RE: Re: A firewall Question

From: Andrew Lennon (alennon_uk@xxxxxxxxx)
Date: Fri Oct 12 2001 - 17:22:31 GMT-3


All,

This may be off topic, but I think it is an important point, as it raises a
point regarding the demarcation of OSI layers.

I have just looked through the http://www.snort.org news, which Hogwash is
based on (first line of the page's main text), and it says this:

Everyone and their brother has put out an advisory on NIMDA, the latest
worm to thrash IExplore, Outlook Express, and IIS. This worm does a
number of cute things that are well documented in the SANS advisory
available here.

Snort 1.8.1 included signatures to detect most of the attacks used by
NIMDA already, but just in case you need a refresher the signatures are
included here.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
(msg:"WEB-IIS multiple decode attempt"; \
flags:A+; uricontent:"%5c"; uricontent:".."; \
reference:cve,CAN-2001-0333; \
classtype:attempted-user; sid:970; rev:2;)

alert tcp $EXTERNAL_NET any -> $HTTP_SER ...Read More

The "Read More" link points to http://www.snort.org/article.html?id=31

Doesn't look like layer 2, or even 3; more like layers 4-7.

Please correct me if I am wrong!!

Cheers,

Andy

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jon CCIE-study Account
Sent: 12 October 2001 20:46
To: louie kouncar; ccielab@groupstudy.com
Subject: OT: Re: A firewall Question

Hi Louie

Some information I found. It might be the "layer 2 firewall" you were
asking about.

http://hogwash.sourceforge.net/

Hogwash is a layer 2 packet scrubber based on the snort signature engine.
Hogwash sits in line, and forwards or drops packets based on signature
matches.

Cisco Secure Consulting Analysis by Venkat Pothamsetty, Security Research
Engineer

Hogwash is a firewall operating at the link layer. There are a couple of
interesting things that distinguish Hogwash from the rest of the bunch.
First, in addition to operating at the link layer, it does not require an
IP stack on the machine it runs on. Because of that, it is much harder for
an attacker to mount attacks on the firewall machine itself, and
practically impossible to launch attacks above the link layer. Secondly,
because Hogwash is based on snort, the user will be able to pass or drop
packets based on IP/TCP/UDP header values and even data content. It is
also easier for the user to configure the tool: the only required
arguments are the snort rules file, the inside interface, and the outside
interface.

Best regards,
Jon Bennedsgaard

----- Original Message -----
From: "louie kouncar" <lkouncar@UU.NET>
To: <ccielab@groupstudy.com>
Sent: Friday, October 12, 2001 7:02 PM
Subject: A firewall Question

> All,
>
> I have been working with Check Point firewall for a while, and just today I
> heard a guy say that there is a kind of firewall that is a layer 2 device;
> can anyone comment on that please....
>
> Thank you
>
>
>
> Louie J. Kouncar CCIE #7994
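The point Andy raises can be checked mechanically: take the Snort rule quoted above, split it into its header and options, and note which OSI layer each match condition reads. What follows is an added example written for this archive page; it is not code from the thread, from Snort, or from Hogwash. It assumes a simplified option-to-layer mapping, a single pass of %xx decoding as the "normalized URI" a preprocessor would hand to uricontent (verify this against the Snort version you actually run), and the sample "packets" are constructed dictionaries, not captured traffic. The sid 970 rule keys on "%5c" surviving one decode, which is why the single-encoded request below does not match while the double-encoded one does.

```python
"""Which OSI layers does a Snort 1.8-style rule actually inspect?

Added example for the Hogwash / "layer 2 firewall" thread; not Snort or
Hogwash code. Rule text is the sid 970 rule quoted in the thread; packets
are constructed samples.
"""
import re
from urllib.parse import unquote

# Assumption: simplified mapping of rule options to the OSI layer whose
# fields they read. Good enough for the rule quoted in the thread.
OPTION_LAYERS = {
    "ttl": 3, "ipopts": 3, "fragbits": 3, "itype": 3, "icode": 3,  # IP/ICMP
    "flags": 4, "seq": 4, "ack": 4,                                # TCP header
    "content": 7, "uricontent": 7,                                 # payload
}
# Snort flag letters -> TCP flag names
FLAG_LETTERS = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH", "A": "ACK", "U": "URG"}

RULE_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)

# The rule as quoted in the thread (backslash line continuations kept).
NIMDA_RULE = r'''alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
(msg:"WEB-IIS multiple decode attempt"; \
flags:A+; uricontent:"%5c"; uricontent:".."; \
reference:cve,CAN-2001-0333; \
classtype:attempted-user; sid:970; rev:2;)'''

# Constructed sample packets (not captures): just the fields the rule reads.
SAMPLE_PACKETS = {
    "double_encoded": dict(proto="tcp", dport=80, tcp_flags={"ACK", "PSH"},
                           uri="/scripts/..%255c..%255ctest.exe"),
    "single_encoded": dict(proto="tcp", dport=80, tcp_flags={"ACK", "PSH"},
                           uri="/scripts/..%5c../test.exe"),
    "benign": dict(proto="tcp", dport=80, tcp_flags={"ACK"}, uri="/index.html"),
    "syn_only": dict(proto="tcp", dport=80, tcp_flags={"SYN"},
                     uri="/scripts/..%255c..%255ctest.exe"),
}


def parse_rule(text):
    """Join backslash continuations, then split into header fields and an
    ordered list of (option, value) pairs. Quotes around values are stripped."""
    joined = re.sub(r"\\\s*\n", " ", text).strip()
    m = RULE_HEADER.match(joined)
    if not m:
        raise ValueError("not a Snort rule")
    header = m.groupdict()
    opts = header.pop("opts")
    options = []
    for raw in opts.split(";"):
        raw = raw.strip()
        if raw:
            key, _, val = raw.partition(":")
            options.append((key.strip(), val.strip().strip('"')))
    return header, options


def layers_inspected(header, options):
    """Sorted list of OSI layers whose fields the rule's conditions read."""
    layers = {4 if header["proto"] in ("tcp", "udp") else 3}
    if header["src"] != "any" or header["dst"] != "any":
        layers.add(3)          # IP addresses / address variables
    if header["sport"] != "any" or header["dport"] != "any":
        layers.add(4)          # TCP/UDP ports
    for key, _ in options:
        if key in OPTION_LAYERS:
            layers.add(OPTION_LAYERS[key])
    return sorted(layers)


def flags_match(spec, tcp_flags):
    """Snort 'flags' option: 'A+' means ACK set and anything else allowed;
    a bare list such as 'SA' means exactly those flags. ('*' and '!' omitted.)"""
    loose = spec.endswith("+")
    wanted = {FLAG_LETTERS[c] for c in spec.rstrip("+")}
    return wanted <= tcp_flags if loose else wanted == tcp_flags


def normalize_uri(uri):
    """One pass of %xx decoding (assumption: what uricontent is matched against)."""
    return unquote(uri)


def rule_matches(header, options, packet):
    """Evaluate the subset of conditions the sample packets carry."""
    if header["proto"] != packet["proto"]:
        return False
    if header["dport"] != "any" and header["dport"] != str(packet["dport"]):
        return False
    uri = normalize_uri(packet["uri"])
    for key, val in options:
        if key == "flags" and not flags_match(val, packet["tcp_flags"]):
            return False
        if key == "uricontent" and val not in uri:
            return False
    return True


if __name__ == "__main__":
    header, options = parse_rule(NIMDA_RULE)
    print("layers inspected by sid %s:" % dict(options)["sid"], layers_inspected(header, options))
    for name, pkt in SAMPLE_PACKETS.items():
        print("%-15s %s -> %s" % (name, pkt["uri"], rule_matches(header, options, pkt)))
```

The output makes Andy's point concrete: the rule never mentions a MAC address or frame type, and every condition it evaluates lives at layer 3 (address variables), 4 (tcp, port 80, flags:A+) or 7 (uricontent). A scrubber can sit in line at layer 2 without an IP stack and still decide on layer 3-7 content; where the box sits on the wire and what it parses are two different questions.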



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:18 GMT-3