IDS mailing list archives
RE: Active response... some thoughts.
From: "Gonzalez, Albert" <albert.gonzalez () eds com>
Date: Mon, 3 Feb 2003 13:50:41 -0500
Blocking isn't just sending TCP RSTs or the various other methods. Some solutions (hogwash comes to mind) will just drop the packet. Others like SnortSam or Snort-inline will add firewall rules to drop the packet. Since the three solutions I mentioned use snort and snort can understand UDP, ICMP, you can drop those packets that trigger a pre-defined criteria (pattern). I don't know of a solution that can add ACLs to routers (though, I haven't looked for any).

SnortSam and Snort-inline can both talk to IPtables; iptables can just simply drop packets without having to send a RST or anything of that nature. Is this what you were looking for? (It's a fw though, not a router like you stated.)

Cheers!

Alberto Gonzalez
"Can you tell I only play with FREE stuff? <g>"

--
The secret to success is to start from scratch and keep on scratching.

-----Original Message-----
From: Chris Travers [mailto:chris () travelamericas com]
Sent: Friday, January 31, 2003 1:23 PM
Cc: focus-ids () securityfocus com
Subject: Re: Active response... some thoughts.

Hi--

I had an additional idea relating to quasi-active response. For example-- An IDS could have hooks into a router's filtering tables in order to temporarily ban that IP address. This has the advantage of the RST in that all inbound traffic from the attacker would be stopped, but would create less traffic on the gateway than a RST would. Additionally this could also be used against connectionless protocols such as UDP and ICMP. It is more flexible, could be implemented on a timer to minimize the damage of false alarms, etc.

Best Wishes,
Chris
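The timer-based ban Chris proposes and the iptables-based dropping Albert describes, sketched as an added example in Python (this is not code from SnortSam, Snort-inline or anyone in the thread). TimedBlocker, the NEVER_BLOCK protect-list and the alert addresses are constructed for the illustration, and the iptables commands are only generated, never executed.

```python
"""Timed IDS-to-firewall block list: a sketch of the 'ban on a timer' idea
from the thread. An alert DROPs the attacker's source address; the rule
expires on its own so a false alarm costs minutes rather than a lasting
outage. iptables commands are generated, not run (dry-run), so it runs
anywhere. TimedBlocker and NEVER_BLOCK are this example's names, not SnortSam's."""
from dataclasses import dataclass, field
import ipaddress

# Constructed protect-list: never auto-block gateways, resolvers or monitoring hosts.
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("192.0.2.53/32")]


@dataclass
class TimedBlocker:
    ttl: int = 600                                # seconds a ban stays in place
    active: dict = field(default_factory=dict)    # ip -> expiry timestamp
    commands: list = field(default_factory=list)  # iptables commands that would run

    def _protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in NEVER_BLOCK)

    def alert(self, src_ip, now):
        """Handle an IDS alert seen at time `now`; True if a ban was (re)armed."""
        if self._protected(src_ip):
            return False
        if src_ip not in self.active:
            # One address-level rule covers TCP, UDP and ICMP alike, unlike a
            # TCP RST, which only tears down the single TCP session.
            self.commands.append(f"iptables -I INPUT -s {src_ip} -j DROP")
        self.active[src_ip] = now + self.ttl     # repeat alerts extend the ban
        return True

    def expire(self, now):
        """Drop bans whose timer ran out; returns the released addresses."""
        released = [ip for ip, until in self.active.items() if until <= now]
        for ip in released:
            del self.active[ip]
            self.commands.append(f"iptables -D INPUT -s {ip} -j DROP")
        return released


def run_demo():
    """Constructed alert stream: (seconds, source IP). Returns blocker and releases."""
    alerts = [(0, "198.51.100.7"), (120, "198.51.100.7"), (300, "10.0.0.1"), (400, "203.0.113.9")]
    blocker = TimedBlocker(ttl=600)
    for when, ip in alerts:
        blocker.alert(ip, when)
    at_700 = blocker.expire(700)   # 198.51.100.7 expires at 720: still banned
    at_800 = blocker.expire(800)   # now released; 203.0.113.9 lasts until 1000
    return blocker, at_700, at_800
```

Wiring this to a real sensor would mean calling alert() from the IDS output plugin and expire() from a periodic job, and replacing the dry-run command list with a privileged executor.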
Current thread:
- RE: Active response... some thoughts. Brian Laing (Feb 03)
- <Possible follow-ups>
- Re: Active response... some thoughts. Chris Travers (Feb 03)
- Re: Active response... some thoughts. Scott Wimer (Feb 05)
- Re: Active response... some thoughts. Thomas H. Ptacek (Feb 05)
- Re: Active response... some thoughts. Chris Travers (Feb 05)
- RE: Active response... some thoughts. Pete Herzog (Feb 06)
- RE: Active response... some thoughts. Gonzalez, Albert (Feb 05)
- RE: Active response... some thoughts. Rob McMillen (Feb 06)
- Re: Active response... some thoughts. Ali Saifullah Khan (Feb 05)
- RE: Active response... some thoughts. Abe L. Getchell (Feb 06)
- Re: Active response... some thoughts. fr0ck9 (Feb 05)
- RE: Active response... some thoughts. Rob Shein (Feb 07)
- RE: Active response... some thoughts. Ralph Los (Feb 07)
- Re: Active response... some thoughts. SecurityFocus (Feb 10)
- RE: Active response... some thoughts. Ralph Los (Feb 07)
- Re: Active response... some thoughts. andre (Feb 08)
- Re: Active response... some thoughts. Frank Knobbe (Feb 10)
- Re: Active response... some thoughts. andre (Feb 08)