
RE: Active response... some thoughts.

From: Gonzalez, Albert <albert.gonzalez(at)eds.com>
Date: Mon Feb 03 2003 - 13:50:41 EST


Blocking isn't just sending TCP RSTs or the various other methods. Some solutions (hogwash comes to mind) will just drop the packet. Others, like SnortSam or Snort-inline, will add firewall rules to drop the packet. Since the three solutions I mentioned use snort and snort can understand UDP and ICMP, you can drop those packets that trigger a pre-defined criteria (pattern). I don't know of a solution that can add ACLs to routers (though I haven't looked for any).

SnortSam and Snort-inline can both talk to iptables, and iptables can simply drop packets without having to send a RST or anything of that nature. Is this what you were looking for? (It's a firewall though, not a router like you stated.)

Cheers!
  Alberto Gonzalez

"Can you tell I only play with FREE stuff? <g>"

--
The secret to success is to start from scratch and keep on scratching.


-----Original Message-----
From: Chris Travers [mailto:chris@travelamericas.com]
Sent: Friday, January 31, 2003 1:23 PM
Cc: focus-ids@securityfocus.com
Subject: Re: Active response... some thoughts.


Hi--

I had an additional idea relating to quasi-active response.  For example--

An IDS could have hooks into a router's filtering tables in order to 
temporarily ban that IP address.  This has the advantage of the RST in 
that all inbound traffic from the attacker would be stopped, but would 
create less traffic on the gateway than a RST would.  Additionally this 
could also be used against connectionless protocols such as UDP and ICMP.

It is more flexible, could be implemented on a timer to minimize the 
damage of false alarms, etc.

Best Wishes,
Chris
Received on Wed Feb 5 16:37:36 2003
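The timed ban both messages describe (an IDS alert adds a drop rule, the rule is removed again when its timer runs out, and addresses the site cannot afford to lose are never blocked) as an added example; this is not code from either message nor from SnortSam or Snort-inline. The BAN_SECONDS value, the NEVER_BLOCK ranges and the addresses used are constructed, and the iptables commands are returned as strings rather than executed.

```python
"""Timed ban list for IDS active response (constructed example).

An alert for a source address produces an iptables DROP rule; the rule is
removed on a timer so a false alarm costs only a short outage.  Commands
are returned as strings so the logic can be run offline."""
import ipaddress
import time

BAN_SECONDS = 600          # constructed: how long one alert blocks a source
NEVER_BLOCK = [            # constructed: own networks and upstream resolver
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.53/32"),
]


class TimedBanList:
    def __init__(self, ban_seconds=BAN_SECONDS, clock=time.time):
        self.ban_seconds = ban_seconds
        self.clock = clock          # injectable so the timer can be tested
        self.expiry = {}            # source ip -> time its DROP rule is removed

    def _protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in NEVER_BLOCK)

    def on_alert(self, src_ip):
        """Return the iptables command for this alert, or None if no rule is needed."""
        if self._protected(src_ip):
            return None             # an alert with a forged source must not cut off our own hosts
        already_banned = src_ip in self.expiry
        # A repeat alert extends the ban; the rule itself is only inserted once.
        self.expiry[src_ip] = self.clock() + self.ban_seconds
        if already_banned:
            return None
        return f"iptables -I INPUT -s {src_ip} -j DROP"

    def expire(self):
        """Return the commands that remove every ban whose timer has run out."""
        now = self.clock()
        gone = [ip for ip, t in self.expiry.items() if t <= now]
        for ip in gone:
            del self.expiry[ip]
        return [f"iptables -D INPUT -s {ip} -j DROP" for ip in gone]
```

Calling `expire()` from a periodic job (cron or a loop in the response daemon) is what turns the list into the timer Chris describes.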

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:08 EDT

