cipherdyne.org

Michael Rash, Security Researcher



ShmooCon Talk: Attack Detection and Response with Linux Firewalls

I will be giving a talk at ShmooCon entitled Attack Detection and Response with Linux Firewalls. Here is the talk description:

Most people think of iptables as a packet filtering and mangling firewall within the Linux kernel. Although this characterization is true, iptables also provides such a powerful set of features that it can assist in the detection and visualization of network-based attacks. Through the use of the Netfilter string match extension, packet application layer data can be examined and acted upon by iptables. The end result is that a significant percentage of Snort rules can be run directly within the Linux kernel via iptables, and a program called "fwsnort" automates the translation process from Snort rules to equivalent iptables rules. In addition, by combining the "psad" and "AfterGlow" projects, some stunning graphical representations of attacks can be generated due to the completeness of the Netfilter logging format. This talk will present advanced usages of fwsnort and psad, and new versions will be released at ShmooCon.
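To make the Snort-to-iptables translation concrete, here is an added example (written for this page; it is not fwsnort's code, which is not shown here) that turns a simple content-based Snort rule into an equivalent iptables LOG rule built on the Netfilter string match extension. The $HOME_NET mapping, the chain name and the "SIDnnnn " log prefix are assumptions for the example; fwsnort's real output differs in detail.

```python
import re
import shlex

# Constructed Snort variable map (an assumption for this example, not a fwsnort default).
VARS = {"$EXTERNAL_NET": "any", "$HOME_NET": "192.168.1.0/24"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)$")
# One Snort option: key, optional ':' value (quoted or bare), terminating ';'.
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("[^"]*"|[^;]*))?;')

def snort_to_iptables(rule, chain="FORWARD", variables=VARS):
    # Translate one content-based Snort rule into an iptables rule that LOGs matches.
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule header")
    h = m.groupdict()
    contents, nocase, sid = [], False, "0"
    for key, val in OPT_RE.findall(h["opts"]):
        val = val.strip('"')
        if key == "content":
            contents.append(val)
        elif key == "nocase":
            nocase = True
        elif key == "sid":
            sid = val
    if not contents:
        return None  # nothing for the string match extension to search for
    parts = ["iptables", "-A", chain, "-p", h["proto"]]
    for flag, val in (("-s", h["src"]), ("--sport", h["sport"]),
                      ("-d", h["dst"]), ("--dport", h["dport"])):
        val = variables.get(val, val)
        if val != "any":  # "any" means no -s/-d/--sport/--dport restriction
            parts += [flag, val]
    for c in contents:
        # Snort's |hex| byte notation maps onto --hex-string; plain text uses --string.
        parts += ["-m", "string", "--algo", "bm",
                  "--hex-string" if "|" in c else "--string", c]
        if nocase:
            parts.append("--icase")
    # Keep the Snort SID in the prefix so a log parser can tie a hit back to the rule
    # (LOG prefixes are limited to 29 characters).
    parts += ["-j", "LOG", "--log-prefix", "SID%s " % sid]
    return " ".join(shlex.quote(p) for p in parts)

# Constructed example rule in the style of the Snort web-misc ruleset.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd"; '
        'flow:to_server,established; content:"/etc/passwd"; nocase; sid:1122; rev:5;)')
```

Running `snort_to_iptables(RULE)` yields a single `iptables -A FORWARD -p tcp ... -m string --algo bm --string /etc/passwd --icase -j LOG ...` rule; Snort options the string extension cannot express (here, `flow`) are dropped, which is the main source of false positives when running signatures in the kernel this way.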

Update (12/09/2007): A video of my talk is available here, and slides can be downloaded as well.

If you are planning on attending ShmooCon, please stop by for a chat; the schedule is available here.