Re: Scriptable defense question

[Jeffrey Walton <noloader () gmail com>]

Hi Fred,

> Is there a tool that would allow for a tcp reset, or
> connection drop, or possible bar future sessions from that IP?
> ...I am thinking of a script that parses a log,
I believe this would be dangerous in the Windows world. The events of
interest are 539 [1] and friends in the Security log. I don't believe
it is a good idea to allow a script access to the log, which usually
has a fairly tight ACL. The scenario is an attacker could [more]
easily wipe the log to cover their tracks.

With that said, there may be something out there that does what you want.

Jeff

[1] http://www.eventid.net/display.asp?eventid=539&source=Security

On 5/11/09, Fred H <sectester () yahoo com> wrote:
> Hi All,
>
> here is a scenario that has come up.
> Lets says there is a generic server that is on a dmz, and there are many password attempts on the server.  Is there a 
> tool that would allow for a tcp reset, or connection drop , or possible bar future sessions from that IP?
> I am thinking of a script that parses a log, looks for repeated attempts from the same IP, and then calls a tool that 
> drops the connection.
>
> Does anyone have any ideas on this?
>
>  Fred Hamilton
> Information Security Analyst 2
> Financial Sector
>
> [SNIP]

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------