From: Omas Jakobsson (omas.jakobsson corren.se)
Date: Mon Mar 18 2002 - 06:39:39 CST
Hi!
I believe you can make something like that work with Snort and Guardian.
Snort supports killing of connections based on individual rules and
Guardian monitors your Snort alerts file and runs your own choice of
script/command when it detects a match to Snort rules.
I would, by the way, definitely advise caution when implementing a block
based on any IDS, since this is prone to be a nightmare if anyone
decides to spoof an attack from, say, a customer? or even your own
servers?
Well, you might want to read this first anyway:
http://online.securityfocus.com/infocus/1540
Snort
http://www.snort.org
Guardian
http://www.chaotic.org/guardian/
Regards.
/Omas Jakobsson
Gary Flynn wrote:
>
> Are there network "IDS" products out there that take action
> to prevent an attack from succeeding other than to:
>
> 1) Notify someone to manually deal with it
> 2) Do a TCP RST on the session
> 3) Put a router filter in to block the offending IP
>
> I'm looking for something like an application level firewall
> controlled by a NIDS engine that would drop offending
> traffic at the ingress point. Something like Hogwash but
> in a mainstream product capable of being put on a high-speed
> production Internet feed.
>
> ( http://hogwash.sourceforge.net/ )
>
> thanks,
> --
> Gary Flynn
> Security Engineer - Technical Services
> James Madison University
>
> Please R.U.N.S.A.F.E.
> http://www.jmu.edu/computing/runsafe
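The spoofing caution in the reply above, as an added example that is not part of the original message and is not Snort's or Guardian's own code: a filter that sits between the alert file and the block command and refuses to block allowlisted sources. It assumes Snort's "fast" alert line format; the function name, the never-block ranges, the threshold and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Tail of a Snort "fast" alert line: {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"
    r"\d+\.\d+\.\d+\.\d+(?::\d+)?")

# Assumed never-block list: own servers and a customer range (documentation addresses).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
MIN_ALERTS = 2  # assumed threshold: one alert alone never triggers a block

def decide_blocks(alert_lines, never_block=NEVER_BLOCK, min_alerts=MIN_ALERTS):
    """Return (block, review): sources safe to block automatically, and
    sources that alerted but must go to a human instead."""
    counts, review = {}, set()
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # malformed address in the log line
        # Allowlisted sources are never blocked. UDP/ICMP need no handshake,
        # so their source address is trivially forged: review, do not block.
        if any(src in net for net in never_block) or m.group("proto") != "TCP":
            review.add(src)
            continue
        counts[src] = counts.get(src, 0) + 1
    block = sorted(s for s, n in counts.items() if n >= min_alerts)
    return [str(s) for s in block], [str(s) for s in sorted(review)]

# Constructed sample alerts (not from a real sensor).
SAMPLE = [
    "03/18-06:39:39.100000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.7:4021 -> 192.0.2.10:80",
    "03/18-06:39:40.200000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.7:4022 -> 192.0.2.10:80",
    "03/18-06:39:41.300000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 198.51.100.25:3345 -> 192.0.2.10:80",
    "03/18-06:39:42.400000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 198.51.100.25:3346 -> 192.0.2.10:80",
    "03/18-06:39:43.500000  [**] [1:1000001:1] Constructed UDP alert [**] [Priority: 2] {UDP} 203.0.113.99:53 -> 192.0.2.10:53",
    "03/18-06:39:44.600000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.50:1111 -> 192.0.2.10:80",
]

if __name__ == "__main__":
    block, review = decide_blocks(SAMPLE)
    print("block: ", block)
    print("review:", review)
```

Only the first list would be handed to the blocking script; the second is what a spoofed "attack" from a customer or from your own servers turns into, an item for manual review rather than an outage.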