourceforge.net/projects/snort-inline