- Hexxagonal, on 10/12/2007, -0/+16: VB isn't exactly the language I would choose for a layer 2 packet filter...
- Zjm7891, on 10/12/2007, -1/+5: Nifty idea. Sounds similar to a hardware firewall except it doesn't interrupt the flow of packets... now the major question is what type of networking latency does this cause?
- carguy84, on 10/12/2007, -1/+5: Me either.
But a side note, I have a Sonicwall TZ170, it cost like $400 or so, but when I turn on deep packet inspection, my bandwidth gets throttled from 10 Mbps down to 3 Mbps. I'd be wary of running this OSS IPS without first testing it on a fast connection. I didn't notice for like 3 months that my bandwidth was cut into thirds.
FWIW,
Chip
- alterself, on 10/12/2007, -0/+4: yes...yes you can...
...but this software claims to be able to filter at level 2 of the OSI. More detailed reading necessary...back later. :)
- prose, on 10/12/2007, -0/+3: Can't you just set up a Snort IDS in promisc mode with low setting reactive modules?
- jimmyblake, on 10/12/2007, -0/+2: I used to work for one of the leading commercial IPS providers and I still have my testing rig set up, if I get a second I'll test the latency and report back. The latency on our box was at most about 210 microseconds, but that took a lot of bespoke code, ASICs and network processors. I'm curious to see the performance here.
- diecastbeatdown, on 10/12/2007, -0/+2: ah, hogwash. it was a great program back when, and glad it is getting picked up again. the support does not seem to be there as it was before but in time that could change. i mentioned snort-inline above which is relatively speaking the same thing but there is a lot of support already in place and you can use existing snort IDS rules, you just have to tweak them a bit for IPS.
- diecastbeatdown, on 10/12/2007, -0/+2: you would use snort-inline and iptables along with network bridging. sounds like a bit much to get into but it is really simple after you get your hands on it. there is a ready-made package at honeynet.org or you can roll your own simply enough.
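The snort-inline, iptables and bridging setup described in the comment above, as an added example that is not part of the original thread or of the HLBR, snort-inline or honeynet.org projects. It assumes a Linux box with bridge-utils, iptables with the ip_queue module and snort_inline installed; the interface names, config path and log directory are assumptions, and setting RUN=echo prints the commands instead of executing them.

```shell
#!/bin/sh
# Transparent inline IPS: two NICs bridged at layer 2, every forwarded frame
# handed to snort_inline through the iptables QUEUE target. (Added example;
# names below are assumptions, not values from the thread.)
set -eu

BRIDGE=${BRIDGE:-br0}
IF_OUT=${IF_OUT:-eth0}   # side facing the upstream router (assumption)
IF_IN=${IF_IN:-eth1}     # side facing the protected segment (assumption)
RUN=${RUN:-}             # RUN=echo for a dry run that only prints the commands

# Build the bridge with no IP address of its own, so the box has no layer 3
# presence and simply passes frames between the two ports.
setup_bridge() {
  $RUN brctl addbr "$BRIDGE"
  $RUN brctl addif "$BRIDGE" "$IF_OUT"
  $RUN brctl addif "$BRIDGE" "$IF_IN"
  $RUN ip link set "$IF_OUT" up
  $RUN ip link set "$IF_IN" up
  $RUN ip link set "$BRIDGE" up
}

# Make bridged frames traverse iptables, then queue everything in FORWARD to
# userspace. With nothing listening on ip_queue the kernel drops queued
# packets, so the segment fails closed until snort_inline is running.
setup_queue() {
  $RUN modprobe ip_queue
  $RUN sysctl -w net.bridge.bridge-nf-call-iptables=1
  $RUN iptables -A FORWARD -j QUEUE
}

# -Q selects inline mode; the rules in the config decide drop/pass per packet.
start_ips() {
  $RUN snort_inline -Q -c /etc/snort_inline/snort_inline.conf \
      -l /var/log/snort_inline
}

# Apply only when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "apply" ]; then
  setup_bridge
  setup_queue
  start_ips
fi
```

Run with `RUN=echo sh inline-ips.sh apply` first to review the exact commands before running them for real as root.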
- socket, on 10/12/2007, -0/+2: I'm sure you would be taken really seriously by a corporation calling the IDS a "proggie". roflcopter.
- helfire, on 10/12/2007, -0/+2: carguy84: This, like snort, will watch a network trunk and have no interaction with the network really, just watches what goes by, and say you have 100 Mbps going by, it won't be able to catch everything but will see most. It sits off to the side of your network, not inline.
- partialinfinity, on 10/12/2007, -0/+1: Hahah... nice icon. I mean, I realize that I stole it from somewhere originally but at least I modified it a bit.
- PantherX, on 10/12/2007, -1/+2: I actually sent the guy an email asking about this. Will reply if I find out.
- soulrubble, on 10/12/2007, -0/+1: Seems like the most secure way to implement an IPS would be to assume that all traffic was malicious by default, but detect *benign* traffic based on signatures. You'd sleep better at night knowing there was no possibility of a 0-day exploit raining on your parade.
- inactive, on 10/12/2007, -0/+1: PITA and security are directly proportional.
- helfire, on 10/12/2007, -0/+1: It would cause no network latency because it isn't "inline" on your network, it just watches what goes by the network segment. Kinda like watching cars go by on a highway: you watching them has no effect on their speed.
- socket, on 10/12/2007, -0/+1: You'd also spend most of your day looking at piles of false positives. Not a constructive use of time I would imagine.
- Zephyrspecial, on 10/12/2007, -0/+1: It would be quite secure, but also likely a PITA. Every time you want to do something new, you have to create a new signature. There are definitely applications where that level of security would be valuable, though, so thanks for the idea.
- windhawk, on 10/12/2007, -0/+0: Hey partialinfinity, mine's been modified too. Can't you see the third black pixel from the corner? It's been cryptographically altered :-)
- chemokid, on 10/12/2007, -0/+0: How completely weird is this? A quote from their website: "To see an example of rule with regular expressions, click here." By clicking "here" it shows you this GIF: http://hlbr.sourceforge.net/hlbr-rule-1.gif
Is there any particular reason why someone would feel the need to link to a screenshot of example text?? Pre tags work wonders.
- iball, on 10/12/2007, -0/+0: There are certain "networks" on the planet today that actually DO "deny all, permit by signature" with inline IDS.
And U.S. tax dollars are paying for it. Be glad they are.
- v3xt0r, on 10/12/2007, -1/+1: LOL, good luck!
- robche, on 10/12/2007, -1/+1: i agree, anyone using this feeling any latency?
- windhawk, on 10/12/2007, -1/+0: As in a firewall: deny all unless specifically permitted.
- windhawk, on 10/12/2007, -1/+0: Just usin' my hax0rly lingo ;-) In real life I moonlight as a semi-serious security pro-fessional. I'm even paper-trained!
- jafojsharp, on 10/12/2007, -5/+3: Yeah, slows the connection down to 1.1 gigawatts compared to my uhhhh... NM, I just need some beer, a banana, and some other junk in this food processor thingy and I'll be back in business again.
- Zeerus, on 10/12/2007, -5/+3: A friend of mine has been looking for a similar program, and he even plans on creating his own using Visual Basic, this may save him some time. Great link, and a great tool.
- jnorris441, on 10/12/2007, -10/+8: But only if you reverse the polarity of the flux capacitors and bypass the auxiliary data node parameters. Then you need to amplify the primary modulator for parallel induction.
- signal15, on 10/12/2007, -2/+0: This looks quite interesting. Now someone just needs to whack a pretty web GUI on it and add some reporting capabilities.
- Dohko_Xar, on 10/12/2007, -6/+3: FYI, there is no such thing as a "hardware" firewall.
- windhawk, on 10/12/2007, -3/+0: Anyone actually USING this proggie care to comment on its usability, performance, functionality, viability of sigs, and how this particular proggie actually behaves in the real world? I've seen corps spend beaucoup bucks on IntruShields and I still don't like how broadly the sigs behave. I'd like to see an accurate IPS more than I'm interested in a really fast (but inaccurate) IPS. Thoughts?
- Rickard, on 10/12/2007, -16/+6: Edit: I'm a moron. Ignore me.