Re: Open source firewalls

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Vinay Venkataraghavan wrote:
Hello,

Hello, *devil's advocate hat on*

I have implemented an bare bones Intrusion detection
system that currently detects scans like open, bouce,
half open etc and a host of other tcp scans.

As an aside, why, we have snort?

I would like to develop this into a full blown IDS
which is capable of detecting buffer overflow attacks,
sql injection etc.
I know how to implement buffer overflow attacks. But
how would an intrusion detection system detect a
buffer overflow attack. My question is at the layer
that the intrusion detection system operates, how will
it know that a particular string for exmaple is liable
to overflow a vulnerable buffer.

Erm, if you know how some buffer overflow attacks work then surely the answer is "it depends on the application". To tell if an application is vulnerable you would have to audit it in some manner. Either by checking the source or doing some black-box testing on it.

Even if you did have a great big database of apps and had identifed which of them had possible vulnerabilities it would be easier to simply fix them rather than get an external system to disallow such inputs.

And not forgetting that you would have to have some way for your IDS to tell what app was running behind a specific port. Thought about that yet?

Are there other open source firewall implementations
other than snort?

Snort isn't a firewall. Don't mix apples and oranges. Snort is an IDS. The current de-facto "firewall" for linux is the iptables suite.

Cheers,

  n

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/


[Index of Archives]     [Kernel]     [Linux Crypto]     [Gnu Crypto]     [Gnu Classpath]     [Netfilter]     [Bugtraq]
  Powered by Linux