IDS
mailing list archives
RE: Active response... some thoughts.
From: Rob McMillen <rvmcmil () cablespeed com>
Date: Wed, 5 Feb 2003 18:10:23 -0500 (EST)
On Mon, 3 Feb 2003, Gonzalez, Albert wrote:
> Blocking isn't just sending TCP RSTs or the various other methods. Some
> solutions (hogwash comes to mind) will just drop the packet. Others like
> SnortSam or Snort-inline will add firewall rules to drop the packet. Since
> the three solutions I mentioned use snort and snort can understand udp,
> icmp, you can drop those packets that trigger a pre-defined
> criterion (pattern). I don't know of a solution that can add ACLs to routers
> (though, I haven't looked for any).
snort-inline does not add rules to the firewall. It is linked to the
ipqueue facility which sends packets from kernel space to userspace where
a program (snort-inline) can make a drop or accept decision. snort-inline
makes this decision based on the drop rules.
> SnortSam and Snort-inline can both talk to iptables, iptables can just
> simply drop packets without having to send a RST or anything of that
> nature. Is this what you were looking for? (It's a fw though, not a router
> like you stated.)
In the next release of snort-inline, it will be able to reject connections
with tcp resets for tcp connections and icmp unreach for udp.
Also, combined with the Honeynet Project's rc.firewall script,
snort-inline can operate with iptables at layer 2 (bridging firewall).
This means the device can be dropped in front of your existing system
without having to change ip addressing. Also, since it is a layer 2
device, it is invisible to the bad guy (unless you put an ip on it).
Hope this helps,
Rob
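To make the drop/accept decision Rob describes concrete, here is an added example (my code, not snort-inline's, SnortSam's or the Honeynet Project's) of the userspace half of the ip_queue design: the kernel hands each packet to a program, the program matches it against drop rules and answers ACCEPT or DROP. The "reject" action models the behaviour announced for the next release (a TCP RST for TCP, an ICMP port-unreachable for UDP) by building the response packet with correct checksums. The rule fields, the 10.0.0.x addresses, the port numbers and the "BADPATTERN" signature are all constructed for the example and are not Snort rule syntax or real signatures.

```python
"""Userspace packet-verdict loop in the style of snort-inline's ip_queue design.
Constructed example, not snort-inline's code: the kernel queues each packet to
userspace, which answers ACCEPT or DROP. "reject" models the next release Rob
describes (TCP RST / ICMP unreachable); rule fields simplify Snort's (assumed)."""
import struct
from dataclasses import dataclass
from typing import Optional

ACCEPT, DROP = "ACCEPT", "DROP"

@dataclass
class Rule:
    action: str               # "drop" (silent) or "reject" (drop + response)
    proto: str                # "tcp" or "udp"
    dport: Optional[int]      # None = any destination port
    content: Optional[bytes]  # None = no payload pattern

@dataclass
class Packet:
    raw: bytes
    proto: str
    src: bytes
    dst: bytes
    sport: int = 0
    dport: int = 0
    seq: int = 0
    ack: int = 0
    flags: int = 0
    payload: bytes = b""

def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum shared by the IPv4, TCP and ICMP headers."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(raw: bytes) -> Packet:
    """Decode just enough of an IPv4 datagram to match the rule fields."""
    ihl = (raw[0] & 0x0F) * 4
    proto_num, src, dst, l4 = raw[9], raw[12:16], raw[16:20], raw[ihl:]
    if proto_num == 6:
        sport, dport, seq, ack = struct.unpack("!HHII", l4[:12])
        doff = (l4[12] >> 4) * 4
        return Packet(raw, "tcp", src, dst, sport, dport, seq, ack, l4[13], l4[doff:])
    if proto_num == 17:
        sport, dport = struct.unpack("!HH", l4[:4])
        return Packet(raw, "udp", src, dst, sport, dport, payload=l4[8:])
    return Packet(raw, "other", src, dst, payload=l4)

def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def tcp_rst(pkt: Packet) -> bytes:
    """RST|ACK toward the client, addressed as if sent by the protected server."""
    syn = 1 if pkt.flags & 0x02 else 0  # a SYN consumes one sequence number
    ack = (pkt.seq + len(pkt.payload) + syn) & 0xFFFFFFFF
    tcp = struct.pack("!HHIIBBHHH", pkt.dport, pkt.sport, pkt.ack, ack, 5 << 4, 0x14, 0, 0, 0)
    pseudo = pkt.dst + pkt.src + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    return ipv4_header(pkt.dst, pkt.src, 6, len(tcp)) + tcp

def icmp_port_unreachable(pkt: Packet) -> bytes:
    """ICMP type 3 code 3 quoting the offending IP header plus 8 bytes (RFC 792)."""
    ihl = (pkt.raw[0] & 0x0F) * 4
    body = struct.pack("!BBHI", 3, 3, 0, 0) + pkt.raw[:ihl + 8]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(pkt.dst, pkt.src, 1, len(body)) + body

def verdict(rules, raw: bytes):
    """Return (ACCEPT|DROP, response); response is the crafted reject packet or None."""
    pkt = parse_ipv4(raw)
    for r in rules:
        if r.proto != pkt.proto or (r.dport is not None and r.dport != pkt.dport):
            continue
        if r.content is not None and r.content not in pkt.payload:
            continue
        if r.action == "reject":
            return DROP, (tcp_rst(pkt) if pkt.proto == "tcp" else icmp_port_unreachable(pkt))
        return DROP, None  # silent drop: nothing leaves the box
    return ACCEPT, None

# Constructed test traffic: client 10.0.0.5 talking to servers 10.0.0.80 and 10.0.0.53.
CLIENT, WEB, DNS = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]), bytes([10, 0, 0, 53])
def sample_tcp(dport: int, payload: bytes, flags: int = 0x18) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1000, 5000, 5 << 4, flags, 8192, 0, 0)
    return ipv4_header(CLIENT, WEB, 6, len(tcp) + len(payload)) + tcp + payload

def sample_udp(dport: int, payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", 40001, dport, 8 + len(payload), 0) + payload
    return ipv4_header(CLIENT, DNS, 17, len(udp)) + udp

RULES = [
    Rule("reject", "tcp", 80, b"BADPATTERN"),  # constructed signature: answer with RST
    Rule("reject", "udp", 53, b"BADPATTERN"),  # constructed signature: answer with ICMP
    Rule("drop", "tcp", 23, None),             # silently drop all telnet
]
```

Calling `verdict(RULES, sample_tcp(80, b"GET / BADPATTERN"))` returns DROP plus a RST whose sequence number is the client's own ACK and whose ACK covers the offending payload, which is what a client needs in order to honour the reset; `verdict(RULES, sample_tcp(23, b""))` returns DROP with no response, the silent inline drop that gives a probing host nothing to observe. The first design point for a real deployment is the same one this toy shows: a plain DROP is invisible, a RST or ICMP unreachable is not, so reject should be reserved for cases where tearing down the client's session quickly is worth announcing that something in the path is filtering.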
Current thread:
- Re: Active response... some thoughts., (continued)
RE: Active response... some thoughts. Gonzalez, Albert (Feb 05)
- RE: Active response... some thoughts. Rob McMillen (Feb 06)
Re: Active response... some thoughts. Ali Saifullah Khan (Feb 05)
Re: Active response... some thoughts. fr0ck9 (Feb 05)
RE: Active response... some thoughts. Ralph Los (Feb 07)