IDS mailing list archives

RE: Active response... some thoughts.


From: "Gonzalez, Albert" <albert.gonzalez () eds com>
Date: Mon, 3 Feb 2003 13:50:41 -0500

Blocking isn't just sending TCP RSTs or the various other methods. Some
solutions (hogwash comes to mind) will just drop the packet. Others like
SnortSam or Snort-inline will add firewall rules to drop the packet. Since
the three solutions I mentioned use snort and snort can understand UDP and
ICMP, you can drop those packets that trigger a pre-defined
criteria (pattern). I don't know of a solution that can add ACLs to routers
(though, I haven't looked for any).

SnortSam and Snort-inline can both talk to iptables; iptables can just
simply drop packets without having to send a RST or anything of that
nature. Is this what you were looking for? (It's a fw though, not a router
like you stated.)

Cheers!
  Alberto Gonzalez

"Can you tell I only play with FREE stuff? <g>"

--
The secret to success is to start from scratch and keep on scratching.


-----Original Message-----
From: Chris Travers [mailto:chris () travelamericas com]
Sent: Friday, January 31, 2003 1:23 PM
Cc: focus-ids () securityfocus com
Subject: Re: Active response... some thoughts.


Hi--

I had an additional idea relating to quasi-active response.  For example--

An IDS could have hooks into a router's filtering tables in order to
temporarily ban that IP address.  This has the advantage of the RST in
that all inbound traffic from the attacker would be stopped, but would
create less traffic on the gateway than a RST would.  Additionally this
could also be used against connectionless protocols such as UDP and ICMP.

It is more flexible, could be implemented on a timer to minimize the
damage of false alarms, etc.

Best Wishes,
Chris
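The two messages above describe the same mechanism from two sides: the IDS hands a source address to a packet filter (iptables, in Albert's reply) so that every protocol from that host is dropped, and the ban runs on a timer (Chris's suggestion) so a false alarm only costs a bounded outage. The following is an added example written for this archive page; it is not code from the thread, from SnortSam, Snort-inline or hogwash. It parses constructed Snort-style "fast" alert lines, counts alerts per source, and emits the iptables commands that would insert and later remove a DROP rule. Two safeguards that practitioners usually want are built in: an allowlist of networks that must never be blocked (so a spoofed alert cannot make the IDS cut off your own DNS or management hosts) and an alert threshold above one. The sample alerts, addresses and the allowlist are made up; the script returns the firewall commands as strings rather than executing them.

```python
"""Timed IDS block list: turn Snort-style alerts into expiring iptables DROP rules.

Added example for the focus-ids thread on active response. All addresses
and alert lines below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample alerts in Snort's single-line "fast" alert format.
SAMPLE_ALERTS = [
    '02/03-13:50:41.000001  [**] [1:1000001:1] EXAMPLE scan probe [**] [Priority: 2] {TCP} 198.51.100.23:4455 -> 192.0.2.10:22',
    '02/03-13:50:42.000002  [**] [1:1000001:1] EXAMPLE scan probe [**] [Priority: 2] {TCP} 198.51.100.23:4456 -> 192.0.2.10:23',
    '02/03-13:50:43.000003  [**] [1:1000002:1] EXAMPLE udp flood [**] [Priority: 2] {UDP} 203.0.113.7:53 -> 192.0.2.10:53',
    '02/03-13:50:44.000004  [**] [1:1000003:1] EXAMPLE icmp sweep [**] [Priority: 3] {ICMP} 10.0.0.5 -> 192.0.2.10',
]

# Protocol, source and destination; the port suffix is optional because ICMP alerts carry none.
ALERT_RE = re.compile(r'\{(?P<proto>TCP|UDP|ICMP)\}\s+(?P<src>[0-9.]+)(?::\d+)?\s+->\s+(?P<dst>[0-9.]+)')


def block_rule(src):
    """A source-address DROP covers TCP, UDP and ICMP alike, which is the point made in the thread."""
    return f'iptables -I INPUT -s {src} -j DROP'


def unblock_rule(src):
    return f'iptables -D INPUT -s {src} -j DROP'


@dataclass
class BlockManager:
    allowlist: list                 # CIDRs that must never be blocked (internal nets, resolvers, partners)
    threshold: int = 2              # alerts from one source before acting; >1 dampens a single false alarm
    ban_seconds: int = 600          # temporary ban; the expiry bounds the damage of a false positive
    counts: dict = field(default_factory=dict)    # src -> alerts seen
    blocked: dict = field(default_factory=dict)   # src -> expiry time (seconds)
    commands: list = field(default_factory=list)  # every command that would have been handed to the firewall

    def _allowlisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(net) for net in self.allowlist)

    def process(self, line, now):
        """Feed one alert line; returns what was done with it."""
        m = ALERT_RE.search(line)
        if not m:
            return 'unparsed'
        src = m.group('src')
        if self._allowlisted(src):
            return 'allowlisted'            # never let an alert about our own hosts become a self-inflicted outage
        if src in self.blocked:
            return 'already-blocked'
        self.counts[src] = self.counts.get(src, 0) + 1
        if self.counts[src] < self.threshold:
            return 'noted'
        self.blocked[src] = now + self.ban_seconds
        self.commands.append(block_rule(src))
        return 'blocked'

    def expire(self, now):
        """Remove bans whose timer has run out; returns the unblock commands issued."""
        removed = []
        for src, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[src]
                self.counts.pop(src, None)   # a fresh burst after expiry must cross the threshold again
                cmd = unblock_rule(src)
                self.commands.append(cmd)
                removed.append(cmd)
        return removed

    def active_blocks(self):
        return sorted(self.blocked)


if __name__ == '__main__':
    mgr = BlockManager(allowlist=['10.0.0.0/8', '192.0.2.0/24'])
    for t, line in enumerate(SAMPLE_ALERTS):
        print(t, mgr.process(line, now=t))
    print('active:', mgr.active_blocks())
    print('expired at t=601:', mgr.expire(now=601))
    print('\n'.join(mgr.commands))
```

In a real deployment the command strings would be executed by a small privileged helper that accepts only a source address, and the allowlist would include every address the monitored network cannot afford to lose; the expiry loop is what keeps a mistaken rule from outliving the analyst's attention.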

