NetSQUID
Current Version: 1.4.2 - Released 8.10.2004
Implementation Details
Our setup
Feature List

Implementation Details:

The main NetSQUID process opens and tails the Snort alert log to learn which hosts are infected.  When an alert arrives, one of two things happens, depending on the NetSQUID configuration.  If NetSQUID is configured to block on classtype (the classification set in the Snort rule), the classification of the alerting rule is compared against the configured list and the host is blocked only if it matches.  If NetSQUID is configured to block on every alert (the default behaviour), the host is blocked for the configured time limit regardless of classification.  In either mode the exclude list of IPs that must never be blocked is honoured, so infrastructure such as DNS servers is protected; note that in the default mode a noisy or false-positive Snort rule will block hosts, so rule tuning or classtype mode is worth considering.

Once an infected host is blocked, all of its web traffic (port 80) is redirected to a webserver of our choice.  In our implementation that page carries links to clean-up tools, so in most cases the customer can remove the worm or virus without help from us.

NetSQUID can also send a WinPopUp message to the infected computer when the first alert for it is seen.  This alerts the user sooner if they are not running a web browser and so would not see the redirected page.  (This works only for Windows based clients.)

Once a host stops generating alerts, the countdown to automatic unblocking begins; each new alert restarts it, so a host is unblocked only after it has been quiet for the configured time limit.

Two kinds of logs are kept.  One lists the currently blocked hosts; the other is a permanent record of every host that has generated an alert.
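
The alert-handling loop described above, as an added example written for this page (it is not NetSQUID's own code): it parses constructed Snort alert_fast-style lines, honours an exclude list with CIDR support, applies either the block-on-every-alert default or a classtype list, keeps the current-block table and the permanent history, and restarts the countdown on every alert. The sample alerts, the 600-second limit, the 10.20.0.0/24 exclusion and the classification strings are assumptions for illustration; the matching is done on the Classification text as it appears in the log rather than on the rule's classtype keyword.

```python
import ipaddress
import re

# Snort "alert_fast"-style lines, constructed for this example (not real alerts).
SAMPLE_ALERTS = [
    "10/21/04-12:00:01.000000  [**] [1:100001:1] WORM scan [**] "
    "[Classification: Attempted User Privilege Gain] [Priority: 1] "
    "{TCP} 10.20.30.40:1234 -> 10.20.1.1:445",
    "10/21/04-12:00:02.000000  [**] [1:100002:1] Web probe [**] "
    "[Classification: Web Application Activity] [Priority: 3] "
    "{TCP} 10.20.30.41:2000 -> 10.20.1.2:80",
    "10/21/04-12:00:03.000000  [**] [1:100003:1] Noisy lookup [**] "
    "[Classification: Misc activity] [Priority: 3] "
    "{UDP} 10.20.0.53:53 -> 10.20.1.3:1025",
]

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[^\]]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"(?:\s+\[Priority:\s+\d+\])?"
    r"\s+\{\w+\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->"
)


def parse_alert(line):
    """Return (timestamp, classification, source IP, message) or None."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("cls"), m.group("src"), m.group("msg")


class Blocker:
    def __init__(self, block_seconds, block_classes=None, exclude=()):
        self.block_seconds = block_seconds
        # None means "block on every alert" (the default); otherwise only
        # alerts whose classification is in this set lead to a block.
        self.block_classes = set(block_classes) if block_classes is not None else None
        self.exclude = [ipaddress.ip_network(n, strict=False) for n in exclude]
        self.blocked = {}    # current blocks: ip -> time at which the block expires
        self.history = []    # permanent record of every alerting host

    def is_excluded(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.exclude)

    def process(self, line, now):
        parsed = parse_alert(line)
        if parsed is None:
            return "unparsed"
        ts, cls, src, msg = parsed
        self.history.append((ts, src, cls, msg))
        if self.is_excluded(src):
            return "excluded"
        if self.block_classes is not None and cls not in self.block_classes:
            return "ignored"
        renewed = src in self.blocked
        # Every alert restarts the countdown, so the host is unblocked
        # only after block_seconds without any alerts.
        self.blocked[src] = now + self.block_seconds
        return "renewed" if renewed else "blocked"

    def expire(self, now):
        """Unblock hosts whose countdown has run out; return their IPs."""
        expired = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in expired:
            del self.blocked[ip]
        return expired


def run_sample(block_classes=None):
    """Feed the constructed alerts through a Blocker (600 s limit, 10.20.0.0/24 excluded)."""
    b = Blocker(block_seconds=600, block_classes=block_classes, exclude=["10.20.0.0/24"])
    results = [b.process(line, now=1000 + i) for i, line in enumerate(SAMPLE_ALERTS)]
    return b, results


if __name__ == "__main__":
    blocker, outcomes = run_sample()
    for line, outcome in zip(SAMPLE_ALERTS, outcomes):
        print(outcome, parse_alert(line)[2])
    print("expired after 700 s:", blocker.expire(1000 + 700))
```

A real daemon would call expire() from a timer thread and hand each newly blocked or expired host to the firewall; the Snort log line format varies between output plugins, so the regex is the part to adapt.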

NetSQUID can also start a thread that periodically sends out DHCP address requests.  If you have a Snort rule that alerts on DHCP address offers from any server other than the authorized ones, NetSQUID can then block rogue DHCP servers.  It can also send an email when a rogue server is detected, which allows for more immediate action against it.
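
As an added example (not NetSQUID's or Snort's own code) of the check the Snort rule performs in the rogue-DHCP feature above: the block builds constructed BOOTP/DHCP packets, parses the fixed header and the option list, and flags any OFFER whose server identifier (option 54, falling back to siaddr) is not in an assumed authorized-server set. The addresses, the transaction ID and the single authorized server are assumptions for illustration.

```python
import ipaddress
import struct

# Authorized DHCP server addresses (assumed for this example).
AUTHORIZED_DHCP_SERVERS = {"10.20.0.2"}

BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # the 236-byte fixed BOOTP header
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_DISCOVER, DHCP_OFFER = 1, 2
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_LEASE, OPT_END = 53, 54, 51, 255


def build_dhcp_packet(msg_type, server_ip, yiaddr, xid=0x3903F326):
    """Construct a minimal DHCP packet (test data for this example, not a capture)."""
    op = 1 if msg_type == DHCP_DISCOVER else 2       # BOOTREQUEST / BOOTREPLY
    hdr = struct.pack(
        BOOTP_HDR, op, 1, 6, 0, xid, 0, 0,
        b"\0" * 4,                                      # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,           # yiaddr: offered address
        ipaddress.IPv4Address(server_ip).packed,        # siaddr: next server
        b"\0" * 4,                                      # giaddr
        bytes.fromhex("001122334455"),                  # chaddr (struct pads to 16)
        b"", b"",                                       # sname, file (zero padded)
    )
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if msg_type != DHCP_DISCOVER:
        opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
    opts += bytes([OPT_LEASE, 4]) + struct.pack("!I", 3600) + bytes([OPT_END])
    return hdr + MAGIC_COOKIE + opts


def parse_dhcp(packet):
    """Parse the BOOTP header and the DHCP option list into a dict."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    f = struct.unpack(BOOTP_HDR, packet[:236])
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": f[0], "xid": f[4],
        "yiaddr": str(ipaddress.IPv4Address(f[8])),
        "siaddr": str(ipaddress.IPv4Address(f[9])),
        "chaddr": f[11][:f[2]].hex(),
        "options": options,
    }


def classify_offer(packet, authorized=AUTHORIZED_DHCP_SERVERS):
    """Return (server_ip, is_rogue) for a DHCP OFFER, or None for any other message."""
    d = parse_dhcp(packet)
    if d["op"] != 2 or d["options"].get(OPT_MSG_TYPE) != bytes([DHCP_OFFER]):
        return None
    sid = d["options"].get(OPT_SERVER_ID)
    server_ip = str(ipaddress.IPv4Address(sid)) if sid else d["siaddr"]
    return server_ip, server_ip not in authorized


if __name__ == "__main__":
    for label, pkt in [
        ("offer from authorized server", build_dhcp_packet(DHCP_OFFER, "10.20.0.2", "10.20.3.77")),
        ("offer from unknown server", build_dhcp_packet(DHCP_OFFER, "10.20.5.99", "10.20.3.77")),
        ("our own discover", build_dhcp_packet(DHCP_DISCOVER, "0.0.0.0", "0.0.0.0")),
    ]:
        print(label, "->", classify_offer(pkt))
```

A rogue server can put an authorized address in option 54, so a production check should also compare the IP and MAC that actually sent the offer (taken from the captured frame) against the authorized list, which is exactly what a Snort rule keyed on the packet's source fields does.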

Other...

  • Sample Config
  • Exclude list (of IPs that should never be blocked)
  • Syslog logging - of restart/shutdown/start of daemon
  • Reread of config etc via SIGHUP
  • IPTables ruleset
    • Allows traffic to/from all or specified DNS servers
    • Ability to not redirect traffic to/from a specific webserver
    • Block rule for the 'infected' host
    • Redirection rule for the 'infected' host web traffic (port 80)
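
The per-host IPTables ruleset listed above, rendered as an added example (this is not the ruleset NetSQUID itself emits, which the page does not reproduce): a Python function returns the iptables commands, in order, for one infected host, covering DNS to all or to specified servers, web servers that are never redirected, the port-80 DNAT to the notification server, and the block rules, plus the matching delete commands for unblocking. The addresses are assumptions, and the rules assume the NetSQUID box forwards the infected host's traffic (FORWARD chain and nat PREROUTING).

```python
def block_rules(infected, web_server, dns_servers=None, no_redirect=()):
    """Return the iptables commands (in order) that block one infected host.

    dns_servers=None allows DNS to any server; a list restricts it to those.
    no_redirect lists web servers whose port-80 traffic must pass untouched.
    """
    rules = []
    # 1. DNS: the redirected user still has to resolve the clean-up server.
    for dns in (dns_servers if dns_servers is not None else [None]):
        to = f" -d {dns}" if dns else ""
        frm = f" -s {dns}" if dns else ""
        rules.append(f"iptables -A FORWARD -s {infected}{to} -p udp --dport 53 -j ACCEPT")
        rules.append(f"iptables -A FORWARD{frm} -d {infected} -p udp --sport 53 -j ACCEPT")
    # 2. Web servers reachable as-is: the notification server itself and
    #    any configured exceptions. ACCEPT in nat PREROUTING skips the DNAT.
    for host in (web_server, *no_redirect):
        rules.append(f"iptables -t nat -A PREROUTING -s {infected} -d {host} -p tcp --dport 80 -j ACCEPT")
        rules.append(f"iptables -A FORWARD -s {infected} -d {host} -p tcp --dport 80 -j ACCEPT")
        rules.append(f"iptables -A FORWARD -s {host} -d {infected} -p tcp --sport 80 -j ACCEPT")
    # 3. Redirect every other web request from the host to the notification page.
    #    After DNAT the packet's destination is web_server, which step 2 accepts.
    rules.append(f"iptables -t nat -A PREROUTING -s {infected} -p tcp --dport 80 "
                 f"-j DNAT --to-destination {web_server}:80")
    # 4. Drop everything else in both directions. Must come after the ACCEPTs.
    rules.append(f"iptables -A FORWARD -s {infected} -j DROP")
    rules.append(f"iptables -A FORWARD -d {infected} -j DROP")
    return rules


def unblock_rules(rules):
    """The delete (-D) form of the same rules, in reverse order."""
    return [r.replace(" -A ", " -D ", 1) for r in reversed(rules)]


if __name__ == "__main__":
    # Assumed addresses: infected client, notification server, DNS server, one exception.
    for cmd in block_rules("10.20.30.40", "10.20.0.10",
                           dns_servers=["10.20.0.53"], no_redirect=["10.20.0.11"]):
        print(cmd)
```

Because the commands append (-A), they only take effect if nothing earlier in FORWARD already accepts the host's traffic; a daemon that manages many hosts would normally put them in a dedicated chain jumped to at the top of FORWARD, and would run the unblock list when the countdown expires or on the SIGUSR1 state dump/restore.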

Our Setup

  • Slackware Linux v9.1
  • Linux Kernel 2.6.3
  • Local webserver for redirection and notification
    • CGI scripts that display the information about currently blocked hosts, to both the blocked host and the help desk
  • Snort v2.x.x
  • System Specs
    • Intel Gig Ethernet cards
    • 2Ghz Intel Celeron CPU
    • 512MB Ram
    • 40GB Hard drive

Feature List

_Stable_
  • Allow traffic to/from specified DNS servers
  • Not redirect port 80 for a specified host
  • Dump/Keep state on restart (via SIGUSR1)
  • Block based on rule classification
  • Exclude IP list
  • Exclude IP list (CIDR support)
  • Redirect Web Traffic
  • Block Traffic from a host
  • Rogue DHCP server discovery
  • Email alert on DHCP server discovery
  • Definable time limit for block
  • Logs for currently blocked host
  • History logs for each blocked host
  • Multi-threaded
  • Run as a daemon or in foreground
Additional features in _Working_ (under development)
  • WinPopUp Notification
  • Preprocessor Blocking
  • Passing of HTTP and HTTPS traffic to defined servers
  • Option of redirecting HTTPS and/or HTTP traffic
  • Option of not allowing DNS traffic


netsquid@net.tamu.edu
Last Update: 10/21/2004