The world of intrusion detection is starting to change. People are interested in not only detecting attacks, but preventing them. This shift of focus has led to the development of a new class of security tool, the Intrusion Prevention System (IPS). While the term IPS bears the strong odor of a marketing department, the concept is attractive.
Some of the solutions on the market (advertised as IPS) are really just network IDS installed locally on servers and workstations throughout the enterprise, but some are truly designed to detect and prevent intrusions. There are several intrusion prevention strategies being developed and deployed, including host-based memory and process protection mechanisms, session interception (sniping), and network firewall/gateway solutions. The Honeynet project has done some great work with Snort Inline and similar technologies in their second generation Honeypots. You can look at their work at http://project.honeynet.org.
Several intrusion detection strategies have been developed, including:
- Host-based memory and process protection
Systems for monitoring process execution and killing processes that appear malicious; for example, processes that are trying to execute a buffer overflow. These tools are interesting, but not particularly related to Snort.
- Session interception
Terminates a TCP session by sending an RST (reset) packet. When the flexible response plug-in is enabled, Snort can automatically terminate TCP sessions that appear to be hostile attacks using the flexible response plug in. This feature is also called session sniping.
- Gateway intrusion detection
Snort can block hostile traffic using Snort Inline (thus acting as a router), or send messages to other routers manipulating their access lists to block hostile traffic using SnortSAM.
Figure 8-1 is Snort running as a session interceptor using the flexible response plug-in. When an attack is detected, RST packets are sent to the hosts, ending the conversation.
Figure 8-2 shows Snort running as firewall/router/IPS. When an attack is detected, all future traffic from the attacker is blocked.
Figure 8-3 shows Snort running with SnortSAM.
When an attack is detected, the border router is directed to block inbound traffic from the attacking host.