Re: [SLUG] Looking for a firewall

From: Brian Coyle (brian@linuxwidows.com)
Date: Sat Aug 09 2003 - 15:56:22 EDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 08 August 2003 22:39, Greg Schmidt wrote:
> Hi Slugs,
>
> I'm looking for some thing-a-ma-bob that can filter packets by an
> arbitrary string anywhere in the packet and then decide to drop it or
> forward it.

[snip]

> Has anyone heard of some software that can do this?

I think snort-inline [1] can do this. However, you're venturing into
Intrusion Prevention System (IPS) territory. IPS is the marketing
buzzword of the month [2] - there are too many false positives. And as
Andrew mentioned, you risk evasion or, worse, a false negative.

GOOD LUCK!

[1] http://www.snort.org/dl/contrib/patches/inline/

[2] Every IDS vendor I've spoken with agrees, however some mysterious
    market driver insists they develop and attempt to sell IPS. I tell 'em
    until their IDS can go many months without a false positive/negative,
    I won't consider IPS.

- --
deja moo - the feeling you've heard this bull before...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Brian Coyle, GCIA http://www.giac.org/GCIA.php

iD8DBQE/NVHwER3MuHUncBsRArL1AJ9M9Mda39k3STYsQ8Viot3DI0rkPwCfQMvC
uKAKYoQ1VfUKqi3BeWEmtm0=
=QVZq
-----END PGP SIGNATURE-----
-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
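
Added illustration, not part of the original message and not snort-inline code: a sketch of the false negative and false positive a drop-on-string filter runs into. The pattern, payloads and function names are constructed for the example, and it assumes one in-order flow.

```python
# Constructed example: drop-or-forward decisions based on a byte string.
PATTERN = b"FORBIDDEN-STRING"  # hypothetical string the filter should block


def per_packet_verdicts(packets, pattern=PATTERN):
    """Judge every packet in isolation, as a stateless string filter would."""
    return ["drop" if pattern in p else "forward" for p in packets]


class StreamMatcher:
    """Match across packet boundaries of one in-order flow.

    Keeps the last len(pattern) - 1 bytes seen, so a string that straddles
    two segments is still found. Bytes already forwarded cannot be recalled:
    only the segment that completes the match is dropped.
    """

    def __init__(self, pattern=PATTERN):
        self.pattern = pattern
        self.tail = b""

    def verdict(self, payload):
        window = self.tail + payload
        hit = self.pattern in window
        keep = len(self.pattern) - 1
        self.tail = window[-keep:] if keep else b""
        return "drop" if hit else "forward"


def stream_verdicts(packets, pattern=PATTERN):
    matcher = StreamMatcher(pattern)
    return [matcher.verdict(p) for p in packets]


# Constructed flow 1: ordinary TCP segmentation splits the string in two.
SPLIT_FLOW = [b"GET /a?q=FORBID", b"DEN-STRING HTTP/1.0\r\n\r\n"]
# Constructed flow 2: harmless mail that merely mentions the string.
BENIGN_FLOW = [b"Subject: why filtering on FORBIDDEN-STRING is a bad idea\r\n"]

if __name__ == "__main__":
    print("per-packet, split flow :", per_packet_verdicts(SPLIT_FLOW))   # false negative
    print("stream,     split flow :", stream_verdicts(SPLIT_FLOW))
    print("per-packet, benign flow:", per_packet_verdicts(BENIGN_FLOW))  # false positive
    print("stream,     benign flow:", stream_verdicts(BENIGN_FLOW))      # still a false positive
```

Stream state removes the segmentation miss, but neither matcher can tell the benign mention from the traffic the rule was written for.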



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:20:52 EDT