Thursday, May 18, 2006

OpenBSD PF logging with NSM

I haven't tried on this yet but this is just my shameless idea, since PF allows logging traffic of interest with log modifier, I'm thinking is it possible to just log only the network traffics that passing through the Firewall then running snort IDS on the PF logging pseudo interface which is pflog0. Additionally we also log the full content data of that interface. Yet with this method we only concentrate on the traffics that passing through the Firewall and ignoring the blocked traffic, we also save the space without logging every single bit(I bet you don't want to detect the blocked intrusion which is unsuccessful).

Another idea of mine would be The Automated Worm Screening System. I think this can be done with Open Source Tools. With snort2c, p0f, tcpkill/pfctl and OpenBSD PF, that's possible to block the worms propagation across networks. This is to create sort of Intrusion Prevention System but only concentrate on certain type of malicious traffics.

Last but not least, for people who have problem when writing PF filtering rules, you should enable the log features so that you know which filtering rules allow or deny the network traffic. That will slightly easier to debug instead of guessing blindly.

Just my 2 cent of da day .....

Cheers :]

5 comments:

Anonymous said...

how do i log traffic matching different set of rules to different log files

Anonymous said...

You could also use dup-to on your pass rules and then run Snort on another machine...

Anonymous said...

You could use bpf filters. Snort understands those. They could match your firewall policies. Then again, wouldn't you only see traffic that you permit anyways? Perhaps you are capturing traffic on the external interface of the firewall where you can see all traffic. In this case, I would use bpf filters.


http://www.snort.org/archive-5-656.html

JimmytheGeek said...

I don't like adding applications to the firewall.

I even feel uncomfortable deploying a complex piece of software like IPS on a chokepoint. That's just an application level firewall, anyway, but the scope for error is much larger and the kind of things IPS does (protocol decodes) seems to be rich with potential for error.

A lot of people feel otherwise. I just think it opens up a door to a 1-packet DoS if the attacker can figure out bad enough traffic. The more interaction with the packet, the closer to reality that scenario gets.

What about offline analysis of the pf logs?

C.S.Lee said...

I just discovered that logging with pflog0 will add the extra pf header with it's matching rules and other directives as well, that may cause IDS can't decode properly. Dup-to is always the best to go, and with bpf filter of course.

I'm not actually creating the IPS system, but just to stop automated worm from spreading across the net, and that's just an thought and I'm playing with it for fun :)

By the way, I'm not big fan of IPS and no extra applications on stand alone firewall.