For many years used protect web servers and modest lab
250 Chapter 11 • Intrusion Prevention and Protection
If the Guard decides that the zone is really being attacked, it determines which traffic may be spoofed and drops all spoofed sources. It does this by a number of techniques, the most effective being TCP cookies or TCP SYN-cookies. With HTTP, it even spoofs an HTTP redirect to verify the authenticity of the sender. Obviously, if the source address is spoofed, this is a sure way to confirm it. The redirect will never happen!
For all other traffic (TCP, UDP, and IP), it drops anomalous sources (primarily based on rate) or imposes rate limits on them.
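The SYN-cookie check the text relies on works because a spoofed source never sees the SYN-ACK, so it can never return the ACK that proves the handshake. The following is an added illustration, not the Guard's implementation and not code from the book: a stateless listener that encodes a keyed MAC of the 4-tuple, a 5-bit time counter and an MSS index into the initial sequence number, and only allocates connection state when a fresh, valid ACK comes back. The secret, the MSS table, the counter widths and the addresses in the simulation are all constructed for the demo (81.2.94.81 is the web server address from the page's IPList).

```python
import hmac
import hashlib
import struct
import socket

# Constructed demo secret; a real stack rotates this and the counter over time.
SECRET = b"constructed-demo-secret-rotate-me"
MSS_TABLE = (536, 1300, 1440, 1460)   # the low 2 cookie bits select one of these
MAC_BITS = 25                          # bits 2..26 carry the keyed MAC
COUNTER_MASK = 0x1F                    # bits 27..31 carry a 5-bit time counter


def _mac(src, dst, sport, dport, counter):
    """Keyed MAC over the 4-tuple and counter, truncated to MAC_BITS bits."""
    msg = struct.pack("!4s4sHHB", socket.inet_aton(src), socket.inet_aton(dst),
                      sport, dport, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << MAC_BITS) - 1)


def syn_cookie(src, dst, sport, dport, mss, counter):
    """Initial sequence number for the SYN-ACK; costs no per-connection state."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i                     # largest table entry not above the client MSS
    counter &= COUNTER_MASK
    return (counter << 27) | (_mac(src, dst, sport, dport, counter) << 2) | idx


def check_syn_cookie(src, dst, sport, dport, ack, now_counter, max_age=2):
    """Return the encoded MSS if ack-1 is a fresh, valid cookie for this 4-tuple, else None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = (cookie >> 27) & COUNTER_MASK
    if ((now_counter - counter) & COUNTER_MASK) > max_age:
        return None                     # too old: cookie from a retired counter value
    expected = struct.pack("!I", _mac(src, dst, sport, dport, counter))
    got = struct.pack("!I", (cookie >> 2) & ((1 << MAC_BITS) - 1))
    if not hmac.compare_digest(expected, got):
        return None                     # forged or replayed for a different 4-tuple
    return MSS_TABLE[cookie & 0x3]


class CookieListener:
    """Server side of the handshake: state exists only after a valid ACK."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = {}           # (src, sport) -> negotiated MSS

    def on_syn(self, src, sport, mss, counter):
        # Answer every SYN, but remember nothing about it.
        return syn_cookie(src, self.addr, sport, self.port, mss, counter)

    def on_ack(self, src, sport, ack, counter):
        mss = check_syn_cookie(src, self.addr, sport, self.port, ack, counter)
        if mss is None:
            return False
        self.established[(src, sport)] = mss
        return True


def simulate_flood(n_spoofed=1000):
    """Constructed scenario: a flood of spoofed SYNs plus one real client."""
    srv = CookieListener("81.2.94.81", 80)
    # Spoofed SYNs: the SYN-ACKs go to hosts that never answer, so no state is created.
    for i in range(n_spoofed):
        fake_src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        srv.on_syn(fake_src, 40000 + (i % 20000), 1460, counter=7)
    # One legitimate client completes the handshake within the freshness window.
    isn = srv.on_syn("198.51.100.23", 51515, 1460, counter=7)
    ok_legit = srv.on_ack("198.51.100.23", 51515, isn + 1, counter=8)
    # An ACK forged without ever having seen the SYN-ACK fails the check.
    ok_forged = srv.on_ack("203.0.113.9", 5000, 0x12345678, counter=8)
    # Replaying the real cookie after the counter has moved on also fails.
    ok_stale = srv.on_ack("198.51.100.23", 51515, isn + 1, counter=12)
    return len(srv.established), ok_legit, ok_forged, ok_stale


if __name__ == "__main__":
    print(simulate_flood())             # (1, True, False, False)
```

The point to take from the simulation is the size of `established` after a thousand spoofed SYNs: one entry, for the client that could actually answer. The 5-bit counter and 2-bit MSS index are the usual price of SYN cookies, since TCP options that do not fit in the sequence number are lost.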
It can operate in a number of modes—notably both Layer 3 and Layer 2. However, at Layer 3 or 4, if you can live with your device having an IP
www.syngress.com
<interface eth1>
Type=linux_raw
Proto=Ethernet
Role=external
</interface>
# IPLists are just lists of IP addresses for specific processing
#
<IPList WebServers>
81.2.94.81
</list>
</routing>
################ end
Ethernet1 is defined as the outside interface and Ethernet0 the inside. Packets are simply forwarded across the bridge. The configuration file also shows that the default actions were (the configuration is long gone):
1. Tell the console.
The other great feature is the “mangle” feature, which allows you to alter packets more extensively:
<rule>
ip dst(WebServers)
tcp dst(80)
tcp nocase(cmd.exe)
</rule>
<rule>
ip dst(AllServers)
tcp nocase(/etc/passwd)
message=attempt to retrieve /etc/passwd
action=default
</rule>
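To make the rule syntax above concrete, here is an added example (not Hogwash's own code, and not from the book) of a small Python parser and matcher for configuration in the style shown: `<IPList name>` blocks closed by `</list>`, and `<rule>` blocks made of `proto keyword(argument)` tests plus `key=value` attributes. The semantics of the tests are assumed from the snippets on the page: `ip dst(X)` matches a destination in list X, `tcp dst(80)` matches the destination port, and `tcp nocase(s)` is a case-insensitive payload search. The `AllServers` list contents, the `drop` action, and the packets are constructed sample input.

```python
import re
from dataclasses import dataclass, field

# Constructed configuration in the page's style; AllServers membership is assumed.
CONFIG = """
<IPList WebServers>
81.2.94.81
</list>
<IPList AllServers>
81.2.94.81
81.2.94.82
</list>
<rule>
ip dst(WebServers)
tcp dst(80)
tcp nocase(cmd.exe)
message=cmd.exe request to a web server
action=drop
</rule>
<rule>
ip dst(AllServers)
tcp nocase(/etc/passwd)
message=attempt to retrieve /etc/passwd
action=default
</rule>
"""


@dataclass
class Rule:
    tests: list = field(default_factory=list)   # (proto, keyword, argument) triples
    attrs: dict = field(default_factory=dict)   # message=..., action=...


BLOCK_RE = re.compile(r"<(\w+)([^>]*)>\n(.*?)\n</\w+>", re.S)
TEST_RE = re.compile(r"^(ip|tcp|udp|icmp)\s+(\w+)\((.*)\)$")


def parse_config(text):
    """Return ({list name: set of IPs}, [Rule, ...]) from config text."""
    lists, rules = {}, []
    for tag, args, body in BLOCK_RE.findall(text):
        lines = [l.strip() for l in body.splitlines()
                 if l.strip() and not l.strip().startswith("#")]
        if tag == "IPList":
            lists[args.strip()] = set(lines)
        elif tag == "rule":
            rule = Rule()
            for line in lines:
                m = TEST_RE.match(line)
                if m:
                    rule.tests.append(m.groups())
                elif "=" in line:
                    k, v = line.split("=", 1)
                    rule.attrs[k.strip()] = v.strip()
                else:
                    raise ValueError(f"unparsed rule line: {line!r}")
            rules.append(rule)
        # other block types (interface, routing) are ignored here
    return lists, rules


def _test(test, pkt, lists):
    """Evaluate one rule test against a packet dict."""
    proto, kw, arg = test
    if proto != "ip" and pkt["proto"] != proto:
        return False                            # transport test on the wrong protocol
    if proto == "ip" and kw in ("src", "dst"):
        return pkt[kw] in lists.get(arg, {arg})  # list name, or a literal address
    if kw in ("src", "dst"):
        return pkt.get("dport" if kw == "dst" else "sport") == int(arg)
    if kw == "nocase":
        return arg.lower() in pkt.get("payload", "").lower()
    if kw == "content":
        return arg in pkt.get("payload", "")
    raise ValueError(f"unknown test {proto} {kw}")


def match(pkt, lists, rules):
    """First matching rule's (action, message), or None if nothing matches."""
    for rule in rules:
        if all(_test(t, pkt, lists) for t in rule.tests):
            return rule.attrs.get("action", "default"), rule.attrs.get("message", "")
    return None


# Constructed sample packets: two probes, one clean request, one UDP datagram.
PACKETS = [
    {"src": "203.0.113.5", "dst": "81.2.94.81", "proto": "tcp", "sport": 4321, "dport": 80,
     "payload": "GET /cgi-bin/CMD.EXE HTTP/1.0"},
    {"src": "203.0.113.5", "dst": "81.2.94.82", "proto": "tcp", "sport": 4322, "dport": 80,
     "payload": "GET /../../etc/passwd HTTP/1.0"},
    {"src": "203.0.113.5", "dst": "81.2.94.81", "proto": "tcp", "sport": 4323, "dport": 80,
     "payload": "GET /index.html HTTP/1.0"},
    {"src": "203.0.113.5", "dst": "81.2.94.81", "proto": "udp", "sport": 53, "dport": 53,
     "payload": "cmd.exe"},
]


def run(config=CONFIG, packets=PACKETS):
    lists, rules = parse_config(config)
    return [match(p, lists, rules) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, run()):
        print(pkt["dst"], pkt["proto"], "->", verdict)
```

Note that the fourth packet carries the string `cmd.exe` but is UDP, so the `tcp` tests cannot match it; a rule's tests are ANDed, and the protocol on each test is part of the condition.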
/usr/local/hw/rules/stock.rules -l /var/log/hogwash
■ Sending reset commands or killing processes
■ Dropping individual packets
Why Hogwash? Well, it’s an outstanding product that will give the reader with time on his hands an insight into the most exciting part of network security.