Honeypots mailing list archives

Filtering traffic for variants


From: <shrink-wrap () hushmail com>
Date: 18 Aug 2003 16:58:35 -0000



Hi,

Since this has been a problem for me lately, I was wondering whether anyone 
on this list might have some insight into this issue.  The problem is that I 
want to weed out the known bad traffic from the unknown bad traffic as it 
comes inbound.  An example is in order:
- Windows 2k honeypot
- SP4 patched
- no RPC DCOM patch
- gets compromised by msblaster/lovesan (variant A)
- traffic filtered (per control requirement) outbound
- variant B comes along and can't infect because of previous activity 
(actively filtered or, eventually, honeypot patched [to stop variant A, 
i.e. a waste of time])

With this example it isn't easy to use snort-inline, since the exploits 
used in the worm and its variants are the same (thus the signatures that 
will fire are the same).  And this problem is the same with any worm (at 
least): IIS ISAPI .printer vulnerability ;)

Obviously GenI controls don't handle this type of problem, since the 
control (normally a firewall) isn't very dynamic, while GenII normally 
doesn't filter incoming; it processes outgoing (for a good reason).

Has anyone set up something to do this?

S-W
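One way to approach the question above, as an added example that is not part of the original post or of snort-inline: once a signature has matched the shared exploit, fingerprint only the bytes after that exploit stub (the part that differs between variants), drop traffic whose fingerprint is already known, and let unknown fingerprints through to the honeypot. The exploit prefix and the sample payloads are constructed stand-ins, and the `VariantFilter` class is my own design.

```python
"""Inbound filter that tells known worm variants apart from unknown ones
when all of them reuse the same exploit (so the same signature fires)."""
import hashlib
from typing import Dict, Optional

# Constructed stand-in for the bytes a signature keys on (the shared exploit).
# Not a real RPC DCOM signature; the real prefix would come from your IDS rule.
EXPLOIT_PREFIX = b"EXPLOIT-STUB:"

# Constructed sample payloads: same exploit stub, different variant-specific tails.
SAMPLE_A = EXPLOIT_PREFIX + b"dropper-A;tftp msblast.exe"
SAMPLE_B = EXPLOIT_PREFIX + b"dropper-B;tftp penis32.exe"  # hypothetical variant B
SAMPLE_BENIGN = b"GET / HTTP/1.0\r\n\r\n"


def variant_fingerprint(payload: bytes) -> Optional[str]:
    """Hash of the variant-specific tail, or None if the exploit stub is absent."""
    if not payload.startswith(EXPLOIT_PREFIX):
        return None
    tail = payload[len(EXPLOIT_PREFIX):]
    return hashlib.sha256(tail).hexdigest()


class VariantFilter:
    """Drop what we have already caught; pass everything else to the honeypot."""

    def __init__(self) -> None:
        self.known: Dict[str, str] = {}  # fingerprint -> label learned earlier

    def learn(self, label: str, payload: bytes) -> str:
        """Record a variant captured by the honeypot so later copies are dropped."""
        fp = variant_fingerprint(payload)
        if fp is None:
            raise ValueError("payload does not carry the exploit stub")
        self.known[fp] = label
        return fp

    def decide(self, payload: bytes) -> str:
        """'drop:<label>' for a known variant, 'pass:new-variant' for an unknown
        one, 'pass' for traffic the exploit signature would not match at all."""
        fp = variant_fingerprint(payload)
        if fp is None:
            return "pass"
        if fp in self.known:
            return "drop:" + self.known[fp]
        # Exact-tail hashing is deliberately strict: any byte change counts as a
        # new variant and reaches the honeypot. Padding or polymorphic droppers
        # would therefore defeat the drop list, never the capture.
        return "pass:new-variant"
```

Known fingerprints would in practice be fed back from the honeypot's captured samples, with the verdict enforced by whatever inline device sits in front of it.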
