F.A.Q
- What does NetSQUID mean?
- Who is involved/contributed to this thing?
- How do I update the Signatures so I can catch new/better worms?
- Where can I get the rules that you use?
- Writing CGI scripts isn't fun, can I have yours?
- What kind of hardware should I use?
- How is this currently deployed at TAMU?
- Why does this only work on Linux?
Answers
- What does NetSQUID Mean?
Well, we really like squids, and I suspect even networks need them.
Actually it means Network Security QUarantine/Isolation Device. Fancy
huh?
- Who is involved/contributed to this thing?
There are many people that have made this possible, from coding to naming,
to pointing out spelling mistakes and coding mistakes. Here is a list
in no particular order.
- Ellen Mitchell
- R. Tyler Ballance
- splunty
- Mark Nipper
- Mike Sconzo
- Dave Duchscher
- Daryl Hawkins
- Kristen Kubenka
- How do I update the Signatures so I can catch new things?
It's simple. Just add them to the rules file(s) that you are
currently using for Snort. Chances are they are in a
'something.rules' file. If I helped in any way they are probably in
/usr/local/snort/rules/local.rules. There are also a number of
tools for Snort that can be used to manage rules; Oinkmaster is a
popular one. Then just -HUP the snort process with something
similar to "kill -HUP `cat /var/run/snort_'interface'.pid`", where
'interface' is the interface that Snort instance listens on.
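The procedure above, as an added example that is not part of NetSQUID's own scripts: append a rule to local.rules (skipping exact duplicates) and then HUP the Snort process for an interface, but only after "snort -T" confirms the configuration still parses, since a rule that fails to parse makes the restarted Snort exit and leaves the bridge unmonitored. The file paths, the PIDDIR override and the sample rule's sid are assumptions.

```shell
#!/bin/sh
# Added example, not NetSQUID's own code. Defaults are assumptions and can
# be overridden from the environment.
RULES_FILE="${RULES_FILE:-/usr/local/snort/rules/local.rules}"
SNORT_CONF="${SNORT_CONF:-/usr/local/snort/etc/snort.conf}"
SNORT_BIN="${SNORT_BIN:-snort}"
PIDDIR="${PIDDIR:-/var/run}"

# Pid file for one Snort instance, matching the FAQ's
# "kill -HUP `cat /var/run/snort_<interface>.pid`" convention.
snort_pidfile() {
    printf '%s/snort_%s.pid\n' "$PIDDIR" "$1"
}

# Append a rule line unless an identical line already exists, so re-running
# a deployment script does not duplicate signatures. Returns 1 if skipped.
add_rule() {
    rule=$1
    if grep -qxF -- "$rule" "$RULES_FILE" 2>/dev/null; then
        echo "rule already present, not adding" >&2
        return 1
    fi
    printf '%s\n' "$rule" >> "$RULES_FILE"
}

# Parse-check the configuration (snort -T) before signalling, then HUP the
# live process for the given interface. Non-zero return means nothing was
# reloaded, and the reason was printed to stderr.
reload_snort() {
    iface=$1
    pidfile=$(snort_pidfile "$iface")
    "$SNORT_BIN" -T -c "$SNORT_CONF" -i "$iface" >/dev/null 2>&1 || {
        echo "snort -T failed: not reloading, fix $RULES_FILE first" >&2
        return 2
    }
    [ -r "$pidfile" ] || { echo "no pid file at $pidfile" >&2; return 3; }
    pid=$(cat "$pidfile")
    kill -0 "$pid" 2>/dev/null || { echo "pid $pid is not running" >&2; return 4; }
    kill -HUP "$pid"
}

# Example usage (constructed local rule; sid 1000001 is an assumption):
# add_rule 'alert tcp any any -> any 445 (msg:"LOCAL SMB probe"; sid:1000001; rev:1;)'
# reload_snort eth0
```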
- Where can I get the rules that you use?
At some point I hope to have the rules that we use posted here.
But for now you can try several websites that I personally like:
Update: Our rule file is now available here.
- Writing CGI scripts isn't fun, can I have yours?
Sure! I'm cleaning them up and making them a bit more generic,
but they will be available for download, soon, I promise.
- What kind of hardware should I use?
We are currently using a setup that will handle about 400mb (give or take):
- Intel Gig Ethernet cards
- 2Ghz Intel Celeron CPU
- 512MB Ram
- 40GB Hard drive
All that in a handy 14" deep 1u rackmountable case for about
$650.00 USD. It's a SuperMicro box, if you would like to know
more about who we purchase them from
email us.
- How is this currently deployed at TAMU?
Currently, we have around 50 boxes in production. They sit as a
bridging firewall (this means they are inline), and usually on the
'subnet' side of the default gw (router). So it looks like this...
[Router] --- [NetSQUID] --- [||||||](switches for subnet)
They are managed via an SSH script that allows easy deployment of
system files, etc. There are also a few local apps that allow some
kind of information gathering (so we can check on process information,
see stats, and system info).
- Why does this only work with Linux?
We are currently using Linux because a Perl library is available
that lets us manipulate the iptables rules in memory. This means we
can save time and speed things up by not making a bunch of external
calls to programs.
netsquid@net.tamu.edu
Last Update: 10/21/2004