[Dshield] DShield vs. Symantec: new features?

Erwin Van de Velde erwin.vandevelde at ua.ac.be
Fri Jan 9 13:49:45 GMT 2004

On Friday 09 January 2004 13:42, Pete Cap wrote:
> >A year has only 12 months, and I'm not going to do my last year at
> > university twice if I can avoid it :-)
> Erwin,
> An extra year in Antwerp can't be all that bad.
> This weekend, be sure to down a few at Den Engel for all of us who can't ;)
I can be in Antwerp, without having to study you know :-)

> Just offhand, what kinds of signs are you looking for as indicators that
> your LAN is being attacked? What exactly are you thinking of doing for
> "containment measures?"

I still have to build it, but for now I already have a client, and I put 
Shorewall logs (with ulogd), snort logs, samhain logs, ipaudit stats and some 
own logs in a postgresql database. It is my intention to make a server app 
that checks the new data in the database every minute or so, and if, for 
example, one host opens too many connections to other computers on a certain 
port, this client could be shut down automatically, till further 
investigation. If more than x clients violate this limit, they will all be 
shut down, and this port will be closed on the firewall(s). This should 
happen as locally as possible in the first place, to avoid further infections 
to the rest of the network (thus on a subnet only for example), and if the 
attack is really large, the firewall(s) with connections to the outside world 
would be closed too...

There is only one bad thing in my opinion: this has to be configured very 
carefully by the sysadmin. For example, if you don't have a local webserver 
running on port 80, all traffic to a local host on port 80 is suspicious. 
But, if you are hosting a webserver for public access, let's say Google 
servers, 1000 connections in 1 second could be the normal situation. As I 
cannot know the conditions on the network where the software is going to be 
installed, a sysadmin will have to configure these trigger values for each 
port, with a default of triggering on each arriving packet (most ports should 
not receive any packet).

Other corrective action could be: if samhain sees that a file that should not 
have changed is changed, put the old one back from a backup. Or if a service 
has been taken down, restart it automatically (for instance a MySQL database 
that died on too many connection attempts).

Any comments or other ideas are always welcome. Also, if there is better 
software than ipaudit for counting the number of connections made, this 
would be a great help too... I already looked into some other products, but 
they often offer a lot more functionality I don't need, and have no plugin 
for postgresql database logging. This makes things rather complicated, and 
things get complicated enough already :-) If there is a way to make iptables 
/ shorewall do this job, it would be great.
I want to look into this myself too, but after the exams...

Thanks in advance,

Erwin Van de Velde
Student of University of Antwerp
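The threshold logic Erwin sketches above (per-port connection limits with a "trigger on any packet" default, isolate a host that exceeds its limit, and close the port everywhere once more than x hosts exceed it), written out as an added example that is not part of the original mail or of Erwin's software. The connection records, the port table and the function names are all constructed for illustration; a real server app would read the records from the postgresql database for the last interval.

```python
from collections import defaultdict

# Constructed sample: one (source host, destination port) pair per new
# connection seen in the last interval. Not real traffic.
SAMPLE_CONNECTIONS = (
    [("10.0.0.5", 80)] * 3                      # normal web traffic
    + [("10.0.0.7", 135), ("10.0.0.8", 135),    # four hosts touching an
       ("10.0.0.9", 135), ("10.0.0.10", 135),   # unconfigured port
       ("10.0.0.10", 135)]
    + [("10.0.0.12", 25)] * 60                  # one host hammering SMTP
)

# Per-port limits the sysadmin would configure: max connections per host per
# interval. Ports missing from the table fall back to DEFAULT_THRESHOLD = 0,
# i.e. a single packet triggers (most ports should see none at all).
PORT_THRESHOLDS = {80: 1000, 25: 50}
DEFAULT_THRESHOLD = 0


def count_connections(connections):
    """Count connections per (source host, destination port)."""
    counts = defaultdict(int)
    for src, port in connections:
        counts[(src, port)] += 1
    return counts


def evaluate(connections, thresholds, default_threshold=0, max_violators=3):
    """Return (hosts_to_isolate, ports_to_close).

    A host is isolated when its count on some port exceeds that port's limit.
    A port is closed on the firewall(s) when more than max_violators distinct
    hosts exceed the limit on it in the same interval.
    """
    counts = count_connections(connections)
    violators_by_port = defaultdict(set)
    for (src, port), n in counts.items():
        if n > thresholds.get(port, default_threshold):
            violators_by_port[port].add(src)
    hosts_to_isolate = set()
    ports_to_close = set()
    for port, srcs in violators_by_port.items():
        hosts_to_isolate |= srcs
        if len(srcs) > max_violators:
            ports_to_close.add(port)
    return hosts_to_isolate, ports_to_close


if __name__ == "__main__":
    hosts, ports = evaluate(SAMPLE_CONNECTIONS, PORT_THRESHOLDS, DEFAULT_THRESHOLD)
    print("isolate hosts:", sorted(hosts), "close ports:", sorted(ports))
```

With the sample, the four hosts on port 135 and the one host over the SMTP limit are flagged, and only port 135 (more than three violators) is scheduled for closing; the web traffic stays under its limit.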
