OSEC

 
From: Omas Jakobsson (omas.jakobssoncorren.se)
Date: Mon Mar 18 2002 - 06:39:39 CST


    Hi!

    I believe you can make something like that work with Snort and Guardian.
    Snort supports killing of connections based on individual rules, and
    Guardian monitors your Snort alert file and runs a script/command of your
    own choice when it detects a match to Snort rules.

    I would, by the way, definitely advise caution when implementing a block
    based on any IDS, since this is prone to be a nightmare if anyone
    decides to spoof an attack from, say, a customer, or even your own
    servers.

    Well, you might want to read this first anyway:
    http://online.securityfocus.com/infocus/1540

    Snort
    http://www.snort.org

    Guardian
    http://www.chaotic.org/guardian/

    Regards.

    /Omas Jakobsson

    Gary Flynn skrev:
    >
    > Are there network "IDS" products out there that take action
    > to prevent an attack from succeeding other than to:
    >
    > 1) Notify someone to manually deal with it
    > 2) Do a TCP RST on the session
    > 3) Put a router filter in to block the offending IP
    >
    > I'm looking for something like an application level firewall
    > controlled by a NIDS engine that would drop offending
    > traffic at the ingress point. Something like Hogwash but
    > in a mainstream product capable of being put on a high-speed
    > production Internet feed.
    >
    > ( http://hogwash.sourceforge.net/ )
    >
    > thanks,
    > --
    > Gary Flynn
    > Security Engineer - Technical Services
    > James Madison University
    >
    > Please R.U.N.S.A.F.E.
    > http://www.jmu.edu/computing/runsafe
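The Snort-plus-Guardian arrangement Omas describes (a watcher reads the Snort alert file and fires a block command for the offending source) is easy to sketch, and so is the spoofing problem he warns about. The script below is an added illustration for this archive, not Guardian's own code (Guardian is a Perl script) and not anything from Snort or the original posters. It assumes Snort's classic "-A fast" alert line layout, an iptables host as the blocking device, and a hypothetical allowlist of addresses that must never be blocked no matter what an alert claims; the signature IDs, address ranges and sample alert lines are all constructed for the example.

```python
"""Guardian-style responder for Snort alerts (added illustration, not
Guardian's own code).  It reads Snort "fast" alert lines, picks out the
source address of alerts matching a chosen set of signatures, refuses to
block addresses on an allowlist (the spoofing caveat from the reply), and
emits one firewall command per offending address."""
import ipaddress
import re
import time

# Snort -A fast alert line layout (assumption: classic 1.x/2.x format).
FAST_ALERT = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Hypothetical allowlist: our own servers and a customer link.  A spoofed
# alert naming one of these as the source must never cause a block.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.10/32")]

# Hypothetical policy: block only these signature IDs, and only at priority 1.
BLOCK_SIDS = {1256}
MAX_PRIORITY = 1


def parse_alert(line):
    """Return the alert fields as a dict, or None for non-alert lines."""
    m = FAST_ALERT.search(line)
    if m is None:
        return None
    return {
        "sid": int(m.group("sid")),
        "msg": m.group("msg"),
        "prio": int(m.group("prio")),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
    }


def should_block(alert):
    """Policy check: right signature, high enough priority, source not protected."""
    if alert["sid"] not in BLOCK_SIDS or alert["prio"] > MAX_PRIORITY:
        return False
    src = ipaddress.ip_address(alert["src"])
    return not any(src in net for net in NEVER_BLOCK)


def block_command(ip):
    """Firewall action for one address (assumption: a Linux iptables host)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def respond(lines):
    """Run the policy over alert lines; return one block command per new source."""
    blocked = set()
    commands = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or not should_block(alert):
            continue
        if alert["src"] in blocked:   # block each address once, as Guardian does
            continue
        blocked.add(alert["src"])
        commands.append(block_command(alert["src"]))
    return commands


def follow(path, poll=1.0):
    """Yield lines appended to the alert file, like tail -f."""
    with open(path) as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


# Constructed sample alert file contents (not real traffic).
SAMPLE_ALERTS = [
    "03/18-06:39:39.123456  [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:4321 -> 192.0.2.10:80",
    "03/18-06:39:40.555555  [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:4322 -> 192.0.2.10:80",
    # Same signature, but the "attacker" is one of our own servers: spoofed or a false positive.
    "03/18-06:39:41.000001  [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.50:1025 -> 192.0.2.10:80",
    # Priority 2 scan from a signature outside the block list: alert only.
    "03/18-06:39:42.000002  [**] [1:469:1] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.9 -> 192.0.2.10",
    "not an alert line",
]

if __name__ == "__main__":
    for cmd in respond(SAMPLE_ALERTS):
        print(cmd)
    # Live use would be: for cmd in respond(follow("/var/log/snort/alert")): run cmd
```

Of the five constructed lines only the first produces a block: the second is the same source again, the third names one of our own servers and is dropped by the allowlist, the fourth is a lower-priority signature outside the block list. The script deliberately returns the commands instead of executing them; whatever does execute them should also expire blocks after a while, since an auto-block with no timeout is exactly the self-inflicted denial of service the reply warns about.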