Looking to move forward in deploying IDS/IPS on several FreeBSD firewalls, and I was curious about the difference between Snort and Suricata. I know that Suricata is multi-threaded, but in terms of rule processing and other aspects of how they work, is there any real difference that should sway me to pick one or the other?
For a server in an offline environment, how would I download a package from http://pkg.openindiana.org/dev? (or the better known http://pkg.oracle.com)
There is an install link which downloads a p5i file, with machine-readable download information, but there is no HTTP URL to the downloadable package file(s) or the listing of files.
I'd like to block incoming TeamViewer connections to my network, but at the same time to allow outgoing TeamViewer connections.
So that users can't connect to their work PCs with TV (circumventing domain authentication), but at the same time could connect to clients' PCs to help fix problems.
Is it at all possible?
I'm trying to figure out how to bridge two VMware (Server or Workstation) or VirtualBox networks together with a Linux IDS/IPS system transparently inline between both the virtual networks. How do I accomplish this? I understand how to bridge two virtual networks together, but how do I make the Linux virtual machine sit between them and force traffic to go across the transparent bridge?
I would like to have something along the lines of:
vmnet a
various vms
host-only network
---->
inline linux box
vmnet a boxes forced to go through here to get to the internet
--->
vmnet b
network with internet access
configured as either NAT or bridged
-->
internet
I know that basically the Linux box needs two virtual NICs, one on vmnet a and one on vmnet b, but other than that, I don't know how to force all the traffic to go across the "transparent" bridging Linux box on its way to the internet. Do vmnet a and b have to be the same IP network with the same default route? Does vmnet a not have a default route while vmnet b has a default route? I've read in VMware forums that on the Linux host you need to change permissions on the vmnet files for promiscuous mode; is this true? How do you configure this scenario on a Windows box?
We have a Cisco ASA 5510 firewall with the IPS module installed.
We have a customer that we must connect to via VPN to their network to exchange files via FTP. We use the Cisco VPN client (version 5.0.01.0600) on our local workstations, which are behind the firewall and subject to the IPS.
The VPN client is successful in connecting to the remote site. However, when we start the FTP file transfer we are able to upload only 150K to 200K of data, then everything stops. A minute later the VPN session is dropped.
I think I have isolated this to an IPS issue by temporarily disabling the Service Policy on the ASA for the IPS with the following command:
access-list IPS line 1 extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 inactive
After this command was issued I then established the VPN to the remote site and was successful in transferring the entire file.
While still connected to the VPN and FTP session I issued the command to enable the IPS:
access-list IPS line 1 extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
The file transfer was tried again and was once again successful, so I closed the FTP session and reopened it, while keeping the same VPN session open. This file transfer was also successful. This told me that nothing with the FTP programs was being filtered or causing the problem. Furthermore, we use FTP to exchange files with many sites every day without issue.
I then disconnected the original VPN session, which was established when the access-list was inactive, and reconnected the VPN session, now with the access-list active. After starting the FTP transfer the file stopped after 150K.
To me this seems like the IPS is blocking, or somehow interfering with the initial VPN setup to the remote site.
This only started happening last week after the latest IPS signature updates were applied (sig version 407.0). Our previous sig version was 95 days old because the system was not auto-updating itself.
Any ideas on what could be causing this problem?