Firewall Wizards mailing list archives

IDS & Automated Response


From: "Aaron D. Turner" <aturner () vicinity com>
Date: Fri, 17 Mar 2000 13:57:40 -0800 (PST)


As many of you probably read, Lance Spitzner released a new version of
his alert.sh for Firewall-1, and included a copy of my enhanced
version of the script in the examples directory.  I'm planning on
making a number of further enhancements to the reporting (including
SNMP trap support) as well as providing even more control over
automated response.

Now, this enhanced script isn't for everyone.  I'm working on the
documentation right now so that it isn't as confusing, but there is
still the very good chance of someone misconfiguring it in a way
which leaves you open to a denial of service attack.  If you don't
already understand why automated response systems can cause a DoS then
this script definitely isn't for you.

However, if you find this sort of thing interesting or potentially
useful in your environment as a free alternative to more expensive
products such as ISS, please contact me.  Right now I'm looking for
ideas to make the script better, testers, as well as making decisions
regarding the script itself (like should it stay a shell script or
should I port it to Perl).  I'd appreciate anyone's input in this
matter.

Probably best to email me directly rather than to the list.

-- 
Aaron Turner        aturner () vicinity com  650.237.0300 x252
Security Engineer                         Vicinity Corp.        
Cell: 408-314-9874                        http://www.vicinity.com
