From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 20:02:10 2004
Message-ID: <20040226040210.25663.qmail@web12609.mail.yahoo.com>
Date: Wed, 25 Feb 2004 20:02:10 -0800 (PST)
From: Dorin H <bj93542@yahoo.com>
To: Matthew George
cc: freebsd-security@freebsd.org
In-Reply-To: <20040225122505.M28880@localhost>
Subject: Re: improve ipfw rules
List-Id: Security issues [members-only posting]

--- Matthew George wrote:
> On Wed, 25 Feb 2004, Borja Marcos wrote:
>
> > > It is my hope that someday someone will step in and implement a similar
> > > system under FreeBSD.
>
> The difference is that snort is still packet based. You'd need to have
> the concept of data stream analysis in order to really implement an
> effective application layer protocol analysis engine.
>

Snort's http plugin does "application-level" stream analysis, AFAIK. Why could you not design a similar plugin, or just some well-written rules? (just 2c)

Use snortsam to alert the firewall (FBSD ipf, for example) to block the traffic, and keep the fw free of stateful traffic analysis as much as possible, for the sake of performance.

BTW, does anyone know if snortsam works with ipfw?

/Dorin.