RE: Snort-Inline and worm containment
Check Point is now providing such capabilities at the firewall as part of their "Smart Defense" subscription service. Inspect code can be added so that a rule can be created to block malicious activity based on a signature.
I am not sure how many different signatures they have developed, or will develop. I don't think anyone knows what type of performance hit will be experienced if you load up the firewall with these rules. See the URL below for their response to the SQL worm.
-Ken
http://www.checkpoint.com/securitycenter/advisories/cpai_2003_04.html
-----Original Message-----
From: Shaiful [mailto:shaifuljahari@yahoo.com]
Sent: Wed 1/29/2003 7:29 PM
To: Tom McLaughlin
Cc: focus-ids@securityfocus.com
Subject: Re: Snort-Inline and worm containment
Hi,
I've never tried snort-inline, but I believe the concept is similar to hogwash. If you want information about a similar arrangement, just search for hogwash implementations. Last time I checked there were quite a few.

For the last Code Red worm outbreak, I used hogwash and blocked Code Red. IMHO, Code Red is the worst since it uses port 80, which is normally open at the firewall.

Running hogwash made me think why on earth the idea of stopping application attacks at layer 2 or 3 was not popular before. Actually, I had been waiting for a hogwash-like program for one year before it was released, mostly due to my poor coding skill. The idea is quite old if you bother to search the snort mailing list. But looking at the hogwash code, I realised it is not really rocket science ;-)
Regards,
Shaiful
--- Tom McLaughlin wrote:
> Hi everyone,
Received on Fri Jan 31 13:00:11 2003
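As an added illustration (not code from this thread, from snort-inline, hogwash or Check Point), here is a toy in-path signature engine in Python showing the point both Ken's firewall-signature post and Shaiful's hogwash post turn on: a passive "alert" rule logs a worm request but still forwards it, while an inline "drop" rule stops it before it reaches the web server. The rule syntax is a simplified snort-like form of my own, and the `/default.ida?` content match is an assumed simplification of a Code Red-style IIS request, not a signature taken from the page.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    action: str     # "alert" = passive IDS, "drop" = inline (snort-inline / hogwash style)
    dport: int
    content: bytes
    msg: str

def parse_rule(line: str) -> Rule:
    """Parse one rule in a simplified snort-like syntax (not a full Snort parser)."""
    head, _, opts = line.partition("(")
    fields = head.split()           # action proto src sport -> dst dport
    options = {}
    for opt in opts.rstrip(")").split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            options[key.strip()] = val.strip().strip('"')
    return Rule(fields[0], int(fields[6]), options["content"].encode(), options["msg"])

def inspect(packet: dict, rules: list) -> tuple:
    """Return (verdict, matched messages); any matching 'drop' rule vetoes forwarding."""
    verdict, hits = "pass", []
    for rule in rules:
        if packet["dport"] == rule.dport and rule.content in packet["payload"]:
            hits.append(rule.msg)
            if rule.action == "drop":
                verdict = "drop"
    return verdict, hits

def bridge(packets: list, rules: list) -> dict:
    """Push packets through the in-path bridge; count what reaches the server."""
    forwarded, alerts = 0, []
    for pkt in packets:
        verdict, hits = inspect(pkt, rules)
        alerts.extend(hits)
        if verdict == "pass":
            forwarded += 1
    return {"forwarded": forwarded, "alerts": alerts}

PACKETS = [  # constructed traffic: a worm-style request and a normal page fetch
    {"dport": 80, "payload": b"GET /default.ida?" + b"N" * 64 + b" HTTP/1.0\r\n"},
    {"dport": 80, "payload": b"GET /index.html HTTP/1.0\r\n"},
]
SIGNATURE = 'tcp any any -> any 80 (msg:"IIS .ida worm request"; content:"/default.ida?";)'
PASSIVE = [parse_rule("alert " + SIGNATURE)]   # classic IDS: alert only, worm still passes
INLINE = [parse_rule("drop " + SIGNATURE)]     # snort-inline / hogwash: drop in-path
if __name__ == "__main__":
    print("passive:", bridge(PACKETS, PASSIVE))
    print("inline: ", bridge(PACKETS, INLINE))
```

The passive run forwards both packets and only raises an alert; the inline run forwards only the benign request.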