
RE: Active response... some thoughts.

From: Rob McMillen <rvmcmil(at)cablespeed.com>
Date: Wed Feb 05 2003 - 18:10:23 EST


On Mon, 3 Feb 2003, Gonzalez, Albert wrote:

> Blocking isn't just sending TCP rst's or the various other methods. Some

snort-inline does not add rules to the firewall. It is linked to the ipqueue facility which sends packets from kernel space to userspace where a program (snort-inline) can make a drop or accept decision. snort-inline makes this decision based on the drop rules.

> SnortSam and Snort-inline can both talk to IPtables, iptables can just

In the next release of snort-inline, it will be able to reject connections with tcp resets for tcp connections and icmp unreach for udp.

Also, combined with the Honeynet Project's rc.firewall script, snort-inline can operate with iptables at layer2 (bridging firewall). This means the device can be dropped in front of your existing system without having to change ip addressing. Also, since it is a layer 2 device, it is invisible to the bad guy (unless you put an ip on it).

Hope this helps,

Rob

Received on Thu Feb 6 11:57:04 2003
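To make the verdict path Rob describes concrete (kernel hands a packet to userspace, the inline process consults its drop rules and answers accept or drop, with reject via TCP reset or ICMP unreachable announced for the next release), here is an added toy model. It is not snort-inline's own code and is not part of the original thread; the rule grammar is a small hand-picked subset of Snort's (only `msg:` and `content:` options), and the rule set, addresses and packets are constructed sample data.

```python
"""Toy model of the verdict path the mail describes: the kernel hands a
packet to a userspace process (snort-inline via ip_queue), the process
checks it against its rules and returns ACCEPT or DROP; the announced
next release adds REJECT (TCP reset for tcp, ICMP unreachable for udp).
Constructed illustration, not snort-inline's own code; the rule grammar
is a deliberately reduced subset of Snort's."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str     # "alert", "drop" or "reject"
    proto: str
    dst: str        # "any" or an address
    dport: str      # "any" or a port number
    content: Optional[bytes]
    msg: str


# header: <action> <proto> <src> <sport> -> <dst> <dport> ( <options> )
RULE_RE = re.compile(
    r'^(alert|drop|reject)\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')


def parse_rule(line: str) -> Rule:
    """Parse one rule line; only the msg: and content: options are understood."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    action, proto, _src, _sport, dst, dport, opts = m.groups()
    content, msg = None, ""
    for opt in opts.split(";"):
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if key == "content":
            content = val.encode()
        elif key == "msg":
            msg = val
    return Rule(action, proto, dst, dport, content, msg)


def load_rules(text: str) -> list:
    """Parse a rule file, skipping blank lines and '#' comments."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Protocol, destination address/port and payload content must all agree."""
    if rule.proto != pkt.proto:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dport != "any" and int(rule.dport) != pkt.dport:
        return False
    return rule.content is None or rule.content in pkt.payload


def verdict(pkt: Packet, rules: list) -> tuple:
    """Return (verdict, blocking_rule_msg, alert_msgs).

    Rules are walked in file order: an alert rule only records a message,
    the first drop or reject rule ends the walk, and a packet that matches
    nothing is accepted, i.e. the device fails open like a passive IDS."""
    alerts = []
    for r in rules:
        if not matches(r, pkt):
            continue
        if r.action == "drop":
            return "DROP", r.msg, alerts
        if r.action == "reject":
            how = "tcp-reset" if pkt.proto == "tcp" else "icmp-unreach"
            return f"REJECT:{how}", r.msg, alerts
        alerts.append(r.msg)
    return "ACCEPT", "", alerts


# Constructed rule set and sample packets (not from the original mail).
SAMPLE_RULES = """
# alert only: log every HTTP GET, let it through
alert tcp any any -> any 80 (msg:"WEB GET request"; content:"GET ";)
# drop: silently discard requests for cmd.exe
drop tcp any any -> any 80 (msg:"WEB cmd.exe access"; content:"cmd.exe";)
# reject: answer a bad DNS query with an ICMP unreachable instead of silence
reject udp any any -> any 53 (msg:"DNS probe"; content:"evil";)
"""

SAMPLE_PACKETS = [
    Packet("tcp", "10.0.0.5", 40000, "10.0.0.80", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", "10.0.0.5", 40001, "10.0.0.80", 80, b"GET /scripts/cmd.exe HTTP/1.0\r\n"),
    Packet("udp", "10.0.0.5", 40002, "10.0.0.53", 53, b"\x00\x01evil\x00"),
    Packet("tcp", "10.0.0.5", 40003, "10.0.0.22", 22, b"SSH-2.0-client\r\n"),
]


def run_sample() -> list:
    """Apply the sample rules to the sample packets, one verdict per packet."""
    rules = load_rules(SAMPLE_RULES)
    return [verdict(p, rules) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, (v, why, alerts) in zip(SAMPLE_PACKETS, run_sample()):
        print(f"{pkt.proto}/{pkt.dport}: {v:20} {why or '-':22} alerts={alerts}")
```

The point the model makes is the one Rob's mail turns on: the firewall rule set itself is never modified, each packet gets a verdict from userspace, and the difference between `alert`, `drop` and `reject` is purely what that verdict says back to the kernel. A real deployment would also have to consider that every packet waits on the userspace process, so a crashed or slow process stalls or fails the traffic path, which is why the rule walk's default matters.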


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:09 EDT

