[Dshield] DShield vs. Symantec: new features?
Erwin Van de Velde
erwin.vandevelde at ua.ac.be
Fri Jan 9 13:49:45 GMT 2004
On Friday 09 January 2004 13:42, Pete Cap wrote:
> >A year has only 12 months, and I'm not going to do my last year at
> > university twice if I can avoid it :-)
> An extra year in Antwerp can't be all that bad.
> This weekend, be sure to down a few at Den Engel for all of us who can't ;)
I can be in Antwerp without having to study, you know :-)
> Just offhand, what kinds of signs are you looking for as indicators that
> your LAN is being attacked? What exactly are you thinking of doing for
> "containment measures?"
I still have to build it, but for now I already have a client, and I put
Shorewall logs (with ulogd), snort logs, samhain logs, ipaudit stats and some
logs of my own in a postgresql database. It is my intention to make a server app
that checks the new data in the database every minute or so, and if, for
example, one host opens too many connections to other computers on a certain
port, that client could be shut down automatically until further
investigation. If more than x clients violate this limit, they will all be
shut down, and this port will be closed on the firewall(s). This should
happen as locally as possible in the first place, to avoid further infections
of the rest of the network (thus on a subnet only, for example), and if the
attack is really large, the firewall(s) with connections to the outside world
would be closed too...
There is only one bad thing in my opinion: this has to be configured very
carefully by the sysadmin. For example, if you don't have a local webserver
running on port 80, all traffic to a local host on port 80 is suspicious.
But, if you are hosting a webserver for public access, let's say Google's
servers, 1000 connections in 1 second could be the normal situation. As I
cannot know the conditions on the network where the software is going to be
installed, a sysadmin will have to configure these trigger values for each
port, with a default of triggering on each arriving packet (most ports should
not receive any packet).
Other corrective action could be: if samhain sees that a file that should not
have changed has changed, put the old one back from a backup. Or if a service
has been taken down, restart it automatically (for instance a MySQL database
that died on too many connection attempts).
Any comments or other ideas are always welcome. Also, if there is better
software than ipaudit for counting the number of connections made, this
would be a great help too... I already looked into some other products, but
they often offer a lot more functionality I don't need, and have no plugin
for postgresql database logging. This makes things rather complicated, and
things get complicated enough already :-) If there is a way to make iptables
/ shorewall do this job, it would be great.
I want to look into this myself too, but after the exams...
Thanks in advance,
Erwin Van de Velde
Student of University of Antwerp
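The threshold logic Erwin sketches above (per-port connection limits set by the sysadmin, a default of "any packet triggers", quarantine of a single offending host, and closing the port on the firewall once more than x hosts trip the same limit) can be written down in a few dozen lines. The block below is an added example, not Erwin's code and not part of the original post: it takes one polling interval's worth of connection records (as ipaudit or ulogd rows pulled from the database would supply them), counts them per source host and destination port, and returns which hosts to cut off and which ports to close. The record layout, the `Policy` class, the limit values and the sample data are all constructed for illustration; actually pushing the result into shorewall/iptables is left out.

```python
"""Added example (not the author's code): the per-port connection-count
check described in the post. Records are (src_host, dst_host, dst_port)
tuples for the last polling interval; the layout, names, limits and
sample data below are assumptions made for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Sysadmin-configured limit on connections per interval, keyed by
    # destination port. A port not listed here falls back to default_limit.
    limits: dict = field(default_factory=dict)
    # The post's default: trigger on any arriving packet, i.e. a limit of 0,
    # because most ports should not receive anything at all.
    default_limit: int = 0
    # If more than this many hosts exceed the limit on the same port, treat
    # it as a spreading infection and close that port on the firewall(s).
    mass_threshold: int = 2

    def limit_for(self, port: int) -> int:
        return self.limits.get(port, self.default_limit)


def count_connections(records):
    """Aggregate raw records into {(src_host, dst_port): count}."""
    counts = defaultdict(int)
    for src, _dst, dport in records:
        counts[(src, dport)] += 1
    return counts


def evaluate(records, policy: Policy):
    """Return (hosts_to_quarantine, ports_to_close) for one interval.

    A host is quarantined as soon as it exceeds the limit on any port;
    a port is closed network-wide when more than policy.mass_threshold
    distinct hosts exceed the limit on that same port."""
    counts = count_connections(records)
    offenders_by_port = defaultdict(set)
    for (src, dport), n in counts.items():
        if n > policy.limit_for(dport):
            offenders_by_port[dport].add(src)

    quarantine = set()
    close_ports = set()
    for dport, hosts in offenders_by_port.items():
        quarantine |= hosts
        if len(hosts) > policy.mass_threshold:
            close_ports.add(dport)
    return quarantine, close_ports


# Constructed sample: a public web server on 10.0.0.1:80 allowed 1000
# connections per interval, ssh allowed 5, everything else defaults to 0.
SAMPLE_POLICY = Policy(limits={80: 1000, 22: 5}, default_limit=0, mass_threshold=2)

# Constructed records for one interval:
#  - 10.0.0.5 browses the local web server (well under the limit)
#  - 10.0.0.7 fans out to 50 different hosts on port 445 (worm-like)
#  - 10.0.0.8/9/10 each hammer port 135, i.e. 3 hosts on one unlisted port
#  - 10.0.0.11 opens a single ssh session
SAMPLE_RECORDS = (
    [("10.0.0.5", "10.0.0.1", 80)] * 3
    + [("10.0.0.7", f"10.0.0.{i}", 445) for i in range(20, 70)]
    + [("10.0.0.8", "10.0.0.1", 135)] * 5
    + [("10.0.0.9", "10.0.0.1", 135)] * 5
    + [("10.0.0.10", "10.0.0.1", 135)] * 5
    + [("10.0.0.11", "10.0.0.1", 22)]
)


def demo():
    """Run the check over the constructed sample and return the decision."""
    return evaluate(SAMPLE_RECORDS, SAMPLE_POLICY)


if __name__ == "__main__":
    hosts, ports = demo()
    for h in sorted(hosts):
        print(f"quarantine host {h} (drop its traffic at the subnet gateway)")
    for p in sorted(ports):
        print(f"close port {p} on the firewall(s)")
```

Running it on the sample quarantines 10.0.0.7 (it tripped the default limit of 0 on port 445) and 10.0.0.8, 10.0.0.9 and 10.0.0.10, and because three distinct hosts exceeded the limit on port 135, that port is also flagged for closing on the firewall(s); the web and ssh traffic stays under its configured limits. Note that the "trigger on any packet" default is strict by design, as the post intends: a single connection to a port the sysadmin has not whitelisted is enough to cut a host off, so the limits table has to be populated for every service the network legitimately runs.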