Welcome to ISAserver.org

IDS Add-on?

IDS Add-on? - 7.Mar.2008 9:31:41 PM   
fixitchris
I just downloaded the 2006 SDK and I was looking through the examples.  Is it possible to write an IDS based on Snort's signatures?  Has anyone had experience with performance and custom add-ons? 
Post #: 1
RE: IDS Add-on? - 8.Mar.2008 3:10:16 PM   
ferrix
I think a much lower mountain to climb would be to find some way to interface snort with ISA, rather than writing a whole new IDS engine for ISA!

I looked into this a while back and I'm really surprised that the *only* way to get data into snort was to have it sniffed off the wire.  If snort supported (for example) ICAP as a data source, then it would be trivial to interface it to proxies such as ISA.

So if you feel like writing a bunch of code, my advice is go make an ICAP server for snort... Then I can point you at an ICAP client for ISA :)

(in reply to fixitchris)
Post #: 2
RE: IDS Add-on? - 8.Mar.2008 10:01:57 PM   
fixitchris
Are you referring to http://www.faqs.org/rfcs/rfc3507.html?

Typical data flow:

     origin-server
         | /|\
         |  |
      5  |  |  4
         |  |
        \|/ |              2
     ICAP-client    -------------->   ICAP-resource
     (surrogate)    <--------------   on ICAP-server
         | /|\             3
         |  |
      6  |  |  1
         |  |
        \|/ |
        client


So you're passing the HTTP packet via RPC to the SNORT ICAP server; SNORT processes the packet and, if a signature match is found, ISA gets a "DROP" message via RPC and drops the packet?

Is that what you're getting at?

(in reply to ferrix)
Post #: 3
RE: IDS Add-on? - 8.Mar.2008 10:05:58 PM   
ferrix
Yes, that's what I meant.  In short, use ICAP (or some other preferable way) to make ISA talk to an existing IDS instead of building a brand new IDS from scratch as a filter.  It's not that you couldn't build a new one... just that it seems like a lot of work to me :)

It should be noted that for HTTP traffic you can use Snort with ISA *already* if you chain 2 ISA servers and snort the wire between them.  And if you run ClearTunnel then that snort can even inspect inside outbound HTTPS traffic.  Needless to say, in that configuration you need to be certain that the middle network is isolated from unauthorized snooping.

(in reply to fixitchris)
Post #: 4
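To make the ICAP flow sketched in this thread concrete, here is an added example (not from the thread, ISA, or Snort): a minimal ICAP REQMOD handler in Python that plays the "IDS on ICAP server" role, matching the encapsulated HTTP request head against a couple of constructed Snort-style content signatures and answering 204 (proxy forwards the request unchanged) or 200 with an encapsulated HTTP 403 (proxy blocks it). The service URI, ISTag value, custom header name, and signatures are assumptions made for the example; sockets are left out so it runs offline on the constructed messages.

```python
import re

# Constructed Snort-style content signatures for this example (not real Snort rules):
# (sid, description, pattern searched in the encapsulated HTTP request head).
SIGNATURES = [
    (1000001, "directory traversal in URI", re.compile(rb"\.\./")),
    (1000002, "sensitive file path in URI", re.compile(rb"/etc/passwd")),
]
ISTAG = b'ISTag: "ids-example-1"\r\n'  # ICAP responses must carry an ISTag (value assumed)

def parse_icap(raw: bytes):
    """Split a raw ICAP message into (start line, encapsulated HTTP section)."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n")[0], encapsulated

def match_signatures(http_head: bytes):
    """Return (sid, description) of the first matching signature, or None if clean."""
    for sid, desc, pattern in SIGNATURES:
        if pattern.search(http_head):
            return sid, desc
    return None

def handle_icap_request(raw: bytes) -> bytes:
    """REQMOD handler: 204 lets the proxy forward the request unchanged; 200 with an
    encapsulated HTTP 403 makes the proxy answer the client with that block response."""
    start, encapsulated = parse_icap(raw)
    if not start.startswith(b"REQMOD "):
        return b"ICAP/1.0 405 Method Not Allowed\r\n" + ISTAG + b"Encapsulated: null-body=0\r\n\r\n"
    # Only bodiless requests (Encapsulated: req-hdr=0, null-body=N) are handled here;
    # the request head is the encapsulated data up to its own blank line.
    http_head = encapsulated.split(b"\r\n\r\n")[0] + b"\r\n\r\n"
    hit = match_signatures(http_head)
    if hit is None:
        return b"ICAP/1.0 204 No Content\r\n" + ISTAG + b"Encapsulated: null-body=0\r\n\r\n"
    sid, _desc = hit
    denied = (b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n"  # constructed block response
              b"X-IDS-Signature: %d\r\n\r\n" % sid)                # custom header name assumed
    return (b"ICAP/1.0 200 OK\r\n" + ISTAG
            + b"Encapsulated: res-hdr=0, null-body=%d\r\n\r\n" % len(denied) + denied)

# Constructed sample HTTP request heads of the kind the proxy (ICAP client) would encapsulate.
ATTACK_HTTP = b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
CLEAN_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

def wrap_reqmod(http_head: bytes) -> bytes:
    # Build the REQMOD request (hypothetical ICAP service URI) around a bodiless HTTP head.
    return (b"REQMOD icap://ids.example.invalid/reqmod ICAP/1.0\r\n"
            b"Host: ids.example.invalid\r\n"
            b"Encapsulated: req-hdr=0, null-body=%d\r\n\r\n" % len(http_head) + http_head)
```

A real deployment would read these messages off a TCP listener, parse the Encapsulated offsets properly, and handle request bodies and RESPMOD as well; this block only shows the decision the IDS returns to the proxy.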