[Dshield] Firewall that bites back??? Addendum
ag-dshield at cerebro.violating.us
Wed Nov 20 19:37:18 GMT 2002
Now, I don't know where snort got the ability to insert fw rules without some
Are you talking about flexresp (using resp keyword?) that has the
ability to drop/reset connections based on alerts? Or are you talking
about something different?
 - http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.22
Conner, Jim wrote:
>in addendum to Jason's statements:
>... not to mention that some acts could be construed as illegal or at best
>questionably legal. I would take the advice of Jason and do your best to,
>if need be, log and block. Logging is good so that if things really get bad
>then you have something to give authorities. If the traffic you are seeing
>is really malicious masked behind netbios packets then you want to show
>that as evidence. Something like that would be good evidence as well. On
>the other hand, choose wisely what you decide to do because the FBI doesn't
>want frivolous accusations.
>In the meantime it is best to take a passive stance at such things and keep
>your eyes and er, well, keep your eyes open.
>If everybody "fought back" when something happened to them this world would
>be in utter chaos knowing no peace. Snort is the best tool, imo, to do
>exactly what has been suggested. The plugins that are available to add
>firewall rules blocking "attacks" from those on certain IPs on certain
>ports are said to be pretty decent. Of course, if you are using Windows as
>a firewall, you may have problems with this and frankly, I would not use
>Windows for such a task anyway (my humble opinion...I have no desires to
>start a flame).
The secret to success is to start from scratch and keep on scratching.