[Dshield] Firewall that bites back??? Addendum

Alberto Gonzalez ag-dshield at cerebro.violating.us
Wed Nov 20 19:37:18 GMT 2002

Now, I don't know where snort got the ability to insert fw rules without some 
other patches (snortsam).
Are you talking about flexresp (using the resp[1] keyword?) that has the 
ability to drop/reset connections
based on alerts? Or are you talking about something different?


    - Albert

[1] - http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.22 
(Resp Keyword)

Conner, Jim wrote:

>in addendum to Jason's statements:
>... not to mention that some acts could be construed as illegal or at best
>questionably legal.  I would take the advice of Jason and do your best to,
>if need be, log and block.  Logging is good so that if things really get bad
>then you have something to give authorities.  If the traffic you are seeing
>is really malicious masked behind netbios packets then you want to show
>that as evidence.  Something like that would be good evidence as well.  On
>the other hand, choose wisely what you decide to do because the FBI doesn't
>want frivolous accusations.
>In the meantime it is best to take a passive stance at such things and keep
>your eyes and er, well, keep your eyes open.
>If everybody "fought back" when something happened to them this world would
>be in utter chaos knowing no peace.  Snort is the best tool, imo, to do
>exactly what has been suggested.  The plugins that are available to add
>firewall rules blocking "attacks" from those on certain IP's on certain
>ports are said to be pretty decent.  Of course, if you are using windows as
>a firewall, you may have problems with this and frankly, I would not use
>windows for such a task anyway (my humble opinion...I have no desires to
>start a flame).
>good luck.
>- Jim

The secret to success is to start from scratch and keep on scratching.
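Both halves of this exchange (Albert's question about flexresp/snortsam, and Jim's advice to log first and block second) come down to the same loop: read Snort alerts, keep every one as evidence, and only turn a repeat offender into a firewall rule. The script below is an added illustration of that loop, not code from the thread, from Snort, or from snortsam. It assumes alerts arrive as text lines in Snort's one-line "fast" format, uses constructed sample alerts with hypothetical signature ids, and only proposes iptables rules for an operator to review rather than executing them.

```python
"""Log-and-block helper for Snort fast-format alerts (added example).

Assumptions (not from the thread): alert lines look like the output of
'snort -A fast'; blocks are returned as proposed iptables commands and
are never executed by this script.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample alerts. Signature ids 100001-100003 and the "NETBIOS
# SMB probe" message are hypothetical; one junk line is included on purpose.
SAMPLE_ALERTS = """\
11/20-19:37:18.102345  [**] [1:100001:1] NETBIOS SMB probe (hypothetical sig) [**] [Priority: 2] {TCP} 192.0.2.10:3241 -> 198.51.100.5:139
11/20-19:37:19.455000  [**] [1:100001:1] NETBIOS SMB probe (hypothetical sig) [**] [Priority: 2] {TCP} 192.0.2.10:3242 -> 198.51.100.5:139
11/20-19:37:21.001000  [**] [1:100001:1] NETBIOS SMB probe (hypothetical sig) [**] [Priority: 2] {TCP} 192.0.2.10:3243 -> 198.51.100.5:139
11/20-19:38:02.900000  [**] [1:100002:1] NETBIOS SMB probe (hypothetical sig) [**] [Priority: 2] {TCP} 10.0.0.7:1044 -> 198.51.100.5:139
11/20-19:38:03.100000  [**] [1:100002:1] NETBIOS SMB probe (hypothetical sig) [**] [Priority: 2] {TCP} 10.0.0.7:1045 -> 198.51.100.5:139
11/20-19:38:03.300000  [**] [1:100002:1] NETBIOS SMB probe (hypothetical sig) [**] [Priority: 2] {TCP} 10.0.0.7:1046 -> 198.51.100.5:139
this line is not an alert and must be ignored
11/20-19:38:07.000000  [**] [1:100003:1] ICMP sweep (hypothetical sig) [**] [Priority: 2] {ICMP} 203.0.113.9 -> 198.51.100.5
"""

# One-line "fast" alert: timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")

# Sources that must never be auto-blocked (our own nets, loopback). Without
# this list, a spoofed source address would let anyone make the "firewall
# that bites back" cut off our own hosts.
NEVER_BLOCK = [ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "198.51.100.0/24", "127.0.0.0/8")]


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    pm = PRIORITY_RE.search(line)
    fields["priority"] = int(pm.group(1)) if pm else None
    return fields


def protected(ip):
    """True if ip falls inside a network we refuse to block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NEVER_BLOCK)


def decide_blocks(lines, threshold=3, max_priority=2):
    """Return (log, blocks).

    log:    every parsed alert, kept as evidence regardless of any block.
    blocks: sources with at least `threshold` alerts of priority <= max_priority
            that are not in NEVER_BLOCK.
    """
    log = []
    hits = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        log.append(alert)
        if alert["priority"] is not None and alert["priority"] <= max_priority:
            hits[alert["src"]] += 1
    blocks = sorted(src for src, n in hits.items()
                    if n >= threshold and not protected(src))
    return log, blocks


def iptables_rules(blocks):
    """Proposed DROP rules for operator review; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in blocks]


if __name__ == "__main__":
    log, blocks = decide_blocks(SAMPLE_ALERTS.splitlines())
    for a in log:
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['dport']} "
              f"[{a['gid']}:{a['sid']}] {a['msg']} (prio {a['priority']})")
    for rule in iptables_rules(blocks):
        print("proposed:", rule)
```

Run against the constructed sample, all seven real alerts end up in the evidence log, 192.0.2.10 crosses the threshold and becomes a proposed rule, 10.0.0.7 crosses it too but is skipped because it sits in a protected network, and the single ICMP alert from 203.0.113.9 is logged but not blocked. The threshold, the allow-list and the review step are what keep a Jim-style "log and block" from turning into the indiscriminate "fighting back" he warns against.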
