IDS mailing list archives
RE: Active response... some thoughts.
From: Rob McMillen <rvmcmil () cablespeed com>
Date: Wed, 5 Feb 2003 18:10:23 -0500 (EST)
On Mon, 3 Feb 2003, Gonzalez, Albert wrote:
> Blocking isn't just sending TCP RSTs or the various other methods. Some solutions (hogwash comes to mind) will just drop the packet. Others like SnortSam or Snort-inline will add firewall rules to drop the packet. Since the three solutions I mentioned use snort and snort can understand UDP and ICMP, you can drop those packets that trigger a pre-defined criteria (pattern). I don't know of a solution that can add ACLs to routers (though, I haven't looked for any).
snort-inline does not add rules to the firewall. It is linked to the ipqueue facility, which sends packets from kernel space to userspace, where a program (snort-inline) can make a drop or accept decision. snort-inline makes this decision based on the drop rules.
> SnortSam and Snort-inline can both talk to iptables; iptables can just simply drop packets without having to send a RST or anything of that nature. Is this what you were looking for? (It's a fw though, not a router like you stated.)
In the next release of snort-inline, it will be able to reject connections with TCP resets for TCP connections and ICMP unreach for UDP. Also, combined with the Honeynet Project's rc.firewall script, snort-inline can operate with iptables at layer 2 (bridging firewall). This means the device can be dropped in front of your existing system without having to change IP addressing. Also, since it is a layer 2 device, it is invisible to the bad guy (unless you put an IP on it).

Hope this helps,

Rob
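The userspace verdict loop Rob describes (packets queued from the kernel, a decision made against drop rules, and the planned reject responses: a TCP RST for TCP, an ICMP unreachable for UDP), as an added illustrative model that is not code from this thread or from snort-inline itself. The rule fields, the sids and the byte patterns are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    proto: str               # "tcp" or "udp"
    dst_port: int
    payload: bytes

@dataclass
class Rule:
    action: str              # "drop", "reject" or "alert" (log only)
    proto: str               # "tcp", "udp" or "ip" (matches either)
    dst_port: Optional[int]  # None matches any destination port
    content: bytes           # byte pattern that must appear in the payload
    sid: int                 # rule id (constructed values below)

def matches(rule: Rule, pkt: Packet) -> bool:
    """Protocol, destination port and content must all match."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return rule.content in pkt.payload

def verdict(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str], Optional[int]]:
    """Userspace decision for one queued packet: (verdict, response, sid).
    verdict is "ACCEPT" or "DROP"; response is the active response sent back
    for reject rules ("tcp-rst" for TCP, "icmp-unreach" for UDP), else None.
    First matching rule wins (a simplification of Snort's rule ordering)."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "drop":
            return ("DROP", None, rule.sid)        # silently discarded
        if rule.action == "reject":
            resp = "tcp-rst" if pkt.proto == "tcp" else "icmp-unreach"
            return ("DROP", resp, rule.sid)        # discarded and answered
        return ("ACCEPT", None, rule.sid)          # alert: logged, let through
    return ("ACCEPT", None, None)                  # no rule matched

# Constructed sample ruleset; the sids and patterns are made up for this example.
RULES = [
    Rule("reject", "tcp", 80, b"/cmd.exe", 1000001),
    Rule("reject", "udp", 53, b"version.bind", 1000002),
    Rule("drop", "tcp", 23, b"constructed-telnet-pattern", 1000003),
    Rule("alert", "ip", None, b"constructed-alert-only", 1000004),
]
```

Because the decision happens in userspace, every queued packet waits on this loop; a slow rule set or a stalled process stalls the traffic passing through the bridge, which is the operational cost of inline drop versus a passive sensor.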