From: Gonzalez, Albert (albert.gonzalez_at_eds.com)
Date: Mon Feb 03 2003 - 12:50:41 CST

    Blocking isn't just sending TCP RSTs or the various other methods. Some
    solutions (hogwash comes to mind) will just drop the packet. Others, like
    SnortSam or Snort-inline, will add firewall rules to drop the packet. Since
    the three solutions I mentioned use snort, and snort can understand UDP and
    ICMP, you can drop those packets that trigger a pre-defined
    criteria (pattern). I don't know of a solution that can add ACLs to routers
    (though, I haven't looked for any).

    SnortSam and Snort-inline can both talk to iptables, and iptables can just
    simply drop packets without having to send a RST or anything of that
    nature. Is this what you were looking for? (It's a firewall though, not a router
    like you stated.)

    Cheers!
      Alberto Gonzalez

    "Can you tell I only play with FREE stuff? <g>"

    --
    The secret to success is to start from scratch and keep on scratching.
    

    -----Original Message-----
    From: Chris Travers [mailto:christravelamericas.com]
    Sent: Friday, January 31, 2003 1:23 PM
    Cc: focus-idssecurityfocus.com
    Subject: Re: Active response... some thoughts.

    Hi--

    I had an additional idea relating to quasi-active response. For example--

    An IDS could have hooks into a router's filtering tables in order to temporarily ban that IP address. This has the advantage of the RST in that all inbound traffic from the attacker would be stopped, but would create less traffic on the gateway than a RST would. Additionally, this could also be used against connectionless protocols such as UDP and ICMP.

    It is more flexible, could be implemented on a timer to minimize the damage of false alarms, etc.

    Best Wishes, Chris
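The timed, protocol-agnostic ban that both posts describe, as an added example that is not code from either poster, SnortSam or Snort-inline: each alert produces an iptables DROP rule (returned as a dry-run command string, not executed), bans expire after a TTL so a false alarm only costs bounded time, and a never-block list keeps the gateway and other trusted hosts from being cut off. The alert list, addresses, TTL and chain name are constructed assumptions.

```python
"""Timed firewall block list for IDS active response (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class TimedBlockList:
    ttl: float = 600.0                    # seconds a ban lasts (assumed default)
    never_block: frozenset = frozenset()  # hosts that must never be banned
    chain: str = "INPUT"                  # iptables chain the rules go into
    _expiry: dict = field(default_factory=dict)  # ip -> time the ban lifts

    def _rule(self, action: str, ip: str) -> str:
        # -I inserts the rule, -D deletes the identical rule; no -p, so it
        # covers TCP, UDP and ICMP alike (the point raised about RSTs)
        return f"iptables -{action} {self.chain} -s {ip} -j DROP"

    def block(self, ip: str, now: float) -> list[str]:
        """Commands to run for an alert from `ip` at time `now`."""
        if ip in self.never_block:
            return []                     # refuse to ban trusted hosts
        if ip in self._expiry:            # already banned: extend the timer only
            self._expiry[ip] = now + self.ttl
            return []
        self._expiry[ip] = now + self.ttl
        return [self._rule("I", ip)]

    def expire(self, now: float) -> list[str]:
        """Commands that lift every ban whose TTL has elapsed by `now`."""
        done = sorted(ip for ip, t in self._expiry.items() if t <= now)
        for ip in done:
            del self._expiry[ip]
        return [self._rule("D", ip) for ip in done]

    def active(self) -> set[str]:
        return set(self._expiry)


def respond(alerts, ttl=600.0, never_block=()):
    """Process (timestamp, src_ip) alerts in time order; return (log, list).

    A real deployment would also call expire() from a periodic timer; here
    expiry is checked whenever an alert arrives.
    """
    bl = TimedBlockList(ttl=ttl, never_block=frozenset(never_block))
    log = []
    for ts, ip in sorted(alerts):
        log += bl.expire(ts)
        log += bl.block(ip, ts)
    return log, bl


# Constructed alerts: a repeat offender, a second source, and a false alarm
# naming the gateway itself, which the never-block list must ignore.
ALERTS = [(0, "203.0.113.7"), (30, "203.0.113.7"),
          (100, "198.51.100.9"), (700, "192.0.2.1")]

if __name__ == "__main__":
    for cmd in respond(ALERTS, never_block={"192.0.2.1"})[0]:
        print(cmd)
```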