[Discussion] IPS features: traffic normalization

Victor Julien lists at inliniac.net
Mon Oct 20 22:52:39 UTC 2008


Since I became interested in security I've always been more interested
in the prevention side than 'just' the detection side, which explains my
involvement in the Snort_inline project. I also have another project
that is a firewall manager for Linux/iptables (it's called Vuurmuur,
www.vuurmuur.org).

One thing I'm very much interested in is advanced traffic normalization.
In an inline setup, we control everything that is passed so we can
rewrite it or replace it. In Snort_inline we do this in two ways: (1)
some TCP packet rewriting, mostly to adjust the TCP window, and (2)
the replace action, which allows you to replace a rule-specified string
in the payload with a rule-specified string of the same length. It's all
pretty limited, and I think extending this would be very useful.

I think we should be able to have the engine normalize all packets we
want it to. For example if we don't want to support TCP SACK, remove it
from the packet. Same for TCP wscaling, etc. This is actually quite
simple to implement. More interesting will be to have advanced data
layer normalization. I think something like a regex search and replace
would be great to have.

One use case could be working around proxies leaking credentials (like
Will wrote about here:
http://node5.blogspot.com/2007/12/proxies-behaving-badly.html). We could
have rules detecting and removing such leakage from a stream.

Another even more advanced example would be to force randomization upon
the stream, for example in the Kaminsky DNS issues forcing randomization
upon the transaction ID space.

Thoughts?

Cheers,
Victor
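The two normalization mechanisms the post describes (stripping TCP options such as SACK and window scaling from a packet, and a same-length payload replace in the style of the Snort_inline replace action) are illustrated below as an added example. This is not Snort_inline's or the author's code; it assumes raw TCP segments are handed to it (as an inline engine would get them from the kernel queue) and that the IP addresses are only needed for the checksum pseudo-header. Removed options are overwritten with NOPs so the data offset, sequence numbers and segment length stay unchanged, and the TCP checksum is recomputed afterwards. The sample SYN and the HTTP payload are constructed for the example.

```python
import struct

# TCP option kinds (RFC 793 / RFC 2018 / RFC 7323)
TCP_EOL, TCP_NOP, TCP_MSS, TCP_WSCALE, TCP_SACK_PERM, TCP_SACK = 0, 1, 2, 3, 4, 5

# Constructed addresses from the RFC 5737 documentation ranges.
SRC_IP = bytes([192, 0, 2, 10])
DST_IP = bytes([198, 51, 100, 7])


def parse_tcp_options(opts):
    """Yield (kind, payload) for each option; stops at EOL, rejects bad lengths."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_EOL:
            return
        if kind == TCP_NOP:
            yield kind, b""
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        yield kind, opts[i + 2:i + length]
        i += length


def strip_tcp_options(opts, drop_kinds):
    """Rewrite the option area with every option in drop_kinds replaced by NOPs.

    Keeping the byte count identical means the data offset field and the
    payload position do not move, so nothing else in the segment needs fixing.
    """
    out = bytearray()
    for kind, payload in parse_tcp_options(opts):
        if kind == TCP_NOP:
            out.append(TCP_NOP)
        elif kind in drop_kinds:
            out.extend(bytes([TCP_NOP]) * (2 + len(payload)))
        else:
            out += bytes([kind, 2 + len(payload)]) + payload
    out.extend(b"\x00" * (len(opts) - len(out)))  # restore EOL/padding region
    return bytes(out)


def ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """TCP checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def normalize_tcp_segment(src_ip, dst_ip, segment,
                          drop_kinds=(TCP_WSCALE, TCP_SACK_PERM, TCP_SACK)):
    """Return the segment with the unwanted options removed and checksum fixed."""
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    header = bytearray(segment[:data_offset])
    header[20:data_offset] = strip_tcp_options(bytes(header[20:data_offset]), set(drop_kinds))
    header[16:18] = b"\x00\x00"  # checksum field must be zero while computing
    rebuilt = bytes(header) + segment[data_offset:]
    csum = tcp_checksum(src_ip, dst_ip, rebuilt)
    return rebuilt[:16] + struct.pack("!H", csum) + rebuilt[18:]


def replace_same_length(payload, old, new):
    """Same-length payload replace: the segment length and sequence space stay valid."""
    if len(old) != len(new):
        raise ValueError("replacement must have the same length as the match")
    return payload.replace(old, new)


def build_sample_syn():
    """Constructed SYN with MSS, SACK-permitted, a NOP, window scale and NOP padding."""
    opts = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x01" + b"\x03\x03\x07" + b"\x01\x01"
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 8 << 4, 0x02, 65535, 0, 0)
    seg = hdr + opts
    return seg[:16] + struct.pack("!H", tcp_checksum(SRC_IP, DST_IP, seg)) + seg[18:]


if __name__ == "__main__":
    syn = build_sample_syn()
    norm = normalize_tcp_segment(SRC_IP, DST_IP, syn)
    print("options before:", [k for k, _ in parse_tcp_options(syn[20:32])])
    print("options after: ", [k for k, _ in parse_tcp_options(norm[20:32])])
    print("checksum verifies:", tcp_checksum(SRC_IP, DST_IP, norm) == 0)
    # Constructed request carrying a credential header; the same-length rewrite masks it.
    req = b"GET / HTTP/1.0\r\nProxy-Authorization: Basic YWxpY2U6czNjcmV0\r\n\r\n"
    print(replace_same_length(req, b"Basic YWxpY2U6czNjcmV0", b"Basic " + b"x" * 16))
```

The checksum check at the end relies on the usual property that summing a segment whose checksum field is already filled in yields zero. Only the TCP-layer checksum is touched here: the IP total length does not change, so the IP header checksum is unaffected. A regex-based replace, as the post proposes, would need the same length discipline (or full sequence-number rewriting on the rest of the stream), which is exactly why the fixed-length constraint exists.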