Linux Netfilter discussions
* Hogwash Vs snort-inline Vs Iptables
From: Murugavel Thiruvengadam @ 2004-08-31 13:58 UTC
  To: netfilter

Hi

We are implementing an IPS (intrusion prevention system).

Hogwash prevents packets only in router/bridge mode. Has anyone implemented
Hogwash in IDS mode (prevent spurious traffic)?

snort-inline also does the same.

Even in iptables we will also block using the string patch.

Iptables will work at the kernel level. What about the others?

Please reply.


Regards
TMurugavelu



* Re: Hogwash Vs snort-inline Vs Iptables
From: Cedric Blancher @ 2004-08-31 14:08 UTC
  To: Murugavel Thiruvengadam; +Cc: netfilter

On Tue 31/08/2004 at 15:58, Murugavel Thiruvengadam wrote:
> Iptables will work at the kernel level. What about the others?

Snort Inline relies on Netfilter as it gets packets using iptables QUEUE
target. This means you have total control of traffic being filtered by
Netfilter and traffic being filtered by Snort Inline. That's why I do
prefer Snort Inline to Hogwash.

Speaking of string match in iptables, forget it. One basic  able thing
an IPS/IPS has to implement is fragmentation resistance. String match
will not work against TCP fragmentation, as it is a per packet match, so
it will not detect an attack payload split on two TCP packets.


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
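
The per-packet limitation described in the message above, as an added example that is not part of the original thread: a signature split across two TCP segments is missed when each payload is inspected alone and found once the flow is reassembled. The signature, sequence numbers, payloads and function names are constructed for illustration.

```python
# Added illustration; names and sample traffic are constructed, not from the thread.
SIGNATURE = b"ATTACK-SIGNATURE"   # hypothetical content signature
BASE_SEQ = 1000                   # sequence number of the first payload byte

# Each segment is (tcp_sequence_number, payload).
WHOLE = [(1000, b"GET /?q=ATTACK-SIGNATURE HTTP/1.0\r\n")]
SPLIT = [(1000, b"GET /?q=ATTACK-SI"), (1017, b"GNATURE HTTP/1.0\r\n")]
# Same flow, arriving out of order with a retransmitted first segment.
REORDERED = [SPLIT[1], SPLIT[0], SPLIT[0]]


def per_packet_match(segments, signature=SIGNATURE):
    """Per-packet string match: each payload is inspected in isolation."""
    return any(signature in payload for _seq, payload in segments)


def reassemble(segments, base_seq=BASE_SEQ):
    """Rebuild the contiguous byte stream from (seq, payload) pairs.

    Handles out-of-order and retransmitted/overlapping segments (first copy
    of a byte wins) and stops at the first hole. Sequence wraparound ignored.
    """
    stream = bytearray()
    for seq, payload in sorted(segments):
        offset = seq - base_seq
        if offset > len(stream):
            break                      # hole: later bytes are not contiguous yet
        stream.extend(payload[len(stream) - offset:])
    return bytes(stream)


def stream_match(segments, signature=SIGNATURE, base_seq=BASE_SEQ):
    """Stream-aware match: inspect the reassembled flow."""
    return signature in reassemble(segments, base_seq)


if __name__ == "__main__":
    for name, segs in (("whole", WHOLE), ("split", SPLIT), ("reordered", REORDERED)):
        print(f"{name:10} per-packet={per_packet_match(segs)} stream={stream_match(segs)}")
```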



* Re: Hogwash Vs snort-inline Vs Iptables
From: Jose Maria Lopez @ 2004-08-31 19:52 UTC
  To: Cedric Blancher; +Cc: netfilter@lists.netfilter.org, Murugavel Thiruvengadam

On Tue, 31/08/2004 at 16:08, Cedric Blancher wrote:
> On Tue 31/08/2004 at 15:58, Murugavel Thiruvengadam wrote:
> > Iptables will work at the kernel level. What about the others?
> 
> Snort Inline relies on Netfilter as it gets packets using iptables QUEUE
> target. This means you have total control of traffic being filtered by
> Netfilter and traffic being filtered by Snort Inline. That's why I do
> prefer Snort Inline to Hogwash.
> 
> Speaking of string match in iptables, forget it. One basic  able thing
> an IPS/IPS has to implement is fragmentation resistance. String match
> will not work against TCP fragmentation, as it is a per packet match, so
> it will not detect an attack payload split on two TCP packets.

And besides this, snort-inline is actively being developed, and I have
read on the snort.org web site that it will be integrated into
plain snort; on the other side you have an almost dead project like
hogwash that is still alpha code and not being so actively developed.
Hogwash is also too heavy in its use of resources like memory.

First option should be snort-inline. It's my opinion.

-- 
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"


