From: Wiese, Sean P. (swiesestate.nd.us)
Date: Mon Oct 22 2001 - 17:01:57 CDT
Not to take anything away from Cisco and their 6500's but:
You need to be very careful when blocking traffic based on a signature
match. False positives and other "false" traffic generating signature
matches can do just as much damage as an exploit/DoS/etc. ... it's a fine line
to walk when deciding to "dynamically" block traffic, without human
If I am correct here, maybe Hogwash (http://hogwash.sourceforge.net/) can
give you what you are looking for.
<<snip from Hogwash:
How is Hogwash different from XXX?
Many of the existing projects actively defend the network by manipulating
deny rules in ipchains, netfilter, or the like. If a signature is matched,
or a condition is met, the IP is added to the deny list.
This is bad because attackers will figure out what's going on really fast.
Their next move is to spoof packets coming from yahoo.com, microsoft.com,
your DNS server, etc. and break the network. Hogwash can drop only the
suspect packets or it can modify the content in route to sanitize the
Just my .02 worth...
.. email: swiesestate.nd.us
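To make the trade-off in the reply above concrete, here is an added toy simulation (not part of the thread or of Hogwash) of the two response models it contrasts: auto-deny by source IP versus dropping only the matching packets, run over constructed traffic that includes packets spoofed from the site's own DNS server. All hosts and addresses are made up, and the `protected` allowlist is an assumed safeguard, not something the thread describes.

```python
"""Added example, not from the thread: simulate "add the source IP to a deny
list" versus "drop only the suspect packets" against traffic where an attacker
spoofs the address of the site's own DNS server. Addresses are constructed."""
from collections import namedtuple

# legit is ground truth the simulation knows but the sensor does not.
Packet = namedtuple("Packet", "src dst matched legit")

DNS_SERVER = "10.0.0.53"      # constructed: the host we cannot afford to block
ATTACKER = "203.0.113.7"      # constructed: real source of the hostile traffic
TRAFFIC = [
    Packet(DNS_SERVER, "10.0.1.10", matched=False, legit=True),   # normal DNS reply
    Packet(ATTACKER, "10.0.1.20", matched=True, legit=False),     # real attack, sig hit
    Packet(DNS_SERVER, "10.0.1.10", matched=True, legit=False),   # spoofed as DNS, sig hit
    Packet(DNS_SERVER, "10.0.1.11", matched=False, legit=True),   # normal DNS reply
    Packet(ATTACKER, "10.0.1.21", matched=False, legit=False),    # hostile, no sig hit
]

def deny_by_ip(traffic, protected=frozenset()):
    """ACL-style response: a matching packet is dropped and its source is
    added to a deny list, so all later traffic from that source is dropped.
    `protected` is an assumed safeguard: sources the policy must never add
    to the deny list (your DNS servers, upstream routers, and so on)."""
    denied, delivered = set(), []
    for p in traffic:
        if p.matched and p.src not in protected:
            denied.add(p.src)
        if not p.matched and p.src not in denied:
            delivered.append(p)
    return delivered, denied

def drop_matching_packets(traffic):
    """Hogwash-style response: drop only the packets that matched."""
    return [p for p in traffic if not p.matched]

def evaluate(delivered):
    """Return (collateral, missed): legitimate packets lost and hostile
    packets that got through, judged against ground truth."""
    collateral = sum(1 for p in TRAFFIC if p.legit and p not in delivered)
    missed = sum(1 for p in delivered if not p.legit)
    return collateral, missed

if __name__ == "__main__":
    d, denied = deny_by_ip(TRAFFIC)
    print("deny by IP:         denied", sorted(denied), "collateral/missed", evaluate(d))
    d, denied = deny_by_ip(TRAFFIC, protected={DNS_SERVER})
    print("deny by IP+protect: denied", sorted(denied), "collateral/missed", evaluate(d))
    print("per-packet drop:    collateral/missed", evaluate(drop_matching_packets(TRAFFIC)))
```

The unprotected deny-by-IP run ends up with the DNS server on the deny list and legitimate DNS replies lost, while per-packet dropping loses nothing legitimate but lets the attacker's non-matching packet through; a protected list only helps for hosts you thought to put on it.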
From: Jeremy [mailto:prrthdmyrealbox.com]
Sent: Monday, October 22, 2001 4:43 PM
Subject: Snort and Cisco Pix
We were looking at the new Cisco IDS card that goes into their 6500's and
our Cisco guy said that when it matches a signature it could update the PIX
access lists to block traffic from that IP. We are currently running several
snort boxes and I was wondering if there was anything like that for snort.
Also, is there anything in snort now other than flex-resp that takes an
active role in stopping packets that match a certain signature?
Sure would like to save our company $40K from having to buy 2 of those
Cisco IDS cards.