Hosting Provided By

RE: Snort-Inline and worm containment

From: Rob Shein <shoten(at)starpower.net>
Date: Thu Jan 30 2003 - 12:13:04 EST

The Honeynet Project uses a variant of Snort-Inline for an almost identical purpose in their 2nd Generation Honeynets. Their goal is to prevent the compromise of other networks or hosts due to attacks originating from the Honeynet. The difference is that while they only prevent outbound traffic from having an impact, I imagine you're considering the opposite. Their implementation also allows the traffic out, but munges parts of it to render it ineffective against the outside target.

On the downside, however, they have little to worry about in the way of false positives; it's a honeynet, so any traffic in or outbound from it is almost certain to be hostile, and is definitely not of any production value (as we normally consider the term).

> -----Original Message-----
> From: Tom McLaughlin [mailto:tmclaugh@sdf.lonestar.org]
> Sent: Tuesday, January 28, 2003 9:19 PM
> To: focus-ids@securityfocus.com
> Subject: Snort-Inline and worm containment
>
>
> Hi everyone,
Received on Fri Jan 31 11:34:48 2003

This message: [ Message body ]
Next message: Rob Shein: "RE: Active response... some thoughts."
Previous message: Stone Cold: "Re: Active response... some thoughts."
In reply to Tom McLaughlin: "Snort-Inline and worm containment"
Next in thread: Shaiful: "Re: Snort-Inline and worm containment"
Reply: Shaiful: "Re: Snort-Inline and worm containment"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:08 EDT