[Discussion] Distributed Blocking

Matt Jonkman jonkman at jonkmans.com
Sun Mar 1 15:40:32 UTC 2009


You've described Snortsam here (www.snortsam.net). Long time favorite
tool of mine written by Frank Knobbe et al.

You use hubs that can talk to firewalls pretty much as you described.
You define sids that block, src or dst, and for how long. Then snortsam
handles the inserting and removing. Great tool, highly recommend using it.

We are definitely going to have to have something similar in the new
engine because we're looking at IP reputation. We also want to be able
to compare and block based on massive lists of IPs and reputation. But
we also need to be able to share block info with other perimeter devices.

I cant begin to tell you how effective it is to block an attacker on
your entire enterprise when they start to fool around at one point. I've
seen that drop the number of events of serious threat in an enterprise
more than 40%. That's a huge load off an analyst knowing that once an IP
demonstrated overt hostility they were blocked everywhere. Makes things
go very nice and quiet.

So yes, this definitely is something we need to make happen. Seems it'd
be a feature of a core central hub to manage the blocks, then maybe
relay block commands to remote sensors who may be the acutal blocker, or
closest to the external blocking device to communicate and make that
block. I'd definitely like to see this communication happen through the
existing sensor to core db connection though. Much easier for outside
tools to also then to read and manipulate that block stream as well.

Matt


Matt Jonkman wrote:
> Kevin Ross wrote:
> 
> For active response the ability to specify agentless blocking devices.
> i.e set up a pix/asa/iptables/pf firewall and say ssh into the device
> from the master sensor, go into the correct configuration mode and then
> enter in the appropriate command i.e ssh pix at firewall; enters the
> password; en; enters the password; conf t; shun ip or acl. Then after a
> set time remove the block. Also if it is an IPS the ability to say act
> inline but also have active response such as dropping the attack and
> blocking the ip or an attack is detected once drop it, if the same host
> attacks again block it completely,
> 
> 
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
> 
> PGP: http://www.jonkmans.com/mattjonkman.asc
> 
> 
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc





More information about the Discussion mailing list