Wednesday, August 10, 2005

Bleeding Snort Hosts bait-and-switch Snort Enhancement

The Bleeding Snort project announced a new Snort preprocessor called bait-and-switch. It's currently available as a patch to Snort 2.4.0. Snort must be running in inline mode, and the current implementation is Linux-specific as it uses SNAT and DNAT features of IPTables.

bait-and-switch lets inline Snort users write rules that, when triggered, redirect the offending traffic. The idea is to send suspicious source IPs to another host (perhaps a honeypot) when their actions trigger specially designed rules. I think this is a novel idea but I do not see it being used in most production networks. Will Metcalf says his implementation is a rewrite of an idea by Jack Whitsitt (aka jofny) of Violating.us. I expect to see resources like this used in honeynets, research locations, and tightly-controlled, high-value networks where policies are defined well enough to justify triggering redirection.
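As an added illustration (not the preprocessor's own code, which the announcement does not show), here is the iptables DNAT/SNAT pair an inline Linux gateway would apply to redirect one flagged source to a honeypot. All addresses are constructed, and the SNAT on the return path is an assumption about how such a redirect is wired so that the honeypot's replies come back through the sensor; the announcement only says SNAT and DNAT are used.

```shell
#!/bin/sh
# Added example, not Bleeding Snort code. Emits (does not execute) the nat-table
# rules that redirect traffic from one flagged source to a honeypot, so the
# rules can be reviewed and logged before anything touches the gateway.
#
# Usage: bait_and_switch_rules SRC_IP ORIG_DST_IP HONEYPOT_IP GATEWAY_IP

# Reject anything that is not a dotted-quad address; a rule generator fed by
# sensor output must never pass arbitrary text into a shell command.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

bait_and_switch_rules() {
  src="$1" orig_dst="$2" honeypot="$3" gw="$4"
  for a in "$src" "$orig_dst" "$honeypot" "$gw"; do
    is_ipv4 "$a" || { echo "bad address: $a" >&2; return 1; }
  done
  # DNAT: packets from the flagged source aimed at the protected host are
  # rewritten to the honeypot before routing, so the source keeps talking to
  # what it believes is the original target.
  printf 'iptables -t nat -A PREROUTING -s %s -d %s -j DNAT --to-destination %s\n' \
    "$src" "$orig_dst" "$honeypot"
  # SNAT (assumed wiring): present the gateway as the source to the honeypot so
  # its replies route back through the inline sensor, where conntrack reverses
  # the translation, even if the honeypot segment has no route to the source.
  printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j SNAT --to-source %s\n' \
    "$src" "$honeypot" "$gw"
}

# Constructed sample: redirect 203.0.113.7 -> 198.51.100.10 onto honeypot 192.0.2.20
bait_and_switch_rules 203.0.113.7 198.51.100.10 192.0.2.20 198.51.100.1
```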

Update: Here's the original Sourceforge site.

1 comment:

Anonymous said...

I've found it's really particularly useful for content-based signatures...where you know tagged data of type A shouldn't cross gateways from Network1 to Network2. If it does, you have an issue and should re-route for a) protection and b) further monitoring..:)

-jofny