Mailing List Archive

Can iptables be used to block....
the Code Red or default.ida requests from a network, and if so, what would
that filter look like?

TIA


--

Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
Re: Can iptables be used to block.... [ In reply to ]
I don't believe so... since the only way you know it is an attack is by
looking at the content, not the packets. I suppose if you were really
ambitious, you could create a script that could go through your access
logs, and when it sees the "GET /default.ida?" of an attack, it could
execute an IPTABLES command to begin dropping packets from that IP.

I don't know how wise that would be, though...

Tom Albrecht III

At 03:26 PM 8/4/01 -0500, Advanced Hosting UNIX Admin Daniel Fairchild wrote:
>the Code Red or default.ida requests from a network, and if so, what would
>that filter look like?
>
>TIA
>
>
>--
>
>Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
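Tom's log-scanning idea, carried through as a complete script. This is an added example written for this archive page, not code from the thread or from the netfilter project. It assumes Apache common/combined log format, a per-source rule of the form `iptables -I INPUT -s <ip> -p tcp --dport 80 -j DROP`, and the sample log lines embedded in it are constructed for the example.

```python
#!/usr/bin/env python3
"""Scan an Apache access log for Code Red probes and emit iptables DROP rules.

Added example for the thread above, not code from the list or the netfilter
project. Assumptions: Apache common/combined log format, a per-source rule of
the form `iptables -I INPUT -s <ip> -p tcp --dport 80 -j DROP`, and the
constructed sample log below.
"""
import re
import shlex
import subprocess
import sys

# Apache common/combined log line: client IP first, request line in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"'
)

# The worm's probe, as the thread describes it: a GET for /default.ida?
# The real requests continue with a long run of N (Code Red) or X (Code Red II)
# bytes and %u-encoded payload; none of that is needed to recognise them.
CODERED_RE = re.compile(r'^GET /default\.ida\?', re.IGNORECASE)

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = """\
10.0.0.7 - - [04/Aug/2001:15:26:01 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 285
10.0.0.9 - - [04/Aug/2001:15:26:05 -0500] "GET /index.html HTTP/1.1" 200 1043
192.0.2.44 - - [04/Aug/2001:15:27:12 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 285
10.0.0.7 - - [04/Aug/2001:15:28:40 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 285
10.0.0.9 - - [04/Aug/2001:15:29:00 -0500] "GET /robots.txt HTTP/1.1" 404 211
"""


def codered_sources(lines):
    """Return the set of client IPs that sent a Code Red probe.

    The log is attacker-influenced input, so only the fixed-position IP
    field is used and lines that do not parse are skipped, not trusted.
    """
    ips = set()
    for line in lines:
        m = LOG_RE.match(line)
        if m and CODERED_RE.match(m.group("req")):
            ips.add(m.group("ip"))
    return ips


def iptables_commands(ips, chain="INPUT"):
    """One DROP rule per attacker, inserted at the top of the chain.

    Restricting the rule to TCP/80 keeps the infected host's other traffic
    (mail, DNS) flowing; the worm only speaks HTTP.
    """
    return [
        ["iptables", "-I", chain, "-s", ip, "-p", "tcp", "--dport", "80", "-j", "DROP"]
        for ip in sorted(ips)
    ]


def apply_rules(commands, dry_run=True):
    """Print the commands (dry run) or execute them; returns how many ran."""
    for cmd in commands:
        if dry_run:
            print(" ".join(shlex.quote(c) for c in cmd))
        else:
            subprocess.run(cmd, check=True)
    return len(commands)


if __name__ == "__main__":
    # Usage: codered_block.py [access_log] [--apply]
    # With no log file the constructed sample is scanned; without --apply
    # the rules are only printed.
    args = [a for a in sys.argv[1:] if a != "--apply"]
    if args:
        with open(args[0], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    rules = iptables_commands(codered_sources(lines))
    apply_rules(rules, dry_run="--apply" not in sys.argv)
```

Two caveats a practitioner would want before running this against a live log. First, the request is only visible after the TCP handshake and Apache only logs it after answering, so every source's first probe gets through; on Apache that is a harmless 404, and the rule merely stops the repeats. Second, the worm scans from a very large number of infected hosts, so the rule set grows without bound unless entries are expired after some hours. Matching the request text inside the packet filter itself, rather than from the log, needs netfilter's string match (`-m string`); that was not part of the stock iptables the thread is about and is a separate extension.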
Re: Can iptables be used to block.... [ In reply to ]
I was considering that, but my traffic flow is about 150 Mbps at peak on the
best days, usually around 80-100 Mbps on most days, and Hogwash says it has
trouble with traffic approaching or breaking the 100 Mbps range, so I tossed
out that plan unless someone can show me where and on what kind of hardware
they're running something like that.

thanks for the help.

On Saturday 04 August 2001 17:27, you wrote:
> Check out HogWash (http://hogwash.sourceforge.net/); blocking IPs is a bad idea.
> Hogwash alters only attack packets and makes them benign, in conjunction with
> Snort.
>
> * - * - *
> Tzahi Fadida
> Tzahi@mailandnews.com
> Fax (+1 Outside the US) 240-597-3213
> * - * - * - * - * - *
>
>
> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org]On Behalf Of Tom Albrecht
> Sent: Saturday, August 04, 2001 10:36 PM
> To: netfilter@lists.samba.org
> Subject: Re: Can iptables be used to block....
>
>
> I don't believe so... since the only way you know it is an attack is by
> looking at the content, not the packets. I suppose if you were really
> ambitious, you could create a script that could go through your access
> logs, and when it sees the "GET /default.ida?" of an attack, it could
> execute an IPTABLES command to begin dropping packets from that IP.
>
> I don't know how wise that would be, though...
>
> Tom Albrecht III
>
> At 03:26 PM 8/4/01 -0500, Advanced Hosting UNIX Admin Daniel Fairchild
>
> wrote:
> >the Code Red or default.ida requests from a network, and if so, what would
> >that filter look like?
> >
> >TIA
> >
> >
> >--
> >
> >Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.

--
Advanced Hosting UNIX Admin | Daniel Fairchild danielf@supportteam.net
To rate my service or provide feedback, please visit the following URL:
http://www.supportteam.net/rate.php3

Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
RE: Can iptables be used to block.... [ In reply to ]
Check out HogWash (http://hogwash.sourceforge.net/); blocking IPs is a bad idea.
Hogwash alters only attack packets and makes them benign, in conjunction with
Snort.

* - * - *
Tzahi Fadida
Tzahi@mailandnews.com
Fax (+1 Outside the US) 240-597-3213
* - * - * - * - * - *


-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org]On Behalf Of Tom Albrecht
Sent: Saturday, August 04, 2001 10:36 PM
To: netfilter@lists.samba.org
Subject: Re: Can iptables be used to block....


I don't believe so... since the only way you know it is an attack is by
looking at the content, not the packets. I suppose if you were really
ambitious, you could create a script that could go through your access
logs, and when it sees the "GET /default.ida?" of an attack, it could
execute an IPTABLES command to begin dropping packets from that IP.

I don't know how wise that would be, though...

Tom Albrecht III

At 03:26 PM 8/4/01 -0500, Advanced Hosting UNIX Admin Daniel Fairchild
wrote:
>the Code Red or default.ida requests from a network, and if so, what would
>that filter look like?
>
>TIA
>
>
>--
>
>Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
RE: Can iptables be used to block.... [ In reply to ]
Hi, I think you should try it, with a twist.
Use Snort, but only with the attack patterns you need, like the GET, etc.
you described, so it won't be a 16 KB
rule list. Renice Snort to the maximum. Remove any services from the
Linux box.
I am not a Linux wizard, but I am a modest security specialist.
The way I see it, you have 3 options, after all that I mentioned earlier:
a: Since you didn't supply any information on your network hardware, I assume you
have a gigabit network connection. In this case you need a gigabit network
card in your PC or Sparc and connect it to the switch as a gateway; that
should do the trick the "easy" but costly way.
b: Here comes the tricky but cool part. Take 2 Sparcs or PCs. They will now
play the roles of temp gateways.
Divert half the transmissions from your router through the 1st gateway and the
other half through the second, and there you have it :).
c: This is the sad part. If you have only one concentrated connection and
one IP, then it's not so good. There is a chance, however, that your router
can do smart NAT and split your transmissions into the two halves mentioned
in option b, and there you have it. :)

I hope I got it right. I invite anyone to correct me if I am wrong.

* - * - *
Tzahi Fadida
Tzahi@mailandnews.com
Fax (+1 Outside the US) 240-597-3213
* - * - * - * - * - *


-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org]On Behalf Of Advanced Hosting UNIX
Admin Daniel Fairchild
Sent: Saturday, August 04, 2001 11:48 PM
To: muaddib@mailandnews.com; netfilter@lists.samba.org
Subject: Re: Can iptables be used to block....


I was considering that, but my traffic flow is about 150 Mbps at peak on the
best days, usually around 80-100 Mbps on most days, and Hogwash says it has
trouble with traffic approaching or breaking the 100 Mbps range, so I tossed
out that plan unless someone can show me where and on what kind of hardware
they're running something like that.

thanks for the help.

On Saturday 04 August 2001 17:27, you wrote:
> Check out HogWash (http://hogwash.sourceforge.net/); blocking IPs is a bad idea.
> Hogwash alters only attack packets and makes them benign, in conjunction
> with Snort.
>
> * - * - *
> Tzahi Fadida
> Tzahi@mailandnews.com
> Fax (+1 Outside the US) 240-597-3213
> * - * - * - * - * - *
>
>
> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org]On Behalf Of Tom Albrecht
> Sent: Saturday, August 04, 2001 10:36 PM
> To: netfilter@lists.samba.org
> Subject: Re: Can iptables be used to block....
>
>
> I don't believe so... since the only way you know it is an attack is by
> looking at the content, not the packets. I suppose if you were really
> ambitious, you could create a script that could go through your access
> logs, and when it sees the "GET /default.ida?" of an attack, it could
> execute an IPTABLES command to begin dropping packets from that IP.
>
> I don't know how wise that would be, though...
>
> Tom Albrecht III
>
> At 03:26 PM 8/4/01 -0500, Advanced Hosting UNIX Admin Daniel Fairchild
>
> wrote:
> >the Code Red or default.ida requests from a network, and if so, what would
> >that filter look like?
> >
> >TIA
> >
> >
> >--
> >
> >Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.

--
Advanced Hosting UNIX Admin | Daniel Fairchild danielf@supportteam.net
To rate my service or provide feedback, please visit the following URL:
http://www.supportteam.net/rate.php3

Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.